AWS Lambda
Developer Guide
The features of AWS services or of the AWS documentation may differ by region or location. See Getting Started with Amazon AWS for the specific differences that apply to the China (Beijing) Region.

Permissions Required to Use the AWS Lambda Console

To take advantage of the integrated experience that the AWS Lambda console provides, a user typically needs more permissions than the API-specific permissions listed in the reference table, depending on what you want the user to be able to do. For more information about Lambda API actions, see Lambda API Permissions: Actions, Resources, and Conditions Reference.

For example, suppose you grant an IAM user in your account permission to create a Lambda function that processes Amazon S3 object-created events. To let that user configure Amazon S3 as an event source, the console shows a drop-down list of your buckets. However, the console can only display that bucket list if the signed-in user has permission for the relevant Amazon S3 actions.

The following sections describe the additional permissions required at each integration point. For information about the integration points, see How to Use.

If you are new to managing permissions, we recommend that you start with the example walkthrough, in which you create an IAM user, grant the user incremental permissions, and use the AWS Lambda console to verify that the permissions work (see Customer Managed Policy Examples).

Note

All of these permissions policies grant a specific AWS service permission to invoke a Lambda function. The user who configures the integration must have permission to invoke the Lambda function; otherwise, the user cannot set up the configuration. You can attach the AWSLambdaRole AWS managed (predefined) permissions policy to the user to provide these permissions.

Amazon API Gateway

When you configure an API endpoint in the console, the console makes several API Gateway API calls. These calls require permission for the apigateway:* action, as shown:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ApiGatewayPermissions",
      "Effect": "Allow",
      "Action": [
        "apigateway:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AddPermissionToFunctionPolicy",
      "Effect": "Allow",
      "Action": [
        "lambda:AddPermission",
        "lambda:RemovePermission",
        "lambda:GetPolicy"
      ],
      "Resource": "arn:aws:lambda:region:account-id:function:*"
    },
    {
      "Sid": "ListEventSourcePerm",
      "Effect": "Allow",
      "Action": [
        "lambda:ListEventSourceMappings"
      ],
      "Resource": "*"
    }
  ]
}

Amazon CloudWatch Events

You can schedule when a Lambda function is invoked. After you select an existing CloudWatch Events rule (or create a new one), AWS Lambda creates a new target in CloudWatch that invokes your Lambda function. To complete the target creation, you need to grant the following additional permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EventPerms",
      "Effect": "Allow",
      "Action": [
        "events:PutRule",
        "events:ListRules",
        "events:ListRuleNamesByTarget",
        "events:PutTargets",
        "events:RemoveTargets",
        "events:DescribeRule",
        "events:TestEventPattern",
        "events:ListTargetsByRule",
        "events:DeleteRule"
      ],
      "Resource": "arn:aws:events:region:account-id:*"
    },
    {
      "Sid": "AddPermissionToFunctionPolicy",
      "Effect": "Allow",
      "Action": [
        "lambda:AddPermission",
        "lambda:RemovePermission",
        "lambda:GetPolicy"
      ],
      "Resource": "arn:aws:lambda:region:account-id:function:*"
    }
  ]
}

Amazon CloudWatch Logs

You can have the Amazon CloudWatch Logs service publish events and invoke a Lambda function. When you configure this service as an event source, the console lists the log groups in your account. To complete that listing, you need to grant the logs:DescribeLogGroups permission, as shown:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudWatchLogsPerms",
      "Effect": "Allow",
      "Action": [
        "logs:FilterLogEvents",
        "logs:DescribeLogGroups",
        "logs:PutSubscriptionFilter",
        "logs:DescribeSubscriptionFilters",
        "logs:DeleteSubscriptionFilter",
        "logs:TestMetricFilter"
      ],
      "Resource": "arn:aws:logs:region:account-id:*"
    },
    {
      "Sid": "AddPermissionToFunctionPolicy",
      "Effect": "Allow",
      "Action": [
        "lambda:AddPermission",
        "lambda:RemovePermission",
        "lambda:GetPolicy"
      ],
      "Resource": "arn:aws:lambda:region:account-id:function:*"
    },
    {
      "Sid": "ListEventSourceMappingsPerms",
      "Effect": "Allow",
      "Action": [
        "lambda:ListEventSourceMappings"
      ],
      "Resource": "*"
    }
  ]
}

Note

Managing subscription filters requires the additional permissions shown above.

Amazon Cognito

The console lists the identity pools in your account. After you select a pool, you can configure it to use the Cognito sync trigger as the event source type. For this, you need to grant the following additional permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CognitoPerms1",
      "Effect": "Allow",
      "Action": [
        "cognito-identity:ListIdentityPools"
      ],
      "Resource": [
        "arn:aws:cognito-identity:region:account-id:*"
      ]
    },
    {
      "Sid": "CognitoPerms2",
      "Effect": "Allow",
      "Action": [
        "cognito-sync:GetCognitoEvents",
        "cognito-sync:SetCognitoEvents"
      ],
      "Resource": [
        "arn:aws:cognito-sync:region:account-id:*"
      ]
    },
    {
      "Sid": "AddPermissionToFunctionPolicy",
      "Effect": "Allow",
      "Action": [
        "lambda:AddPermission",
        "lambda:RemovePermission",
        "lambda:GetPolicy"
      ],
      "Resource": "arn:aws:lambda:region:account-id:function:*"
    },
    {
      "Sid": "ListEventSourcePerms",
      "Effect": "Allow",
      "Action": [
        "lambda:ListEventSourceMappings"
      ],
      "Resource": "*"
    }
  ]
}

Amazon DynamoDB

The console lists all the tables in your account. After you select a table, the console checks whether a DynamoDB stream exists for that table; if not, it creates the stream. If you want the user to be able to configure a DynamoDB stream as the event source for a Lambda function, you need to grant the following additional permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DDBpermissions1",
      "Effect": "Allow",
      "Action": [
        "dynamodb:DescribeStream",
        "dynamodb:DescribeTable",
        "dynamodb:UpdateTable"
      ],
      "Resource": "arn:aws:dynamodb:region:account-id:table/*"
    },
    {
      "Sid": "DDBpermissions2",
      "Effect": "Allow",
      "Action": [
        "dynamodb:ListStreams",
        "dynamodb:ListTables"
      ],
      "Resource": "*"
    },
    {
      "Sid": "LambdaGetPolicyPerm",
      "Effect": "Allow",
      "Action": [
        "lambda:GetPolicy"
      ],
      "Resource": "arn:aws:lambda:region:account-id:function:*"
    },
    {
      "Sid": "LambdaEventSourcePerms",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateEventSourceMapping",
        "lambda:DeleteEventSourceMapping",
        "lambda:GetEventSourceMapping",
        "lambda:ListEventSourceMappings",
        "lambda:UpdateEventSourceMapping"
      ],
      "Resource": "*"
    }
  ]
}

Important

For a Lambda function that reads from a DynamoDB stream, the execution role associated with the function must have the correct permissions. Therefore, before you can grant those permissions to the execution role, the user must also hold the same permissions. You can grant them by attaching the AWSLambdaDynamoDBExecutionRole predefined policy first to the user and then to the execution role.
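The two checks a practitioner usually wants from this page are "does the user's policy actually cover every call the console makes?" (the API Gateway section above) and "does the user already hold everything the execution role will receive?" (the Important note just above). The following script is an added example, not code from the AWS documentation: it is a deliberately simplified, offline IAM identity-policy evaluator (Allow/Deny, `*` and `?` wildcards in Action and Resource; no Condition, NotAction, NotResource, resource-based policies, SCPs or permissions boundaries) applied to the page's API Gateway and DynamoDB policies. The region, account id, function name, the list of console calls and the execution-role policy (modelled on AWSLambdaDynamoDBExecutionRole) are constructed sample values.

```python
"""Added example: offline, simplified IAM policy evaluation for the console
permissions described on this page. Not AWS documentation code.
Only Effect/Action/Resource are evaluated (no Condition, NotAction,
NotResource, resource policies, SCPs or boundaries)."""
import re

REGION, ACCOUNT = "us-west-2", "123456789012"   # constructed placeholder values
FUNCTION_ARN = f"arn:aws:lambda:{REGION}:{ACCOUNT}:function:*"


def _matches(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _listed(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy, action, resource):
    """True if `policy` allows `action` on `resource`. An explicit Deny always wins,
    and with no matching statement the request is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action, ignore_case=True) for a in _listed(stmt.get("Action", []))):
            continue
        if not any(_matches(r, resource) for r in _listed(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_permissions(policy, required):
    """Return the (action, resource) pairs in `required` that `policy` does not allow."""
    return [(a, r) for a, r in required if not is_allowed(policy, a, r)]


def actions_user_cannot_grant(user_policy, role_policy):
    """DynamoDB note: every Allow in the execution-role policy must also be held by the user."""
    return [(a, r) for s in role_policy["Statement"] if s["Effect"] == "Allow"
            for a in _listed(s["Action"]) for r in _listed(s["Resource"])
            if not is_allowed(user_policy, a, r)]


def with_attached(policy, extra):
    """Model attaching a second policy to the same principal: the statements are unioned."""
    return {"Version": "2012-10-17", "Statement": policy["Statement"] + extra["Statement"]}


def broad_grants(policy):
    """Sids of Allow statements that grant a wildcard action on Resource '*' (least-privilege review)."""
    return [s.get("Sid", "<no Sid>") for s in policy["Statement"] if s["Effect"] == "Allow"
            and any(a == "*" or a.endswith(":*") for a in _listed(s["Action"]))
            and "*" in _listed(s["Resource"])]


# The page's API Gateway console policy with the placeholders filled in.
APIGW_USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ApiGatewayPermissions", "Effect": "Allow", "Action": ["apigateway:*"], "Resource": "*"},
    {"Sid": "AddPermissionToFunctionPolicy", "Effect": "Allow",
     "Action": ["lambda:AddPermission", "lambda:RemovePermission", "lambda:GetPolicy"],
     "Resource": FUNCTION_ARN},
    {"Sid": "ListEventSourcePerm", "Effect": "Allow",
     "Action": ["lambda:ListEventSourceMappings"], "Resource": "*"},
]}

# Constructed sample of the calls the console makes while wiring a function to an endpoint.
APIGW_CONSOLE_CALLS = [
    ("apigateway:GET", f"arn:aws:apigateway:{REGION}::/restapis"),
    ("apigateway:POST", f"arn:aws:apigateway:{REGION}::/restapis/abc123/resources"),
    ("lambda:AddPermission", f"arn:aws:lambda:{REGION}:{ACCOUNT}:function:my-func"),
    ("lambda:GetPolicy", f"arn:aws:lambda:{REGION}:{ACCOUNT}:function:my-func"),
    ("lambda:ListEventSourceMappings", "*"),
]

# The DynamoDB-specific statements of the page's DynamoDB console policy.
DDB_USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DDBpermissions1", "Effect": "Allow",
     "Action": ["dynamodb:DescribeStream", "dynamodb:DescribeTable", "dynamodb:UpdateTable"],
     "Resource": f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/*"},
    {"Sid": "DDBpermissions2", "Effect": "Allow",
     "Action": ["dynamodb:ListStreams", "dynamodb:ListTables"], "Resource": "*"},
]}

# Constructed stand-in for the execution-role policy (modelled on AWSLambdaDynamoDBExecutionRole).
DDB_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["dynamodb:DescribeStream", "dynamodb:GetRecords", "dynamodb:GetShardIterator",
                "dynamodb:ListStreams", "logs:CreateLogGroup", "logs:CreateLogStream",
                "logs:PutLogEvents"]},
]}

if __name__ == "__main__":
    print("API Gateway calls not covered:", missing_permissions(APIGW_USER_POLICY, APIGW_CONSOLE_CALLS))
    print("Broad statements to review:", broad_grants(APIGW_USER_POLICY))
    print("Role actions the user lacks:", actions_user_cannot_grant(DDB_USER_POLICY, DDB_ROLE_POLICY))
    print("After attaching the role policy to the user too:",
          actions_user_cannot_grant(with_attached(DDB_USER_POLICY, DDB_ROLE_POLICY), DDB_ROLE_POLICY))
```

Run as-is to see the four results. Two points worth noticing: `actions_user_cannot_grant` reports dynamodb:DescribeStream even though the user policy contains that action, because the user's grant is scoped to `table/*` ARNs while the role's grant is on `*`, and this page's rule is that the user holds the same permissions; and `broad_grants` flags `ApiGatewayPermissions` because `apigateway:*` on `*` is exactly the kind of statement to scope down once you know which API Gateway resources the user should touch.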

Amazon Kinesis Streams

The console lists the Kinesis streams in your account. After you select a stream, the console creates an event source mapping in AWS Lambda. For this to work, you need to grant the following additional permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermissionForDescribeStream",
      "Effect": "Allow",
      "Action": [
        "kinesis:DescribeStream"
      ],
      "Resource": "arn:aws:kinesis:region:account-id:stream/*"
    },
    {
      "Sid": "PermissionForListStreams",
      "Effect": "Allow",
      "Action": [
        "kinesis:ListStreams"
      ],
      "Resource": "*"
    },
    {
      "Sid": "PermissionForGetFunctionPolicy",
      "Effect": "Allow",
      "Action": [
        "lambda:GetPolicy"
      ],
      "Resource": "arn:aws:lambda:region:account-id:function:*"
    },
    {
      "Sid": "LambdaEventSourcePerms",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateEventSourceMapping",
        "lambda:DeleteEventSourceMapping",
        "lambda:GetEventSourceMapping",
        "lambda:ListEventSourceMappings",
        "lambda:UpdateEventSourceMapping"
      ],
      "Resource": "*"
    }
  ]
}

Amazon S3

The console populates the list of buckets in the AWS account and looks up the location of each bucket. After you configure Amazon S3 as an event source, the console updates the bucket notification configuration. For this to work, you need to grant the following additional permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3Permissions",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetBucketNotification",
        "s3:PutBucketNotification",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "AddPermissionToFunctionPolicy",
      "Effect": "Allow",
      "Action": [
        "lambda:AddPermission",
        "lambda:RemovePermission"
      ],
      "Resource": "arn:aws:lambda:region:account-id:function:*"
    }
  ]
}

Amazon SNS

The console lists the Amazon Simple Notification Service (Amazon SNS) topics in your account. After you select a topic, AWS Lambda subscribes your Lambda function to that Amazon SNS topic. For this to work, you need to grant the following additional permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SNSPerms",
      "Effect": "Allow",
      "Action": [
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics",
        "sns:Subscribe",
        "sns:Unsubscribe"
      ],
      "Resource": "arn:aws:sns:region:account-id:*"
    },
    {
      "Sid": "AddPermissionToFunctionPolicy",
      "Effect": "Allow",
      "Action": [
        "lambda:AddPermission",
        "lambda:RemovePermission",
        "lambda:GetPolicy"
      ],
      "Resource": "arn:aws:lambda:region:account-id:function:*"
    },
    {
      "Sid": "LambdaListESMappingsPerms",
      "Effect": "Allow",
      "Action": [
        "lambda:ListEventSourceMappings"
      ],
      "Resource": "*"
    }
  ]
}

AWS IoT

The console lists all AWS IoT rules. After you select a rule, the console populates the user interface with the remaining information associated with that rule. If you select an existing rule, the console updates it with the information needed to send events to AWS Lambda. You can also create a new rule. To perform these operations, the user must have the following additional permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IoTperms",
      "Effect": "Allow",
      "Action": [
        "iot:GetTopicRule",
        "iot:CreateTopicRule",
        "iot:ReplaceTopicRule"
      ],
      "Resource": "arn:aws:iot:region:account-id:*"
    },
    {
      "Sid": "IoTlistTopicRulePerms",
      "Effect": "Allow",
      "Action": [
        "iot:ListTopicRules"
      ],
      "Resource": "*"
    },
    {
      "Sid": "LambdaPerms",
      "Effect": "Allow",
      "Action": [
        "lambda:AddPermission",
        "lambda:RemovePermission",
        "lambda:GetPolicy"
      ],
      "Resource": "arn:aws:lambda:region:account-id:function:*"
    }
  ]
}