Invoking AWS API Gateway from Step Functions with the IAM_ROLE auth type
I have a use case where I have to invoke an API Gateway REST endpoint in another AWS account; they have given me a role to assume.
I am thinking of two options:
- generate the request from the Lambda and call the API
- use a Step Function to invoke the API
Q1. I personally think option 2 is better, but what are your views on this?
Q2. I have trouble invoking the REST endpoint from the Step Function. Here is my Step Function definition:
{
  "Comment": "A description of my state machine",
  "StartAt": "API Gateway Invoke",
  "States": {
    "API Gateway Invoke": {
      "Type": "Task",
      "Resource": "arn:aws:states:::apigateway:invoke",
      "Parameters": {
        "ApiEndpoint": "endpoint",
        "Method": "GET",
        "Path": "path",
        "AuthType": "IAM_ROLE"
      },
      "End": true
    }
  }
}
IAM role trust relationships
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "states.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Policy to assume role
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "role_arn"
  }
}
When I execute the Step Function I get this error response:
{
  "resourceType": "apigateway",
  "resource": "invoke",
  "error": "ApiGateway.403",
  "cause": {
    "Message": "User:rolearn/hUAiLwbfPOsSKqarBDcdelSpeGIbyiZA is not authorized to access this resource"
  }
}
I have tried giving the full execution invoke permission to the Step Function, but it didn't help.
I am stuck; any help would be appreciated.
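Option 1 from the question in working form, added here as an example and not code from the question or the answer: it performs the SigV4 signing that the Step Functions task's `AuthType: IAM_ROLE` does on your behalf, for the `execute-api` service, using the temporary credentials a Lambda would obtain through `sts:AssumeRole` on `role_arn`. Standard library only; the URL, region and credential values in `__main__` are constructed placeholders.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote, urlsplit

SERVICE = "execute-api"  # the SigV4 signing name that API Gateway REST APIs check


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_get(url, region, access_key, secret_key, session_token, amz_date):
    """Build SigV4 headers for an IAM-authenticated GET to `url`.
    `session_token` is the token returned by sts:AssumeRole; it is sent as
    x-amz-security-token and must itself be covered by the signature.
    `amz_date` is the UTC timestamp in the form 20240102T030405Z.
    """
    parts = urlsplit(url)
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    headers = {"host": parts.netloc, "x-amz-date": amz_date,
               "x-amz-security-token": session_token}
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    # Query pairs are assumed already URL-encoded; SigV4 only needs them sorted.
    canonical_query = "&".join(sorted(parts.query.split("&"))) if parts.query else ""
    canonical_request = "\n".join([
        "GET", quote(parts.path or "/", safe="/~"), canonical_query,
        canonical_headers, signed_headers,
        hashlib.sha256(b"").hexdigest()])  # hash of the (empty) GET body
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Derive the signing key: secret -> date -> region -> service -> aws4_request.
    key = ("AWS4" + secret_key).encode()
    for step in (date_stamp, region, SERVICE, "aws4_request"):
        key = _hmac(key, step)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


if __name__ == "__main__":
    # Constructed placeholder values: in a Lambda, the three credential values
    # come from boto3.client("sts").assume_role(RoleArn=role_arn, ...)["Credentials"].
    hdrs = sign_get("https://abc123.execute-api.us-east-1.amazonaws.com/prod/path",
                    "us-east-1", "ASIAEXAMPLEKEY", "exampleSecretKey", "exampleToken",
                    datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ"))
    print(hdrs["authorization"])  # send with urllib.request.Request(url, headers=hdrs)
```

If the call still returns 403, the identity you signed with (the assumed role) needs `execute-api:Invoke` on the API's resource, and in a cross-account setup the API's resource policy has to allow that principal as well.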
Comments (1)
Currently, Step Functions doesn't support cross-account integration between Step Functions and API Gateway without a resource policy.
My guess is that the Step Function is failing to assume the role.