I get this error: Error: Error creating Lambda function: InvalidParameterValueException: The provided execution role does not have permissions to call CreateNetworkInterface on EC2 when trying to create a Lambda with a custom Lambda role that has these IAM permissions:

  ...
  statement {
    sid = "MyCustomLamdaStatementDescribe"
    actions = [
      "ec2:DescribeNetworkInterfaces",
    ]
    resources = ["*"]
  }
  statement {
    sid = "MyCustomLamdaStatementCreateDelete"
    actions = [
        "ec2:AttachNetworkInterface",
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:AssignPrivateIpAddresses",
        "ec2:UnassignPrivateIpAddresses",
        "ec2:DescribeVpcs"
    ]
    resources = [
      "*"
    ]
    condition {
      test     = "ArnEquals"
      variable = "ec2:vpc"
      values = [
        "arn:aws:ec2:${var.my_region}:${var.my_account_id}:vpc/${var.my_vpc_id}",
      ]
    }
  }
  ...

Creating the Lambda works perfectly without any condition (as pointed out in AWS Lambda: The provided execution role does not have permissions to call DescribeNetworkInterfaces on EC2), but I need the role to be able to match the VPC (or the ec2:Subnet ARN).

Note: I tried condition.test with both ArnEquals and StringEquals.

4

2 Answers

1

If you want to restrict this to a single VPC, you have to split the actions into separate statements.

ec2:DescribeNetworkInterfaces can only be used with Resource: * and no condition (see the docs). That one is relatively harmless on its own. The others can be restricted.

Here is the solution in YAML (CloudFormation). It is not perfect. In particular, I could not figure out how to restrict the resource or apply a condition to ec2:DeleteNetworkInterface; when I tried, I got the same error.

- Effect: Allow
  Action:
    - 'ec2:CreateNetworkInterface'
  Resource:
    - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:security-group/${SecGrp}'
    - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${SubnetA}'
    - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${SubnetB}'
    - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${SubnetC}'
  Condition:
    StringEquals:
      'ec2:Vpc': !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${VPC}'
- Effect: Allow
  Action:
    - 'ec2:CreateNetworkInterface'
  Resource:
    - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*'
    # VPC condition not supported for this type of resource for this action
- Effect: Allow
  Action:
    - 'ec2:DeleteNetworkInterface'
  Resource:
    # I don't know why we need the first
    # the docs say the second is sufficient, but it doesn't work
    - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:*'
    - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*'
  # the docs say this is supported, but it's not
  # Condition:
  #   StringEquals:
  #     'ec2:Vpc': !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${VPC}'

- Effect: Allow
  Action:
    # this action must have resource: * and no conditions
    # cannot be restricted
    - 'ec2:DescribeNetworkInterfaces'
  Resource:
    - '*'
- Effect: Allow
  Action:
    - 'ec2:AssignPrivateIpAddresses'
    - 'ec2:UnassignPrivateIpAddresses'
  Resource:
    - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*'

  Condition:
    StringEquals:
      'ec2:Vpc': !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${VPC}'
answered 2021-12-29T06:32:21.247
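As an added example (not code from the question or either answer), here is an offline Python lint that encodes the rules the answer above reports: DescribeNetworkInterfaces only with Resource * and no condition, the ec2:Vpc condition on CreateNetworkInterface only against subnet and security-group ARNs, and no condition on DeleteNetworkInterface. The two sample policies are constructed JSON renderings of the question's and the answer's layouts with placeholder account, VPC, subnet and security-group ids.

```python
# Added example: offline lint for a Lambda VPC execution role, encoding the rules
# reported in the answer above. Sample policies are constructed; ids are placeholders.
VPC_ARN = "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-0example"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_keys(stmt):
    """Condition keys across all operators, lower-cased (ec2:vpc vs ec2:Vpc)."""
    return {k.lower() for op in stmt.get("Condition", {}).values() for k in op}

def lint_eni_policy(policy):
    """Return findings for statements the page reports Lambda rejects."""
    findings = []
    for stmt in policy["Statement"]:
        sid, actions = stmt.get("Sid", "<no sid>"), set(_as_list(stmt["Action"]))
        resources, cond = _as_list(stmt["Resource"]), _condition_keys(stmt)
        # DescribeNetworkInterfaces is only accepted with Resource "*" and no Condition.
        if "ec2:DescribeNetworkInterfaces" in actions and (resources != ["*"] or cond):
            findings.append(f"{sid}: DescribeNetworkInterfaces needs Resource '*', no Condition")
        # ec2:Vpc on CreateNetworkInterface only works against subnet/security-group ARNs;
        # applying it to "*" or network-interface/* is what produces the question's error.
        if "ec2:CreateNetworkInterface" in actions and "ec2:vpc" in cond:
            bad = [r for r in resources if ":subnet/" not in r and ":security-group/" not in r]
            if bad:
                findings.append(f"{sid}: ec2:Vpc condition on CreateNetworkInterface rejected for {bad}")
        # The answer reports that a Condition on DeleteNetworkInterface fails as well.
        if "ec2:DeleteNetworkInterface" in actions and cond:
            findings.append(f"{sid}: DeleteNetworkInterface does not accept a Condition")
    return findings

# The question's layout: one conditioned statement with Resource "*" covers everything.
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Describe", "Effect": "Allow", "Action": "ec2:DescribeNetworkInterfaces", "Resource": "*"},
    {"Sid": "CreateDelete", "Effect": "Allow", "Resource": "*",
     "Action": ["ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface"],
     "Condition": {"ArnEquals": {"ec2:vpc": VPC_ARN}}}]}

# The answer's layout: the VPC condition only where the resource type supports it.
WORKING_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Describe", "Effect": "Allow", "Action": "ec2:DescribeNetworkInterfaces", "Resource": "*"},
    {"Sid": "CreateInVpc", "Effect": "Allow", "Action": "ec2:CreateNetworkInterface",
     "Resource": ["arn:aws:ec2:us-east-1:123456789012:subnet/subnet-0example",
                  "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0example"],
     "Condition": {"StringEquals": {"ec2:Vpc": VPC_ARN}}},
    {"Sid": "CreateEni", "Effect": "Allow", "Action": "ec2:CreateNetworkInterface",
     "Resource": "arn:aws:ec2:us-east-1:123456789012:network-interface/*"},
    {"Sid": "Delete", "Effect": "Allow", "Action": "ec2:DeleteNetworkInterface",
     "Resource": "arn:aws:ec2:us-east-1:123456789012:network-interface/*"}]}
```

Running lint_eni_policy over QUESTION_POLICY flags the conditioned CreateNetworkInterface and DeleteNetworkInterface grants, while WORKING_POLICY yields no findings.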
-1

You can fix this by attaching the following managed policy:

arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole

As described here: https://www.maxivanov.io/deploy-aws-lambda-to-vpc-with-terraform/#add-lambda-to-the-vpc

answered 2021-12-28T11:31:56.877