上下文:AWS、S3、Lambda、批处理。
我有一个在 S3 存储桶中上传文件时触发的 lambda。我希望 lambda 提交一个批处理作业。
(编辑:在 S3 和 Lambda 之间一切正常。问题出在 Lambda 和 Batch 之间。)
问:为了能够提交批处理作业,我必须赋予lambda什么角色?
在以下情况下,我的 lambda 得到一个AccessDeniedException并且无法提交作业:
const params = {
jobDefinition: BATCH_JOB_DEFINITION,
jobName: BATCH_JOB_NAME,
jobQueue: BATCH_JOB_QUEUE,
};
Batch.submitJob(params).promise() .then .......
这似乎是我一直在寻找的角色:batch:SubmitJob。使用这个角色,lambda 能够提交作业。
iamRoleStatements:
- Effect: Allow
Action:
- batch:SubmitJob
Resource: "arn:aws:batch:*:*:*"
您可以创建一个策略,例如AWS Batch Managed Policy,
以下策略允许管理员访问,您可以根据需要对其进行修改:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"batch:*",
"cloudwatch:GetMetricStatistics",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeKeyPairs",
"ecs:DescribeClusters",
"ecs:Describe*",
"ecs:List*",
"logs:Describe*",
"logs:Get*",
"logs:TestMetricFilter",
"logs:FilterLogEvents",
"iam:ListInstanceProfiles",
"iam:ListRoles"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": ["iam:PassRole"],
"Resource": [
"arn:aws:iam::*:role/AWSBatchServiceRole",
"arn:aws:iam::*:role/ecsInstanceRole",
"arn:aws:iam::*:role/iaws-ec2-spot-fleet-role",
"arn:aws:iam::*:role/aws-ec2-spot-fleet-role",
"arn:aws:iam::*:role/AWSBatchJobRole*"
]
}
]
}
将策略附加到 lambda 并重试,请参阅AWS 文档