1 Answer
0
The lambda function itself doesn't directly interact with the OpenSearch domain; rather, it runs within an execution role that grants it permissions to perform certain actions. Therefore, you need to grant permissions to the execution role associated with your Lambda function.
- Ensure that the execution role associated with your Lambda function has the necessary permissions to access the OpenSearch domain. You can achieve this by adding appropriate permissions to the execution role.
```typescript
import * as iam from 'aws-cdk-lib/aws-iam'; // assumes CDK v2

const role = new iam.Role(this, 'LambdaExecutionRole', {
  assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
});
// Attach permissions to the execution role
this.domain.grantReadWrite(role);
```
- Modify your Lambda function to assume this role when executing. You can achieve this by specifying the `role` property when creating the Lambda function.
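```typescript
import * as nodejs from 'aws-cdk-lib/aws-lambda-nodejs'; // assumes CDK v2

this.domainLambda = new nodejs.NodejsFunction(this, `${domainId}-domain`, {
  // other properties
  role: role, // run the function with the execution role created above
});
```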
By doing this, you're ensuring that your Lambda function assumes a role with the necessary permissions to access the OpenSearch domain, rather than directly granting permissions to the Lambda function itself.
Remember to replace `// other properties` with the appropriate properties you've been using for your Lambda function.
Answered 2 months ago
Hey, thanks for the answer. When using `this.domain.grantReadWrite(this.domainLambda)` it adds the following statement to the lambda execution role:

```json
{
  "Action": ["es:ESHttpDelete", "es:ESHttpGet", "es:ESHttpHead", "es:ESHttpPatch", "es:ESHttpPost", "es:ESHttpPut"],
  "Resource": ["arn:aws:es:us-east-1:123:domain/search/*", "arn:aws:es:us-east-1:123:domain/search/*/*"],
  "Effect": "Allow"
}
```

So I guess it already sets the execution role properly.
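An added example, not part of the original answer or comment: a small TypeScript check that tests whether the statement quoted in the comment above allows a given `es:ESHttp*` call on a resource ARN, using IAM's wildcard matching rules. The function names and the sample ARNs used with it are assumptions made for illustration, and it models only this one Allow statement, not the domain access policy or any other policy layer.

```typescript
// Added example: evaluates a single identity-policy statement the way IAM
// matches Action and Resource patterns. Deny statements, conditions and the
// domain's own access policy are out of scope here.

interface Statement {
  Effect: string;
  Action: string[];
  Resource: string[];
}

// The statement quoted in the comment above ("123" is the account id as posted).
const GRANT_READ_WRITE: Statement = {
  Effect: "Allow",
  Action: ["es:ESHttpDelete", "es:ESHttpGet", "es:ESHttpHead",
           "es:ESHttpPatch", "es:ESHttpPost", "es:ESHttpPut"],
  Resource: ["arn:aws:es:us-east-1:123:domain/search/*",
             "arn:aws:es:us-east-1:123:domain/search/*/*"],
};

// IAM wildcards: "*" matches any run of characters (including "/"),
// "?" matches exactly one character. Everything else is literal.
function wildcardToRegExp(pattern: string, caseInsensitive: boolean): RegExp {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const body = escaped.replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + body + "$", caseInsensitive ? "i" : "");
}

// True when the statement is an Allow whose Action and Resource both match.
function statementAllows(stmt: Statement, action: string, resource: string): boolean {
  if (stmt.Effect !== "Allow") return false;
  // Action names are matched case-insensitively, resource ARNs case-sensitively.
  const actionOk = stmt.Action.some(a => wildcardToRegExp(a, true).test(action));
  const resourceOk = stmt.Resource.some(r => wildcardToRegExp(r, false).test(resource));
  return actionOk && resourceOk;
}
```

Calling `statementAllows(GRANT_READ_WRITE, "es:ESHttpPost", "arn:aws:es:us-east-1:123:domain/search/my-index/_search")` returns `true`, while a configuration action such as `es:UpdateDomainConfig` or an ARN under a different domain name returns `false`.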