Scenario: I create 4 different Lambda functions using Docker images. Each function is created from a separate image. Each function contains different FastAPI routes for a different service.
I create an API Gateway and invoke the 4 different Lambda functions with proxy integration. For each, I create a resource and an ANY method. All Lambda functions are created in the same account, same VPC and same security group. I create another Lambda function from a Docker image. This function makes calls to different routes in the API Gateway.
I create a resource policy for the API gateway:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::account-id:role/Lambda-5-Role"
            },
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:account-id:api-id/*"
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:account-id:api-id/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "x.x.x.x",
                        "y.y.y.y"
                    ]
                }
            }
        }
    ]
}
The Lambda-5-Role contains:
AWSLambdaBasicExecutionRole, AWSLambdaVPCAccessExecutionRole, CreateNetworkInterface policy permissions, and the following permission:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:account-id:api-id/*"
        }
    ]
}
When I test it, I get:
{
    "Message": "User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-east-1:account-id:api-id/stage/method/route"
}
It works fine without the resource policy. What is the mistake I am making?
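The "User: anonymous" wording in the error above is what API Gateway returns when a request reaches the API without a recognised IAM identity. API Gateway attributes a call to an IAM principal only when the method's authorization type is AWS_IAM and the request carries a SigV4 signature made with that principal's credentials; an unsigned request is evaluated as anonymous, so the first statement (Principal = Lambda-5-Role) can never match and only the aws:SourceIp statement is consulted. The following is an added example, not code from the question: a standard-library SigV4 signer a Python Lambda can use to call the API with its execution role's credentials, which Lambda exposes as the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN environment variables. The API ID, stage, route and credentials in example_headers() are constructed placeholders, not real values.

```python
"""SigV4 signing for API Gateway (execute-api) with only the standard library.

Added example, not from the question. Credentials, API ID, stage and route used
in example_headers() are constructed placeholders.
"""
import datetime
import hashlib
import hmac
import os
import urllib.parse
import urllib.request

SERVICE = "execute-api"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, datestamp: str, region: str, service: str = SERVICE) -> bytes:
    """Derive the per-day signing key: HMAC chain over date, region, service, 'aws4_request'."""
    key = _hmac(("AWS4" + secret_key).encode("utf-8"), datestamp)
    key = _hmac(key, region)
    key = _hmac(key, service)
    return _hmac(key, "aws4_request")


def sigv4_headers(method, url, body, access_key, secret_key, session_token, region, now=None):
    """Return the headers to add so API Gateway attributes the call to the credential owner.

    Signed headers are host, x-amz-date and, for temporary credentials (what a Lambda
    execution role hands out), x-amz-security-token. Other headers can be added freely.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    datestamp = now.strftime("%Y%m%d")

    parts = urllib.parse.urlsplit(url)
    # The path is expected to be URL-encoded already; quoting it again is the double
    # encoding SigV4 specifies for every service except S3.
    canonical_uri = urllib.parse.quote(parts.path or "/", safe="/~")
    # Query parameters: percent-encode keys and values, sort by key then value.
    pairs = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    canonical_query = "&".join(
        f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
        for k, v in sorted(pairs)
    )

    headers = {"host": parts.netloc, "x-amz-date": amz_date}
    if session_token:
        headers["x-amz-security-token"] = session_token
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    payload_hash = hashlib.sha256(body).hexdigest()

    canonical_request = "\n".join(
        [method.upper(), canonical_uri, canonical_query, canonical_headers, signed_headers, payload_hash]
    )
    scope = f"{datestamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()]
    )
    signature = hmac.new(
        signing_key(secret_key, datestamp, region), string_to_sign.encode("utf-8"), hashlib.sha256
    ).hexdigest()

    out = {k: v for k, v in headers.items() if k != "host"}  # urllib sets Host itself
    out["Authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return out


def invoke(url, method="GET", body=b"", region="us-east-1"):
    """Sign with the Lambda execution role's credentials (from the environment) and send."""
    headers = sigv4_headers(
        method, url, body,
        os.environ["AWS_ACCESS_KEY_ID"], os.environ["AWS_SECRET_ACCESS_KEY"],
        os.environ.get("AWS_SESSION_TOKEN"), region,
    )
    req = urllib.request.Request(url, data=body or None, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()


def example_headers(body=b"", path="/prod/service1/items?limit=10&q=a%20b"):
    """Reproducible signing with constructed credentials and a fixed clock (not valid AWS keys)."""
    fixed = datetime.datetime(2015, 8, 30, 12, 36, 0, tzinfo=datetime.timezone.utc)
    url = "https://abc123.execute-api.us-east-1.amazonaws.com" + path
    return sigv4_headers(
        "POST" if body else "GET", url, body,
        "AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", "FwoGZXIvYXdzEXAMPLETOKEN",
        "us-east-1", now=fixed,
    )


if __name__ == "__main__":
    for k, v in example_headers().items():
        print(f"{k}: {v}")
```

Call invoke() from the fifth function with the invoke URL of the route it needs. The method on each API Gateway resource has to use AWS_IAM authorization; with authorization NONE the signature is never evaluated and the request still arrives as anonymous. If the VPC-attached Lambda reaches the public execute-api endpoint through a NAT gateway, the source address the second statement sees is the NAT gateway's public IP, not an address from the VPC's private ranges.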