如何在AWS CodeStar项目的CloudFormation模板中更改Lambda函数的IAM角色?
我创建了一个AWS CodeStar项目(Web服务,基于Lambda,Node.js) . 默认情况下,AWS CodeStar会生成以下CloudFormation:
AWSTemplateFormatVersion: 2010-09-09
Transform:
- AWS::Serverless-2016-10-31
- AWS::CodeStar
Parameters:
ProjectId:
Type: String
Description: AWS CodeStar projectID used to associate new resources to team members
Resources:
HelloWorld:
Type: AWS::Serverless::Function
Properties:
Handler: index.handler
Runtime: nodejs4.3
Role:
Fn::ImportValue:
!Join ['-', [!Ref 'ProjectId', !Ref 'AWS::Region', 'LambdaTrustRole']]
Events:
GetEvent:
Type: Api
Properties:
Path: /
Method: get
PostEvent:
Type: Api
Properties:
Path: /
Method: post
现在,我想用自己的角色替换此角色,因为我需要为Lambda函数添加策略以访问其他AWS资源 . 同时我也删除了API网关,因为我将添加一个调度程序以便稍后触发Lambda调用:
AWSTemplateFormatVersion: 2010-09-09
Transform:
- AWS::Serverless-2016-10-31
- AWS::CodeStar
Parameters:
ProjectId:
Type: String
Description: AWS CodeStar projectID used to associate new resources to team members
Resources:
HelloWorld:
Type: AWS::Serverless::Function
Properties:
Handler: index.handler
Runtime: nodejs4.3
Role: !Ref HelloWorldLambdaRole
HelloWorldLambdaRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- sts:AssumeRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
但是,当我提交并推送这些更改时,AWS CodePipeline无法更新CloudFormation模板:
CREATE_FAILED AWS::IAM::Role EchoLambdaRole API: iam:CreateRole User: arn:aws:sts::[accountId]:assumed-role/CodeStarWorker-[projectId]-CloudFormation/AWSCloudFormation is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::[accountId]:role/awscodestar-[projectId]-lambda-HelloWorldLambdaRole-ABCDEF123456
根据这些反馈,我得出结论, CodeStarWorker-[projectId]-CloudFormation/AWSCloudFormation 角色无权创建IAM角色 . 但是,这个角色对我的CloudFormation模板是隐藏的,据我所知,它是由CodeStar自动设置的 . 作为AWS账户管理员,我只需编辑相关的策略,但恕我直言,这不是解决此问题的方法 .
Edit:
我已在我的帐户中检查过IAM配置 . 已创建aws-codestar-service-role,它与具有以下语句的 AWSCodeStarServiceRole 策略关联(在其他语句中,请参阅链接以获取详细信息):
{
"Sid": "ProjectWorkerRoles",
"Effect": "Allow",
"Action": [
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:GetRole",
"iam:PassRole",
"iam:PutRolePolicy",
"iam:SetDefaultPolicyVersion",
"iam:CreatePolicy",
"iam:DeletePolicy",
"iam:AddRoleToInstanceProfile",
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:RemoveRoleFromInstanceProfile"
],
"Resource": [
"arn:aws:iam::*:role/CodeStarWorker*",
"arn:aws:iam::*:policy/CodeStarWorker*",
"arn:aws:iam::*:instance-profile/awscodestar-*"
]
},
还有 CodeStarWorker-[projectId]-CloudFormation 角色,它具有名为 CodeStarWorkerCloudFormationRolePolicy 的内联策略,其配置如下:
{
"Statement": [
{
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::aws-chargeodestar-eu-west-1-[accountId]-[projectId]-pipeline",
"arn:aws:s3:::aws-codestar-eu-west-1-[accountId]-[projectId]-pipeline/*"
],
"Effect": "Allow"
},
{
"Action": [
"codestar:SyncResources",
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:AddPermission",
"lambda:UpdateFunction",
"lambda:UpdateFunctionCode",
"lambda:GetFunctionConfiguration",
"lambda:UpdateFunctionConfiguration",
"lambda:RemovePermission",
"apigateway:*",
"dynamodb:CreateTable",
"dynamodb:DeleteTable",
"dynamodb:DescribeTable",
"kinesis:CreateStream",
"kinesis:DeleteStream",
"kinesis:DescribeStream",
"sns:CreateTopic",
"sns:DeleteTopic",
"sns:ListTopics",
"sns:GetTopicAttributes",
"sns:SetTopicAttributes",
"s3:CreateBucket",
"s3:DeleteBucket"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::[accountId]:role/CodeStarWorker-[projectId]-Lambda"
],
"Effect": "Allow"
},
{
"Action": [
"cloudformation:CreateChangeSet"
],
"Resource": [
"arn:aws:cloudformation:eu-west-1:aws:transform/Serverless-2016-10-31",
"arn:aws:cloudformation:eu-west-1:aws:transform/CodeStar"
],
"Effect": "Allow"
}
]
}
由于我已创建项目,因此 CodeStar_[projectId]_Owner 策略已直接附加到我的用户 .
Edit 2:
尽管我自己建议,但我尝试通过添加以下策略声明来更新 CodeStarWorker-[projectId]-CloudFormation 角色的内联 CodeStarWorkerCloudFormationRolePolicy :
{
"Action": [
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:DeleteRole",
"iam:DetachRolePolicy",
"iam:GetRole",
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::699602212296:role/awscodestar-[projectId]-*"
],
"Effect": "Allow"
}
但是,这会在CloudFormation中导致以下错误:
CREATE_FAILED AWS::CodeStar::SyncResources SyncResources123456789012 com.amazon.coral.service.InternalFailure
2 回答
CodeStar Service使用名为aws-codestar-service-role的服务角色,并带有以下语句 . 如果允许项目的动态辅助角色继承IAM角色创建操作,则可能需要修改此服务角色 . 否则CodeStar可能会覆盖您的更改 .
另请参阅http://docs.aws.amazon.com/codestar/latest/userguide/access-permissions.html,但您可能已经猜到了,它可以覆盖您的用例 .
我相信答案是CodeStar似乎与它在不同情况下创建角色所使用的命名约定不一致 . 如果在创建角色时提供前缀为
CodeStar-[projectId]*的名称,则这将满足CodeStarWorker- [projectId] -CloudFormation角色的IAM策略 . 即包括`RoleName:!Sub 'CodeStar-$-....' .Further information 当我遇到同样的错误时,我还要更新IAM策略,然后注意到CodeStarWorker- [projectId] -CloudFormation角色的IAM策略中的权限边界 . 将错误中的角色与现有角色进行比较:
错误中的角色:
awscodestar-[projectId]-lambda-HelloWorldLambdaRole-ABCDEF123456.CodeStar创建的角色示例代码:
CodeStar-[projectId]-Execution另外一点是,如果您使用SAM CLI来CodeStar,这会让您感到困惑,因为CLI可以指定没有角色的lambda函数,SAM会为您创建它,例如:
但是,在CodeStar中这不起作用,看起来您需要遵循CodeStar的示例并指定功能资源,以及具有正确名称前缀的角色!例如