How do I add IAM permissions to CloudFront to associate it with Lambda@Edge?

Posted 2025-02-01 16:48:46, 1596 characters, 6 views, 0 comments


I am trying to update my CloudFront distribution using CDK. While updating, it mentions this error message.

Lambda@Edge cannot retrieve the specified Lambda function. Update the IAM policy to add permission: lambda:GetFunction for resource: arn:aws:lambda:us-east-1:xxxxxxxx:function:edge-lambda-stack-xxxxxxx-xxxxxxxx-xxxxxxx:1

After inspecting, I found this AWS docs link: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-edge-permissions.html

However, I am unable to understand where to add these permissions. Can somebody guide me on where to add the lambda:GetFunction permission?

CDK Code

const uriRedirector = new cloudfront.experimental.EdgeFunction(
  this,
  'UriRedirector',
  {
    code: lambda.Code.fromAsset('dist/events/object-cache/uri-redirector'),
    runtime: lambda.Runtime.NODEJS_14_X,
    handler: 'index.handle',
  }
)

this.distribution = new cloudfront.Distribution(this, 'Distribution2', {
  defaultBehavior: {
    origin: s3Origin,
    edgeLambdas: [
      {
        functionVersion: uriRedirector.currentVersion,
        eventType: cloudfront.LambdaEdgeEventType.ORIGIN_REQUEST,
      },
    ],
    originRequestPolicy: defaultBehaviourOriginRequestPolicy,
    viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.HTTPS_ONLY,
    allowedMethods: cloudfront.AllowedMethods.ALLOW_ALL,
  },
....

const cfnDistribution = this.distribution.node
  .defaultChild as cloudfront.CfnDistribution
cfnDistribution.overrideLogicalId(props.oldDistributionLogicalId)


Comments (2)

深爱成瘾 2025-02-08 16:48:47


The error is misleading. Though it says that Lambda@Edge needs the lambda:GetFunction permission, it is really the user or role that creates (or updates) the CloudFront distribution that needs this and a few more permissions. You can find all the permissions needed in the "IAM permissions required to associate Lambda@Edge functions with CloudFront distributions" section. iam:CreateServiceLinkedRole is used to create a service role only once; I usually don't include it.

Also note that all lambda:... permissions should have a Lambda function version ARN, like arn:aws:lambda:us-east-1:123456789012:function:my-function:2, which is very inconvenient. The function ARN arn:aws:lambda:us-east-1:123456789012:function:my-function won't work. Fortunately, you can replace the version with *, like arn:aws:lambda:us-east-1:123456789012:function:my-function:*

Your user or role policy should have statements like the following:

{
    "Effect": "Allow",
    "Action": [
        "lambda:GetFunction",
        "lambda:EnableReplication*",
        "lambda:DisableReplication*"
    ],
    "Resource": [
        "arn:aws:lambda:us-east-1:123456789012:function:my-function:*"
    ]
},
{
    "Effect": "Allow",
    "Action": [
        "cloudfront:CreateDistribution"
    ],
    "Resource": [
        "*"
    ]
}

悲欢浪云 2025-02-08 16:48:47


You will create an IAM policy in IAM and attach the policy to a user or role.
By default, AWS Lambda automatically creates a role; you can attach the policy to that role.

Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Lambda",
      "Effect": "Allow",
      "Action": [
        "lambda:AddPermission",
        "lambda:CreateFunction",
        "lambda:DeleteFunction",
        "lambda:GetFunction",
        "lambda:GetFunctionConfiguration",
        "lambda:ListTags",
        "lambda:RemovePermission",
        "lambda:TagResource",
        "lambda:UntagResource",
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration",
        "lambda:GetLayerVersion"
      ],
      "Resource": [
        "arn:aws:lambda:us-east-1:xxxxxxxx:function:edge-lambda-stack-xxxxxxx-xxxxxxxx-xxxxxxx:*"
      ]
    }
  ]
}
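As an added example, not code from the question or from either answer: a small TypeScript policy checker that applies IAM-style wildcard matching (`*` and `?`, whole-string match, case-insensitive for action names) to statements shaped like the two policies above. It shows why a statement whose Resource is the unqualified function ARN does not cover the versioned ARN named in the error message, while the `:*` form the first answer recommends does, and it checks a policy against the actions the first answer cites as required for the deploying principal. The account id, ARNs and policy contents are constructed, and `iamMatch`, `toAllVersionsArn` and `missingEdgePermissions` are this example's own helper names, not a CDK or AWS SDK API.

```typescript
// Added example (not from the question or either answer): a minimal IAM-style policy
// checker for the Lambda@Edge association permissions. All ARNs are constructed.

interface Statement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string | string[];
}

interface PolicyDocument {
  Version: string;
  Statement: Statement[];
}

// IAM wildcard matching: '*' matches any run of characters, '?' exactly one, and the
// pattern must cover the whole value. Action names compare case-insensitively; ARNs
// compare case-sensitively.
function iamMatch(pattern: string, value: string, ignoreCase = false): boolean {
  const p = ignoreCase ? pattern.toLowerCase() : pattern;
  const v = ignoreCase ? value.toLowerCase() : value;
  const re = p
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters except * and ?
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${re}$`).test(v);
}

const asList = (x: string | string[]): string[] => (Array.isArray(x) ? x : [x]);

// Allowed if some Allow statement matches both action and resource and no Deny does.
function isAllowed(policy: PolicyDocument, action: string, resource: string): boolean {
  let allowed = false;
  for (const st of policy.Statement) {
    const matches =
      asList(st.Action).some((a) => iamMatch(a, action, true)) &&
      asList(st.Resource).some((r) => iamMatch(r, resource));
    if (!matches) continue;
    if (st.Effect === "Deny") return false;
    allowed = true;
  }
  return allowed;
}

// Turn any Lambda function ARN (unqualified, ":<version>" or ":<alias>") into the
// ":*" form the first answer recommends for the lambda:... statements.
function toAllVersionsArn(functionArn: string): string {
  const parts = functionArn.split(":");
  // arn:aws:lambda:<region>:<account>:function:<name>[:<qualifier>]
  if (parts.length < 7 || parts.length > 8 || parts[2] !== "lambda" || parts[5] !== "function") {
    throw new Error(`not a Lambda function ARN: ${functionArn}`);
  }
  return [...parts.slice(0, 7), "*"].join(":");
}

// The permissions the first answer says the deploying user/role needs, checked against
// the versioned ARN that CloudFront names in the error. Returns the actions not granted.
function missingEdgePermissions(policy: PolicyDocument, versionArn: string): string[] {
  const required: Array<[string, string]> = [
    ["lambda:GetFunction", versionArn],
    ["lambda:EnableReplication", versionArn],
    ["lambda:DisableReplication", versionArn],
    // CreateDistribution targets a distribution that does not exist yet; a constructed ARN stands in.
    ["cloudfront:CreateDistribution", "arn:aws:cloudfront::123456789012:distribution/EXAMPLE"],
  ];
  return required.filter(([a, r]) => !isAllowed(policy, a, r)).map(([a]) => a);
}

// Constructed input: the kind of versioned ARN the error message in the question quotes.
const VERSION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:my-function:1";

// Builds a deployer policy in the shape of the first answer, parameterised on the Lambda resource.
function buildPolicy(lambdaResource: string): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "EdgeLambda",
        Effect: "Allow",
        Action: ["lambda:GetFunction", "lambda:EnableReplication*", "lambda:DisableReplication*"],
        Resource: [lambdaResource],
      },
      { Sid: "Distribution", Effect: "Allow", Action: ["cloudfront:CreateDistribution"], Resource: ["*"] },
    ],
  };
}

// Unqualified function ARN: looks right, but does not match the ":1" version ARN.
const wrongPolicy = buildPolicy("arn:aws:lambda:us-east-1:123456789012:function:my-function");
// ":*" covers every published version, which is what CloudFront asks for.
const rightPolicy = buildPolicy(toAllVersionsArn(VERSION_ARN));

console.log("missing with unqualified ARN:", missingEdgePermissions(wrongPolicy, VERSION_ARN));
console.log("missing with :* ARN:", missingEdgePermissions(rightPolicy, VERSION_ARN));
```

Run it with `ts-node` (or compile with `tsc` and run the output with Node): the first line lists the three lambda actions as missing, the second prints an empty list. In the question's CDK setup the policy that passes this check belongs to the principal that runs `cdk deploy`, as the first answer describes, not to the function's execution role.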
