如何更改AWS CodeStar项目的CloudFormation模板中的Lambda函数的IAM角色?更改CodeStar项目中CloudFormation模板中Lambda的IAM角色?
我已经创建了AWS CodeStar项目(Web服务,基于Lambda,Node.js)。默认情况下,AWS CodeStar生成以下CloudFormation:
AWSTemplateFormatVersion: 2010-09-09
Transform:
- AWS::Serverless-2016-10-31
- AWS::CodeStar
Parameters:
ProjectId:
Type: String
Description: AWS CodeStar projectID used to associate new resources to team members
Resources:
HelloWorld:
Type: AWS::Serverless::Function
Properties:
Handler: index.handler
Runtime: nodejs4.3
Role:
Fn::ImportValue:
!Join ['-', [!Ref 'ProjectId', !Ref 'AWS::Region', 'LambdaTrustRole']]
Events:
GetEvent:
Type: Api
Properties:
Path:/
Method: get
PostEvent:
Type: Api
Properties:
Path:/
Method: post
现在,我想换成我自己的角色这个角色,因为我需要为lambda函数访问其他AWS资源补充政策。同时我也删除API网关,因为我将添加一个调度后触发LAMBDA调用:
AWSTemplateFormatVersion: 2010-09-09
Transform:
- AWS::Serverless-2016-10-31
- AWS::CodeStar
Parameters:
ProjectId:
Type: String
Description: AWS CodeStar projectID used to associate new resources to team members
Resources:
HelloWorld:
Type: AWS::Serverless::Function
Properties:
Handler: index.handler
Runtime: nodejs4.3
Role: !Ref HelloWorldLambdaRole
HelloWorldLambdaRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- sts:AssumeRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
然而,当我承诺,推动这些变化,AWS CodePipeline无法更新CloudFormation模板:
CREATE_FAILED AWS::IAM::Role EchoLambdaRole API: iam:CreateRole User: arn:aws:sts::[accountId]:assumed-role/CodeStarWorker-[projectId]-CloudFormation/AWSCloudFormation is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::[accountId]:role/awscodestar-[projectId]-lambda-HelloWorldLambdaRole-ABCDEF123456
在此基础上的反馈,我的结论是CodeStarWorker-[projectId]-CloudFormation/AWSCloudFormation
角色无权创建IAM角色。然而,这个角色对我的CloudFormation模板是隐藏的,而且我的理解是CodeStar自动设置的。作为AWS账户管理员,我只需编辑相关策略,但恕我直言,这不是解决此问题的方法。
编辑:
我已经检查IAM配置在我的帐户。一个aws-codestar-service-role已创建,它与AWSCodeStarServiceRole
政策具有以下语句(其它报表中,见链接了解详细信息)相关:
{
"Sid": "ProjectWorkerRoles",
"Effect": "Allow",
"Action": [
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:GetRole",
"iam:PassRole",
"iam:PutRolePolicy",
"iam:SetDefaultPolicyVersion",
"iam:CreatePolicy",
"iam:DeletePolicy",
"iam:AddRoleToInstanceProfile",
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:RemoveRoleFromInstanceProfile"
],
"Resource": [
"arn:aws:iam::*:role/CodeStarWorker*",
"arn:aws:iam::*:policy/CodeStarWorker*",
"arn:aws:iam::*:instance-profile/awscodestar-*"
]
},
也有CodeStarWorker-[projectId]-CloudFormation
的作用,有一个名为CodeStarWorkerCloudFormationRolePolicy
内嵌政策具有以下配置:
{
"Statement": [
{
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::aws-chargeodestar-eu-west-1-[accountId]-[projectId]-pipeline",
"arn:aws:s3:::aws-codestar-eu-west-1-[accountId]-[projectId]-pipeline/*"
],
"Effect": "Allow"
},
{
"Action": [
"codestar:SyncResources",
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:AddPermission",
"lambda:UpdateFunction",
"lambda:UpdateFunctionCode",
"lambda:GetFunctionConfiguration",
"lambda:UpdateFunctionConfiguration",
"lambda:RemovePermission",
"apigateway:*",
"dynamodb:CreateTable",
"dynamodb:DeleteTable",
"dynamodb:DescribeTable",
"kinesis:CreateStream",
"kinesis:DeleteStream",
"kinesis:DescribeStream",
"sns:CreateTopic",
"sns:DeleteTopic",
"sns:ListTopics",
"sns:GetTopicAttributes",
"sns:SetTopicAttributes",
"s3:CreateBucket",
"s3:DeleteBucket"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::[accountId]:role/CodeStarWorker-[projectId]-Lambda"
],
"Effect": "Allow"
},
{
"Action": [
"cloudformation:CreateChangeSet"
],
"Resource": [
"arn:aws:cloudformation:eu-west-1:aws:transform/Serverless-2016-10-31",
"arn:aws:cloudformation:eu-west-1:aws:transform/CodeStar"
],
"Effect": "Allow"
}
]
}
自从我创建的项目中,CodeStar_[projectId]_Owner
政策已经直接连接到我的用户。
编辑2:
尽管我自己的建议,我试图通过添加以下政策声明更新CodeStarWorker-[projectId]-CloudFormation
作用的内联CodeStarWorkerCloudFormationRolePolicy
:
{
"Action": [
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:DeleteRole",
"iam:DetachRolePolicy",
"iam:GetRole",
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::699602212296:role/awscodestar-[projectId]-*"
],
"Effect": "Allow"
}
然而,这引起了CloudFormation中出现以下错误:
CREATE_FAILED AWS::CodeStar::SyncResources SyncResources123456789012 com.amazon.coral.service.InternalFailure
请您详细说明一下吗?我不明白我应该如何修改服务角色?我确实有一个'aws-codestar-service-role'(参见我的编辑),并且已经验证它具有作为“ProjectWorkerRoles”Sid的一部分的'iam:CreateRole'(和'iam:DeleteRole')如你的答案中所建议的那样。 – matsev
Hi matsev,看起来像ProjectWorker由CodeStar创建的IAM角色不会继承任何创建或删除角色操作,因为该策略已经具有PassRole但未通过,所以我上面的建议无济于事。根据您的编辑,我建议使用AWS提出支持凭单(对不起)。 – NHol