En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

Cloudformation I want to add a policy that allows my Lamda to be invoked by the API gateway But I keep getting Error

0

Below id My Policy I keep getting errors pls help me with a solution and sample code.

Error

`

Has prohibited field Resource (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 10ec173a-9ca9-4b82-85f9-4b7f17cc148a; Proxy: null)

`

My Template

  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub 'LambdaExecutionRole-${AppId}'
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Effect: Allow
          Principal:
            Service: [lambda.amazonaws.com]
          Action: ['sts:AssumeRole']
      Policies:
      # Policy:  [DynamoDB Policy]
      - PolicyName: DynamoDBAccessPolicy
        PolicyDocument:
          Version: "2012-10-17"
          # Statement:  []
          Statement:
          - Effect: Allow
            Action:
            - dynamodb:GetItem
            - dynamodb:PutItem
            - dynamodb:UpdateItem
            - dynamodb:DeleteItem
            - dynamodb:Query
            - dynamodb:Scan
            - dynamodb:BatchGetItem
            - dynamodb:BatchWriteItem
            - dynamodb:DescribeTable
            Resource: "*"
          - Effect: Allow
            Action:
            - dynamodb:ListStreams
            - dynamodb:DescribeStream
            - dynamodb:GetRecords
            - dynamodb:GetShardIterator
            Resource: "*"
            # Resource: "arn:aws:dynamodb:REGION:ACCOUNT_ID:table/TABLE_NAME/stream/*"
      # Policy:  [SQS Policy]
      - PolicyName: SQSAccessPolicy
        PolicyDocument:
          Version: "2012-10-17"
          # Statement:  []
          Statement:
          - Effect: Allow
            Action:
            - sqs:ReceiveMessage
            - sqs:DeleteMessage
            Resource: "*"
      # Policy:  [APIGateway Lambda Invocation Policy]
      - PolicyName: APIGatewayLambdaInvocationPolicy
        PolicyDocument:
          Version: "2012-10-17"
          # Statement:  []
          Statement:
          - Effect: Allow
            Action:
            - lambda:InvokeFunction
            Resource: !Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${LambdaAppId}-*
            Principal:
              Service: apigateway.amazonaws.com
  • secondabhi_aws EXPERT
    il y a 9 mois

    Can you edit your template and add snippet from starting please here. It seems like resources and parameters sections are missing, this would help us to find the issue overall.

Sujets
Sans serveurCalculSécurité, identité et conformitéWeb et mobile front-endRéseaux et diffusion de contenuGestion et gouvernance
Balises
AWS LambdaGestion des identités et des accès AWSPasserelle API AmazonAWS CloudFormation
Langue
English
Nafiu
demandé il y a 9 mois400 vues
1 réponse
4
Réponse acceptée

Hi,

Based on your template, it seems you are trying to add resource policy to lambda function. You should be doing something like this:

   rLambdaInvokePermission:
       Type: 'AWS::Lambda::Permission'
       Properties:
                 FunctionName: <lambda_function_name>
                 Action: 'lambda:InvokeFunction'
                Principal: apigateway.amazonaws.com
                SourceArn: <APIARN>

Identity based policy document shouldn't contain principal. Resource based policy should have principal in it but identity based policy would error out if principal would be mentioned. You are trying to create resource based policy but formatted in identity based format.

Take look at AWS Resource Lambda Permissions.

Refer IAM Access Policies for more example/syntax for IAM policies. Also, take a look at this re:Post Knowledge Center Article, which exactly talks about this.

Hope it helps.

Comment here if you have additional questions, happy to help.

Abhishek

profile pictureAWS
EXPERT
secondabhi_aws
répondu il y a 9 mois
profile pictureAWS
EXPERT
iBehr
vérifié il y a 8 mois
  • secondabhi_aws EXPERT
    il y a 9 mois

    @nafiu, It seems like you are trying to add lambda invoke permission for your your API, I just added template snippet. Please take a look and let me know if you have any questions.

  • Nafiu
    il y a 9 mois

    Thank you so much

  • secondabhi_aws EXPERT
    il y a 9 mois

    Keep it as separate resource. This block would not go inside any role.

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents