CloudFormation: I want to add a policy that allows my Lambda to be invoked by API Gateway, but I keep getting an error

0

Below is my policy. I keep getting errors, please help me with a solution and sample code.

Error

```
Has prohibited field Resource (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 10ec173a-9ca9-4b82-85f9-4b7f17cc148a; Proxy: null)
```

My Template

```yaml
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub 'LambdaExecutionRole-${AppId}'
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Effect: Allow
          Principal:
            Service: [lambda.amazonaws.com]
          Action: ['sts:AssumeRole']
      Policies:
      # Policy:  [DynamoDB Policy]
      - PolicyName: DynamoDBAccessPolicy
        PolicyDocument:
          Version: "2012-10-17"
          # Statement:  []
          Statement:
          - Effect: Allow
            Action:
            - dynamodb:GetItem
            - dynamodb:PutItem
            - dynamodb:UpdateItem
            - dynamodb:DeleteItem
            - dynamodb:Query
            - dynamodb:Scan
            - dynamodb:BatchGetItem
            - dynamodb:BatchWriteItem
            - dynamodb:DescribeTable
            Resource: "*"
          - Effect: Allow
            Action:
            - dynamodb:ListStreams
            - dynamodb:DescribeStream
            - dynamodb:GetRecords
            - dynamodb:GetShardIterator
            Resource: "*"
            # Resource: "arn:aws:dynamodb:REGION:ACCOUNT_ID:table/TABLE_NAME/stream/*"
      # Policy:  [SQS Policy]
      - PolicyName: SQSAccessPolicy
        PolicyDocument:
          Version: "2012-10-17"
          # Statement:  []
          Statement:
          - Effect: Allow
            Action:
            - sqs:ReceiveMessage
            - sqs:DeleteMessage
            Resource: "*"
      # Policy:  [APIGateway Lambda Invocation Policy]
      - PolicyName: APIGatewayLambdaInvocationPolicy
        PolicyDocument:
          Version: "2012-10-17"
          # Statement:  []
          Statement:
          - Effect: Allow
            Action:
            - lambda:InvokeFunction
            Resource: !Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${LambdaAppId}-*
            Principal:
              Service: apigateway.amazonaws.com
```

  • Can you edit your template and add the snippet from the start, please? It seems like the Resources and Parameters sections are missing; this would help us find the issue overall.

1 Answer
4
Accepted Answer

Hi,

Based on your template, it seems you are trying to add a resource policy to a Lambda function. You should be doing something like this:

```yaml
  # Resource-based permission on the function; this is a separate resource, not part of a role
  rLambdaInvokePermission:
    Type: 'AWS::Lambda::Permission'
    Properties:
      FunctionName: <lambda_function_name>
      Action: 'lambda:InvokeFunction'
      Principal: apigateway.amazonaws.com
      SourceArn: <APIARN>
```

An identity-based policy document shouldn't contain a principal. A resource-based policy should have a principal in it, but an identity-based policy will error out if a principal is mentioned. You are trying to create a resource-based policy but have formatted it as an identity-based one.

Take a look at AWS Resource Lambda Permissions.

Refer to IAM Access Policies for more examples and syntax for IAM policies. Also, take a look at this re:Post Knowledge Center article, which talks about exactly this.

Hope it helps.

Comment here if you have additional questions, happy to help.

Abhishek

AWS EXPERT
answered 8 months ago
AWS EXPERT iBehr
reviewed 8 months ago
  • @nafiu, it seems like you are trying to add Lambda invoke permission for your API; I just added a template snippet. Please take a look and let me know if you have any questions.

  • Thank you so much

  • Keep it as a separate resource. This block would not go inside any role.
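To show how the two policy types fit together in one template, here is an added example that is not part of the accepted answer or the question. The execution role keeps only identity-based policies (what the function may do, no `Principal`), and the permission that lets API Gateway call the function is a separate `AWS::Lambda::Permission` resource (who may invoke it, with a `Principal`). The resource names `AppFunction`, `AppApi`, `AppTable`, the `AppId` parameter and the inline handler are assumptions made for this example; the `SourceArn` is scoped to the one REST API so that no other API in any account can invoke the function.

```yaml
AWSTemplateFormatVersion: "2010-09-09"

Parameters:
  AppId:
    Type: String   # assumed parameter; the original question references ${AppId}

Resources:
  AppTable:        # assumed table so the role can be scoped to one ARN instead of "*"
    Type: AWS::DynamoDB::Table
    Properties:
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: pk
          AttributeType: S
      KeySchema:
        - AttributeName: pk
          KeyType: HASH

  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub 'LambdaExecutionRole-${AppId}'
      # Trust policy: which principal may assume the role. This is the only
      # place in a role where a Principal belongs.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: [lambda.amazonaws.com]
            Action: ['sts:AssumeRole']
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      # Identity-based policies: what the function may do. No Principal field,
      # and no lambda:InvokeFunction statement is needed here at all.
      Policies:
        - PolicyName: DynamoDBAccessPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - dynamodb:GetItem
                  - dynamodb:PutItem
                  - dynamodb:Query
                Resource: !GetAtt AppTable.Arn

  AppFunction:     # assumed function; the question never showed one
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: !Sub 'AppFunction-${AppId}'
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt LambdaExecutionRole.Arn
      Environment:
        Variables:
          TABLE_NAME: !Ref AppTable
      Code:
        ZipFile: |
          # placeholder handler so the stack deploys
          def handler(event, context):
              return {"statusCode": 200, "body": "ok"}

  AppApi:          # assumed REST API that will invoke the function
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: !Sub 'AppApi-${AppId}'

  # Resource-based policy: who may invoke the function. It is attached to the
  # function, lives outside the role, and is where the Principal goes.
  ApiInvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref AppFunction
      Action: lambda:InvokeFunction
      Principal: apigateway.amazonaws.com
      # Restrict the grant to this API (any stage, method and path of it);
      # without SourceArn any API Gateway API in any account could invoke it.
      SourceArn: !Sub 'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${AppApi}/*/*/*'
```

Compared with the template in the question, the `APIGatewayLambdaInvocationPolicy` entry is dropped from the role entirely: the role never needs `lambda:InvokeFunction`, because the invoker's right to call the function is granted by the `AWS::Lambda::Permission` resource, and the `Principal` field that caused the `MalformedPolicyDocument` error only appears in that resource-based grant and in the role's trust policy.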
