Can an AWS IAM policy variable grant a Lambda function permissions based on its own name?

Published 2025-02-05 17:06:07, 748 characters, 2 views, 0 comments


I am trying to figure out if it is possible to design an AWS IAM role that would dynamically grant permission to a resource based on the name of the calling resource. For example I currently have a role that grants a Lambda function permission to create and write CloudWatch logs, which looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CWLog",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/MyLambdaFunction*"
        }
    ]
}

I am wondering if there is a way to substitute the string MyLambdaFunction for the name of the calling Lambda function using some ${aws:NameOfTheLambdaFunction} variable, so that I can have a generic policy allowing functions to write only to their specific CW log groups that I can attach to different Lambda roles - with the resource statement looking like: "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/${aws:NameOfTheLambdaFunction}*"

Is something like this possible?


Comments (1)

奶气 2025-02-12 17:06:07


You're referring to an IAM policy variable which provides you the name of the calling Lambda function.

Unfortunately, this policy variable does not currently exist and so this isn't possible.
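Since no policy variable exposes the calling function's name, the practical route is to render one least-privilege policy per function at deploy time. The following Python is an added example written for this page (it is not code from the question, the answer, or AWS): `render_log_policy` substitutes a function name into the policy shown in the question, and `overmatched_siblings` uses an IAM-style wildcard matcher to show why the question's `MyLambdaFunction*` suffix also matches a function named `MyLambdaFunction2`, whereas listing the log group and its streams separately (`name` and `name:*`) does not. The region, account ID, and sibling function names are constructed sample values.

```python
import json
import re

# Added example, not from the original post: render the question's policy for a
# single Lambda function name at deploy time and check how far its Resource
# pattern reaches. Region and account default to "*" exactly as in the post.

LOG_ACTIONS = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]


def render_log_policy(function_name, region="*", account="*", tight=True):
    """Return the CloudWatch Logs policy document for one named function.

    tight=True lists the log group itself plus its log streams ("name" and
    "name:*") instead of the post's "name*" suffix wildcard, so a sibling
    function whose name merely shares the prefix is not matched.
    """
    prefix = f"arn:aws:logs:{region}:{account}:log-group:/aws/lambda/{function_name}"
    resources = [prefix, prefix + ":*"] if tight else [prefix + "*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "CWLog", "Effect": "Allow", "Action": LOG_ACTIONS, "Resource": resources}
        ],
    }


def resource_matches(pattern, arn):
    """IAM-style wildcard match for a Resource element: '*' spans any run of
    characters (including ':' and '/'), '?' exactly one; all else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn) is not None


def policy_resources(policy):
    """Flatten every Resource element (string or list) in the policy."""
    out = []
    for stmt in policy["Statement"]:
        res = stmt["Resource"]
        out.extend([res] if isinstance(res, str) else res)
    return out


def overmatched_siblings(policy, own_name, sibling_names,
                         region="us-east-1", account="123456789012"):
    """Return the sibling function names whose log streams this policy would
    also allow writes to. Region/account are constructed sample values used
    only to build concrete ARNs for matching."""
    leaked = []
    for name in sibling_names:
        if name == own_name:
            continue
        stream = (f"arn:aws:logs:{region}:{account}:log-group:/aws/lambda/{name}"
                  f":log-stream:2025/02/05/[$LATEST]0123456789abcdef")
        if any(resource_matches(p, stream) for p in policy_resources(policy)):
            leaked.append(name)
    return leaked


if __name__ == "__main__":
    # Render the tight per-function policy for the name used in the question.
    print(json.dumps(render_log_policy("MyLambdaFunction"), indent=2))
    # Show which constructed sibling names the post's suffix wildcard reaches.
    loose = render_log_policy("MyLambdaFunction", tight=False)
    print(overmatched_siblings(loose, "MyLambdaFunction",
                               ["MyLambdaFunction", "MyLambdaFunction2", "Billing"]))
```

The matcher treats `*` as spanning ARN segments, which is what makes the post's pattern cover `:log-stream:...` in the first place; the same property is why the prefix form leaks to any function whose name starts with the same string.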
