使用CloudFormation和API Gateway代理进行设置时，Lambda权限错误

2 回答

• 0

  首先，我注意到你的 IntegrationHttpMethod 是 ANY . 对于Lambdas，除非您使用 {proxy+} 配置，否则请尝试使用 POST . 我'm pretty sure the CloudFormation docs are still out of date for this, but you'将在this answer中找到一些有用的信息 .

  我注意到的第二件事是格式错误的代理响应，在您的情况下可能只是一个配置错误 . 只是为了排除这一点，在AWS支持中心处理格式错误的代理响应是answered . 基本上，您的lambda响应应采用以下格式，包括不添加任何额外的键 .

  {
      "isBase64Encoded": true|false,
      "statusCode": httpStatusCode,
      "headers": { "headerName": "headerValue", ... },
      "body": "..."
  }
  

  您可以使用支持文档上的示例函数代替常规函数，以便您可以隔离问题 .

  回复于 2024-04-25T15:45:48+08:00
• 0

  经过一些反复试验，结合Miles的建议，我已经到达了正在运行的CloudFormation脚本：

  AWSTemplateFormatVersion: 2010-09-09
  Description: An API that proxies requests to another HTTP endpoint
  
  Resources:
    MyFunction:
      Type: 'AWS::Lambda::Function'
      Properties:
        Handler: samplefunction.lambda_handler
        Runtime: python2.7
        Code:
          S3Bucket: "ilya-lambdas"
          S3Key: "lambda-code.zip"
        Role: !Join ["", ["arn:aws:iam::", !Ref "AWS::AccountId", ":role/service-role/basic_lambda_role"] ]
  
  
    Api:
      Type: 'AWS::ApiGateway::RestApi'
      Properties:
        Name: foo3
  
    Resource:
      Type: 'AWS::ApiGateway::Resource'
      Properties:
        ParentId: !GetAtt Api.RootResourceId
        RestApiId: !Ref Api
        PathPart: 'test'
  
  
    RootMethod:
      Type: 'AWS::ApiGateway::Method'
      Properties:
        AuthorizationType: NONE
        HttpMethod: ANY
        ResourceId: !GetAtt Api.RootResourceId
        RestApiId: !Ref Api 
        Integration:
            IntegrationHttpMethod: POST
            Type: AWS_PROXY
            PassthroughBehavior: WHEN_NO_MATCH
            Uri: !Join ["", ["arn:aws:apigateway:", "us-east-1", ":lambda:path/2015-03-31/functions/", !GetAtt MyFunction.Arn, "/invocations"] ]
  
    ProxyMethod:
        Type: 'AWS::ApiGateway::Method'
        Properties:
          HttpMethod: ANY
          ResourceId: !Ref Resource
          RestApiId: !Ref Api
          AuthorizationType: NONE
          Integration:
            IntegrationHttpMethod: POST
            Type: AWS_PROXY
            Uri: !Join ["", ["arn:aws:apigateway:", "us-east-1", ":lambda:path/2015-03-31/functions/", !GetAtt MyFunction.Arn, "/invocations"] ]
            PassthroughBehavior: WHEN_NO_MATCH
  
    FunctionPermissions:
      Type: "AWS::Lambda::Permission"
      Properties: 
        Action: "lambda:InvokeFunction"        
        FunctionName: !GetAtt MyFunction.Arn
        Principal: "apigateway.amazonaws.com"
        SourceArn: !Join [ "", ["arn:aws:execute-api:", !Ref "AWS::Region", ":", !Ref "AWS::AccountId", ":", !Ref Api, "/*" ] ] 
  
    Deployment:
      DependsOn:
        - MyFunction
        - RootMethod
        - ProxyMethod
      Type: 'AWS::ApiGateway::Deployment'
      Properties:
        RestApiId: !Ref Api
        StageName: prod
  

  我昨天（不工作）和这个（工作）之间的差异总结：

  • 从 Integration 部分删除了 Credentials 对象 .

  • 将 IntegrationHttpMethod 从ANY更改为POST（感谢Miles指出这一点）

  • 在 FunctionPermissions 下更改 SourceArn 以 /* 而不是 /*/*/* 结束

  虽然在这种情况下我的lambda函数的响应不是问题，但重要的是它的格式正确 . 所以这是我的功能，希望在一个地方拥有它将对人们有所帮助 .

  def lambda_handler(event, context):
      response = {
          "isBase64Encoded": "false",
          "statusCode": 200,
          "headers": { "Content-Type": "application/json"},
          "body": "hello from sample function"
      }
  
      return response
  

  回复于 2024-04-25T15:45:48+08:00