Adding a custom CIDR to an ingress security group from Lambda, without using the default VPC

0

Basically, I am trying to add a custom CIDR IP to a security group through a Lambda function. I have granted all the appropriate permissions (as far as I know). I even tried attaching the VPC (a non-default VPC) to the Lambda function to reach the security group, but the error was the same, so I removed it from the Lambda function again.

But I get "An error occurred (VPCIdNotSpecified) when calling the AuthorizeSecurityGroupIngress operation: No default VPC for this user"

Here is the policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:RevokeSecurityGroupIngress",
                "ec2:CreateNetworkInterface",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeVpcs",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:CreateLogGroup"
            ],
            "Resource":  "arn:aws:logs:us-west-2:xxxx:log-group:xxx:log-stream:*"
        }
    ]
}

Lambda function

#!/usr/bin/python3.9
import boto3
ec2 = boto3.client('ec2')
def lambda_handler(event, context):
    response = ec2.authorize_security_group_ingress(
    GroupId='sg-xxxxxxx'
    IpPermissions=[
        { 
            'FromPort': 443,
            'IpProtocol': 'tcp',
            'IpRanges': [
                {
                    'CidrIp': '1x.1x.x.1x/32',
                    'Description': 'adding test cidr using lambda'
                },
            ],
            'ToPort': 443
        }
        ],
        DryRun=True
    )
    return response

Can someone point me in the right direction? The VPC is non-default. I just need to add an inbound rule to an existing security group in a non-default VPC.

Error log


Test Event Name
snstest

Response
{
  "errorMessage": "An error occurred (VPCIdNotSpecified) when calling the AuthorizeSecurityGroupIngress operation: No default VPC for this user",
  "errorType": "ClientError",
  "requestId": "7de9dce1-f2f9-4609-897e-b75ef751544e",
  "stackTrace": [
    "  File \"/var/task/lambda_function.py\", line 21, in lambda_handler\n    response = ec2.authorize_security_group_ingress(\n",
    "  File \"/var/runtime/botocore/client.py\", line 391, in _api_call\n    return self._make_api_call(operation_name, kwargs)\n",
    "  File \"/var/runtime/botocore/client.py\", line 719, in _make_api_call\n    raise error_class(parsed_response, operation_name)\n"
  ]
}

Function Logs
START RequestId: 7de9dce1-f2f9-4609-897e-b75ef751544e Version: $LATEST
[ERROR] ClientError: An error occurred (VPCIdNotSpecified) when calling the AuthorizeSecurityGroupIngress operation: No default VPC for this user
Traceback (most recent call last):
  File "/var/task/lambda_function.py", line 21, in lambda_handler
    response = ec2.authorize_security_group_ingress(
  File "/var/runtime/botocore/client.py", line 391, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/runtime/botocore/client.py", line 719, in _make_api_call
    raise error_class(parsed_response, operation_name)
END RequestId: 7de9dce1-f2f9-4609-897e-b75ef751544e
REPORT RequestId: 7de9dce1-f2f9-4609-897e-b75ef751544e	Duration: 213.81 ms	Billed Duration: 214 ms	Memory Size: 128 MB	Max Memory Used: 77 MB

Request ID
7de9dce1-f2f9-4609-897e-b75ef751544e

Expert
Asked 5 months ago, 50 views
1 answer
0

This was a syntax error; I had also added a VPC to the configuration, which is not required for this purpose. For anyone running into the same problem (just wanting to update a security group with a CIDR), below are the correct function and permissions (the function is not complete, since you will probably also want to remove the old rule):

Lambda function:


#!/usr/bin/python3.9
import boto3
ec2 = boto3.client('ec2')
def lambda_handler(event, context):
    response = ec2.authorize_security_group_ingress(
        DryRun=False,
        GroupId='sg-0123456789',
        IpPermissions=[
            { 
                'FromPort': 443,
                'IpProtocol': 'tcp',
                'IpRanges': [
                    {
                        'CidrIp': '1x.2x.3x.4x/32',
                        'Description': 'Security group updated via lambda'
                    }
                ],
                'ToPort': 443
            }
        ]
    )
    return response

IAM policy for the Lambda execution role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:ModifySecurityGroupRules",
                "ec2:UpdateSecurityGroupRuleDescriptionsIngress"
            ],
            "Resource": "arn or all"
        }
    ]

Expert
Answered 5 months ago
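As an added example (not the asker's or the answerer's code), here is a fuller version of what the answer describes: a handler that validates the CIDR before it reaches the API, revokes the stale rule an earlier run left behind, and adds the new one idempotently, always addressing the group by GroupId (never GroupName) so no default VPC is involved. The environment variable names, the event shape, the rule description used as a marker and the FakeEC2 class are assumptions made for this illustration; FakeEC2 is a constructed in-memory stand-in so the logic can be exercised without AWS credentials.

```python
"""Added example: idempotent ingress-rule sync for a security group in a non-default VPC.
Names, event shape and the fake client are assumptions for this illustration."""
import ipaddress
import os

DEFAULT_DESCRIPTION = "managed-by-lambda"  # assumed marker that identifies rules this function owns


def build_ingress_permission(cidr, port, description):
    """Validate the CIDR and build one IpPermissions entry.
    strict=True rejects host bits (e.g. 10.0.0.5/24), so a typo cannot silently open a wider range."""
    network = ipaddress.ip_network(cidr, strict=True)
    if network.version != 4:
        raise ValueError("only IPv4 CIDRs are handled in this example")
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": str(network), "Description": description}],
    }


def _ranges_for_port(permissions, port):
    """Yield the IPv4 range entries of every tcp rule on exactly this port."""
    for perm in permissions:
        if perm.get("IpProtocol") == "tcp" and perm.get("FromPort") == port and perm.get("ToPort") == port:
            yield from perm.get("IpRanges", [])


def stale_cidrs(existing_permissions, port, description, keep_cidr):
    """CIDRs of earlier rules carrying our description on this port, except the one to keep."""
    return [r["CidrIp"] for r in _ranges_for_port(existing_permissions, port)
            if r.get("Description") == description and r.get("CidrIp") != keep_cidr]


def sync_ingress_rule(ec2, group_id, cidr, port=443, description=DEFAULT_DESCRIPTION):
    """Revoke stale rules we created earlier, then authorize the new CIDR (no-op if already present)."""
    permission = build_ingress_permission(cidr, port, description)
    new_cidr = permission["IpRanges"][0]["CidrIp"]
    groups = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"]
    existing = groups[0]["IpPermissions"] if groups else []
    revoked = stale_cidrs(existing, port, description, new_cidr)
    if revoked:
        ec2.revoke_security_group_ingress(
            GroupId=group_id,
            IpPermissions=[{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                            "IpRanges": [{"CidrIp": c} for c in revoked]}])
    try:
        ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=[permission])
        added = new_cidr
    except Exception as exc:  # botocore.exceptions.ClientError at runtime
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code != "InvalidPermission.Duplicate":  # duplicate rule is the only tolerated failure
            raise
        added = None
    return {"group_id": group_id, "added": added, "revoked": revoked}


def lambda_handler(event, context):
    """Real entry point; boto3 is imported here so the logic above stays importable offline."""
    import boto3  # present in the Lambda runtime
    return sync_ingress_rule(
        boto3.client("ec2"),
        os.environ["SECURITY_GROUP_ID"],          # assumed env var, e.g. sg-0123456789
        event["cidr"],                            # assumed event shape: {"cidr": "198.51.100.20/32"}
        port=int(os.environ.get("RULE_PORT", "443")),
        description=os.environ.get("RULE_DESCRIPTION", DEFAULT_DESCRIPTION),
    )


class FakeEC2:
    """Constructed stand-in for the boto3 EC2 client; models only the three calls used above."""
    def __init__(self, group_id, permissions):
        self.groups = {group_id: permissions}

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [{"GroupId": g, "IpPermissions": self.groups[g]} for g in GroupIds]}

    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        doomed = {r["CidrIp"] for p in IpPermissions for r in p["IpRanges"]}
        for perm in self.groups[GroupId]:
            perm["IpRanges"] = [r for r in perm["IpRanges"] if r["CidrIp"] not in doomed]
        return {"Return": True}

    def authorize_security_group_ingress(self, GroupId, IpPermissions):
        for perm in IpPermissions:
            present = {r["CidrIp"] for r in _ranges_for_port(self.groups[GroupId], perm["FromPort"])}
            if any(r["CidrIp"] in present for r in perm["IpRanges"]):
                exc = Exception("InvalidPermission.Duplicate")
                exc.response = {"Error": {"Code": "InvalidPermission.Duplicate"}}  # mimic ClientError
                raise exc
            self.groups[GroupId].append({**perm, "IpRanges": list(perm["IpRanges"])})
        return {"Return": True}


def demo():
    """Constructed scenario: the group holds an old rule we created plus an unrelated 'office' rule."""
    existing = [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "198.51.100.10/32", "Description": DEFAULT_DESCRIPTION},
                              {"CidrIp": "203.0.113.0/24", "Description": "office"}]}]
    ec2 = FakeEC2("sg-0123456789", existing)
    first = sync_ingress_rule(ec2, "sg-0123456789", "198.51.100.20/32")   # rotates the rule
    second = sync_ingress_rule(ec2, "sg-0123456789", "198.51.100.20/32")  # no-op on rerun
    return first, second, ec2


if __name__ == "__main__":
    print(demo()[:2])
```

Because the handler now describes and revokes as well as authorizes, the execution role needs ec2:DescribeSecurityGroups and ec2:RevokeSecurityGroupIngress alongside ec2:AuthorizeSecurityGroupIngress, and "Resource" can be narrowed from "*" to the group's own ARN (arn:aws:ec2:<region>:<account-id>:security-group/<sg-id>) so the role cannot touch any other group.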
