Amazon SAM 连接器参考

本节包含Amazon Serverless Application Model (Amazon SAM) 连接器资源类型的参考信息。有关连接器的简介，请参阅使用 Amazon SAM 连接器管理资源权限。

连接器支持的源资源和目的地资源类型

AWS::Serverless::Connector 资源类型支持源资源资源和目的地资源之间一定数量的连接。在 Amazon SAM 模板中配置连接器时，请使用下表来参考支持的连接以及需要为每种源资源和目的地资源类型定义的属性。有关在模板中配置连接器的更多信息，请参阅AWS::Serverless::Connector。

对于源资源和目标资源，如果在同一个模板中定义，则使用 Id 属性。或者，可以添加 Qualifier 以缩小您定义的资源范围。当资源不在同一个模板中时，请使用受支持属性的组合。

要申请新的连接，请在serverless-application-model Amazon GitHub存储库中提交新问题。

源类型	目的地类型	权限	源属性	目的地属性
`AWS::ApiGateway::RestApi`	`AWS::Lambda::Function`	`Write`	`Id` 或 `Qualifier`、`ResourceId` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::ApiGateway::RestApi`	`AWS::Serverless::Function`	`Write`	`Id` 或 `Qualifier`、`ResourceId` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::ApiGatewayV2::Api`	`AWS::Lambda::Function`	`Write`	`Id` 或 `Qualifier`、`ResourceId` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::ApiGatewayV2::Api`	`AWS::Serverless::Function`	`Write`	`Id` 或 `Qualifier`、`ResourceId` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::AppSync::DataSource`	`AWS::DynamoDB::Table`	`Read`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::AppSync::DataSource`	`AWS::DynamoDB::Table`	`Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::AppSync::DataSource`	`AWS::Events::EventBus`	`Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::AppSync::DataSource`	`AWS::Lambda::Function`	`Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::AppSync::DataSource`	`AWS::Serverless::Function`	`Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::AppSync::DataSource`	`AWS::Serverless::SimpleTable`	`Read`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::AppSync::DataSource`	`AWS::Serverless::SimpleTable`	`Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::AppSync::GraphQLApi`	`AWS::Lambda::Function`	`Write`	`Id` 或 `ResourceId` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::AppSync::GraphQLApi`	`AWS::Serverless::Function`	`Write`	`Id` 或 `ResourceId` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::DynamoDB::Table`	`AWS::Lambda::Function`	`Read`	`Id` 或 `Arn` 和 `Type`	`Id` 或 `RoleName` 和 `Type`
`AWS::DynamoDB::Table`	`AWS::Serverless::Function`	`Read`	`Id` 或 `Arn` 和 `Type`	`Id` 或 `RoleName` 和 `Type`
`AWS::Events::Rule`	`AWS::Events::EventBus`	`Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Events::Rule`	`AWS::Lambda::Function`	`Write`	`Id` 或 `Arn` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Events::Rule`	`AWS::Serverless::Function`	`Write`	`Id` 或 `Arn` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Events::Rule`	`AWS::Serverless::StateMachine`	`Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Events::Rule`	`AWS::SNS::Topic`	`Write`	`Id` 或 `Arn` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Events::Rule`	`AWS::SQS::Queue`	`Write`	`Id` 或 `Arn` 和 `Type`	`Id` 或 `Arn`、`QueueUrl` 和 `Type`
`AWS::Events::Rule`	`AWS::StepFunctions::StateMachine`	`Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Lambda::Function`	`AWS::DynamoDB::Table`	`Read`, `Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Lambda::Function`	`AWS::Events::EventBus`	`Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Lambda::Function`	`AWS::Lambda::Function`	`Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Lambda::Function`	`AWS::Location::PlaceIndex`	`Read`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Lambda::Function`	`AWS::S3::Bucket`	`Read`, `Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Lambda::Function`	`AWS::Serverless::Function`	`Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Lambda::Function`	`AWS::Serverless::SimpleTable`	`Read`, `Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Lambda::Function`	`AWS::Serverless::StateMachine`	`Read`, `Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn`、`Name` 和 `Type`
`AWS::Lambda::Function`	`AWS::SNS::Topic`	`Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Lambda::Function`	`AWS::SQS::Queue`	`Read`, `Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Lambda::Function`	`AWS::StepFunctions::StateMachine`	`Read`, `Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn`、`Name` 和 `Type`
`AWS::S3::Bucket`	`AWS::Lambda::Function`	`Write`	`Id` 或 `Arn` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::S3::Bucket`	`AWS::Serverless::Function`	`Write`	`Id` 或 `Arn` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Serverless::Api`	`AWS::Lambda::Function`	`Write`	`Id` 或 `Qualifier`、`ResourceId` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Serverless::Api`	`AWS::Serverless::Function`	`Write`	`Id` 或 `Qualifier`、`ResourceId` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Serverless::Function`	`AWS::DynamoDB::Table`	`Read`, `Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Serverless::Function`	`AWS::Events::EventBus`	`Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Serverless::Function`	`AWS::Lambda::Function`	`Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Serverless::Function`	`AWS::S3::Bucket`	`Read`, `Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Serverless::Function`	`AWS::Serverless::Function`	`Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Serverless::Function`	`AWS::Serverless::SimpleTable`	`Read`, `Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Serverless::Function`	`AWS::Serverless::StateMachine`	`Read`, `Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn`、`Name` 和 `Type`
`AWS::Serverless::Function`	`AWS::SNS::Topic`	`Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Serverless::Function`	`AWS::SQS::Queue`	`Read`, `Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Serverless::Function`	`AWS::StepFunctions::StateMachine`	`Read`, `Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn`、`Name` 和 `Type`
`AWS::Serverless::HttpApi`	`AWS::Lambda::Function`	`Write`	`Id` 或 `Qualifier`、`ResourceId` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Serverless::HttpApi`	`AWS::Serverless::Function`	`Write`	`Id` 或 `Qualifier`、`ResourceId` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Serverless::SimpleTable`	`AWS::Lambda::Function`	`Read`	`Id` 或 `Arn` 和 `Type`	`Id` 或 `RoleName` 和 `Type`
`AWS::Serverless::SimpleTable`	`AWS::Serverless::Function`	`Read`	`Id` 或 `Arn` 和 `Type`	`Id` 或 `RoleName` 和 `Type`
`AWS::Serverless::StateMachine`	`AWS::DynamoDB::Table`	`Read`, `Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Serverless::StateMachine`	`AWS::Events::EventBus`	`Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Serverless::StateMachine`	`AWS::Lambda::Function`	`Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Serverless::StateMachine`	`AWS::S3::Bucket`	`Read`, `Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Serverless::StateMachine`	`AWS::Serverless::Function`	`Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Serverless::StateMachine`	`AWS::Serverless::SimpleTable`	`Read`, `Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Serverless::StateMachine`	`AWS::Serverless::StateMachine`	`Read`, `Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn`、`Name` 和 `Type`
`AWS::Serverless::StateMachine`	`AWS::SNS::Topic`	`Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Serverless::StateMachine`	`AWS::SQS::Queue`	`Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::Serverless::StateMachine`	`AWS::StepFunctions::StateMachine`	`Read`, `Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn`、`Name` 和 `Type`
`AWS::SNS::Topic`	`AWS::Lambda::Function`	`Write`	`Id` 或 `Arn` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::SNS::Topic`	`AWS::Serverless::Function`	`Write`	`Id` 或 `Arn` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::SNS::Topic`	`AWS::SQS::Queue`	`Write`	`Id` 或 `Arn` 和 `Type`	`Id` 或 `Arn`、`QueueUrl` 和 `Type`
`AWS::SQS::Queue`	`AWS::Lambda::Function`	`Read`, `Write`	`Id` 或 `Arn` 和 `Type`	`Id` 或 `RoleName` 和 `Type`
`AWS::SQS::Queue`	`AWS::Serverless::Function`	`Read`, `Write`	`Id` 或 `Arn` 和 `Type`	`Id` 或 `RoleName` 和 `Type`
`AWS::StepFunctions::StateMachine`	`AWS::DynamoDB::Table`	`Read`, `Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::StepFunctions::StateMachine`	`AWS::Events::EventBus`	`Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::StepFunctions::StateMachine`	`AWS::Lambda::Function`	`Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::StepFunctions::StateMachine`	`AWS::S3::Bucket`	`Read`, `Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::StepFunctions::StateMachine`	`AWS::Serverless::Function`	`Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::StepFunctions::StateMachine`	`AWS::Serverless::SimpleTable`	`Read`, `Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::StepFunctions::StateMachine`	`AWS::Serverless::StateMachine`	`Read`, `Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn`、`Name` 和 `Type`
`AWS::StepFunctions::StateMachine`	`AWS::SNS::Topic`	`Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::StepFunctions::StateMachine`	`AWS::SQS::Queue`	`Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn` 和 `Type`
`AWS::StepFunctions::StateMachine`	`AWS::StepFunctions::StateMachine`	`Read`, `Write`	`Id` 或 `RoleName` 和 `Type`	`Id` 或 `Arn`、`Name` 和 `Type`

连接器创建的 IAM 策略

本节记录了使用连接器时 Amazon SAM 创建的 Amazon Identity and Access Management（IAM）策略。

AWS::DynamoDB::Table 到 AWS::Lambda::Function

策略类型

客户管理型策略附加在 AWS::Lambda::Function 角色上。

访问类别

Read


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:DescribeStream",
        "dynamodb:GetRecords",
        "dynamodb:GetShardIterator",
        "dynamodb:ListStreams"
      ],
      "Resource": [
        "%{Source.Arn}/stream/*"
      ]
    }
  ]
}

AWS::Events::Rule 到 AWS::SNS::Topic

策略类型

AWS::SNS::TopicPolicy 附加在 AWS::SNS::Topic 上。

访问类别

Write


{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Resource": "%{Destination.Arn}",
      "Action": "sns:Publish",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "%{Source.Arn}"
        }
      }
    }
  ]
}

AWS::Events::Rule 到 AWS::Events::EventBus

策略类型

客户管理型策略附加在 AWS::Events::Rule 角色上。

访问类别

Write


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "events:PutEvents"
      ],
      "Resource": [
        "%{Destination.Arn}"
      ]
    }
  ]
}

AWS::Events::Rule 到 AWS::StepFunctions::StateMachine

策略类型

客户管理型策略附加在 AWS::Events::Rule 角色上。

访问类别

Write


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "states:StartExecution"
      ],
      "Resource": [
        "%{Destination.Arn}"
      ]
    }
  ]
}

AWS::Events::Rule 到 AWS::Lambda::Function

策略类型

AWS::Lambda::Permission 附加在 AWS::Lambda::Function 上。

访问类别

Write


{
  "Action": "lambda:InvokeFunction",
  "Principal": "events.amazonaws.com",
  "SourceArn": "%{Source.Arn}"
}

AWS::Events::Rule 到 AWS::SQS::Queue

策略类型

AWS::SQS::QueuePolicy 附加在 AWS::SQS::Queue 上。

访问类别

Write


{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Resource": "%{Destination.Arn}",
      "Action": "sqs:SendMessage",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "%{Source.Arn}"
        }
      }
    }
  ]
}

AWS::Lambda::Function 到 AWS::Lambda::Function

策略类型

客户管理型策略附加在 AWS::Lambda::Function 角色上。

访问类别

Write


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeAsync",
        "lambda:InvokeFunction"
      ],
      "Resource": [
        "%{Destination.Arn}"
      ]
    }
  ]
}

AWS::Lambda::Function 到 AWS::S3::Bucket

策略类型

客户管理型策略附加在 AWS::Lambda::Function 角色上。

访问类别

Read


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectLegalHold",
        "s3:GetObjectRetention",
        "s3:GetObjectTorrent",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionTorrent",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": [
        "%{Destination.Arn}",
        "%{Destination.Arn}/*"
      ]
    }
  ]
}

Write


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:PutObject",
        "s3:PutObjectLegalHold",
        "s3:PutObjectRetention",
        "s3:RestoreObject"
      ],
      "Resource": [
        "%{Destination.Arn}",
        "%{Destination.Arn}/*"
      ]
    }
  ]
}

AWS::Lambda::Function 到 AWS::DynamoDB::Table

策略类型

客户管理型策略附加在 AWS::Lambda::Function 角色上。

访问类别

Read


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:BatchGetItem",
        "dynamodb:ConditionCheckItem",
        "dynamodb:PartiQLSelect"
      ],
      "Resource": [
        "%{Destination.Arn}",
        "%{Destination.Arn}/index/*"
      ]
    }
  ]
}

Write


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:BatchWriteItem",
        "dynamodb:PartiQLDelete",
        "dynamodb:PartiQLInsert",
        "dynamodb:PartiQLUpdate"
      ],
      "Resource": [
        "%{Destination.Arn}",
        "%{Destination.Arn}/index/*"
      ]
    }
  ]
}

AWS::Lambda::Function 到 AWS::SQS::Queue

策略类型

客户管理型策略附加在 AWS::Lambda::Function 角色上。

访问类别

Read


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:GetQueueAttributes"
      ],
      "Resource": [
        "%{Destination.Arn}"
      ]
    }
  ]
}

Write


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sqs:DeleteMessage",
        "sqs:SendMessage",
        "sqs:ChangeMessageVisibility",
        "sqs:PurgeQueue"
      ],
      "Resource": [
        "%{Destination.Arn}"
      ]
    }
  ]
}

AWS::Lambda::Function 到 AWS::SNS::Topic

策略类型

客户管理型策略附加在 AWS::Lambda::Function 角色上。

访问类别

Write


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sns:Publish"
      ],
      "Resource": [
        "%{Destination.Arn}"
      ]
    }
  ]
}

AWS::Lambda::Function 到 AWS::StepFunctions::StateMachine

策略类型

客户管理型策略附加在 AWS::Lambda::Function 角色上。

访问类别

Write


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "states:StartExecution",
        "states:StartSyncExecution"
      ],
      "Resource": [
        "%{Destination.Arn}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "states:StopExecution"
      ],
      "Resource": [
        "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:execution:%{Destination.Name}:*"
      ]
    }
  ]
}

Read


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "states:DescribeStateMachine",
        "states:ListExecutions"
      ],
      "Resource": [
        "%{Destination.Arn}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "states:DescribeExecution",
        "states:DescribeStateMachineForExecution",
        "states:GetExecutionHistory"
      ],
      "Resource": [
        "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:execution:%{Destination.Name}:*"
      ]
    }
  ]
}

AWS::Lambda::Function 到 AWS::Events::EventBus

策略类型

客户管理型策略附加在 AWS::Lambda::Function 角色上。

访问类别

Write


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "events:PutEvents"
      ],
      "Resource": [
        "%{Destination.Arn}"
      ]
    }
  ]
}

AWS::Lambda::Function 到 AWS::Location::PlaceIndex

策略类型

客户管理型策略附加在 AWS::Lambda::Function 角色上。

访问类别

Read


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "geo:DescribePlaceIndex",
        "geo:GetPlace",
        "geo:SearchPlaceIndexForPosition",
        "geo:SearchPlaceIndexForSuggestions",
        "geo:SearchPlaceIndexForText"
      ],
      "Resource": [
        "%{Destination.Arn}"
      ]
    }
  ]
}

AWS::ApiGatewayV2::Api 到 AWS::Lambda::Function

策略类型

AWS::Lambda::Permission 附加在 AWS::Lambda::Function 上。

访问类别

Write


{
  "Action": "lambda:InvokeFunction",
  "Principal": "apigateway.amazonaws.com",
  "SourceArn": "arn:${AWS::Partition}:execute-api:${AWS::Region}:${AWS::AccountId}:%{Source.ResourceId}/%{Source.Qualifier}"
}

AWS::ApiGateway::RestApi 到 AWS::Lambda::Function

策略类型

AWS::Lambda::Permission 附加在 AWS::Lambda::Function 上。

访问类别

Write


{
  "Action": "lambda:InvokeFunction",
  "Principal": "apigateway.amazonaws.com",
  "SourceArn": "arn:${AWS::Partition}:execute-api:${AWS::Region}:${AWS::AccountId}:%{Source.ResourceId}/%{Source.Qualifier}"
}

AWS::SNS::Topic 到 AWS::SQS::Queue

策略类型

AWS::SQS::QueuePolicy 附加在 AWS::SQS::Queue 上。

访问类别

Write


{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "sns.amazonaws.com"
      },
      "Resource": "%{Destination.Arn}",
      "Action": "sqs:SendMessage",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "%{Source.Arn}"
        }
      }
    }
  ]
}

AWS::SNS::Topic 到 AWS::Lambda::Function

策略类型

AWS::Lambda::Permission 附加在 AWS::Lambda::Function 上。

访问类别

Write


{
  "Action": "lambda:InvokeFunction",
  "Principal": "sns.amazonaws.com",
  "SourceArn": "%{Source.Arn}"
}

AWS::SQS::Queue 到 AWS::Lambda::Function

策略类型

客户管理型策略附加在 AWS::Lambda::Function 角色上。

访问类别

Write


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sqs:DeleteMessage"
      ],
      "Resource": [
        "%{Source.Arn}"
      ]
    }
  ]
}

Read


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:GetQueueAttributes"
      ],
      "Resource": [
        "%{Source.Arn}"
      ]
    }
  ]
}

AWS::S3::Bucket 到 AWS::Lambda::Function

策略类型

AWS::Lambda::Permission 附加在 AWS::Lambda::Function 上。

访问类别

Write


{
  "Action": "lambda:InvokeFunction",
  "Principal": "s3.amazonaws.com",
  "SourceArn": "%{Source.Arn}",
  "SourceAccount": "${AWS::AccountId}"
}

AWS::StepFunctions::StateMachine 到 AWS::Lambda::Function

策略类型

客户管理型策略附加在 AWS::StepFunctions::StateMachine 角色上。

访问类别

Write


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeAsync",
        "lambda:InvokeFunction"
      ],
      "Resource": [
        "%{Destination.Arn}"
      ]
    }
  ]
}

AWS::StepFunctions::StateMachine 到 AWS::SNS::Topic

策略类型

客户管理型策略附加在 AWS::StepFunctions::StateMachine 角色上。

访问类别

Write


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sns:Publish"
      ],
      "Resource": [
        "%{Destination.Arn}"
      ]
    }
  ]
}

AWS::StepFunctions::StateMachine 到 AWS::SQS::Queue

策略类型

客户管理型策略附加在 AWS::StepFunctions::StateMachine 角色上。

访问类别

Write


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sqs:SendMessage"
      ],
      "Resource": [
        "%{Destination.Arn}"
      ]
    }
  ]
}

AWS::StepFunctions::StateMachine 到 AWS::S3::Bucket

策略类型

客户管理型策略附加在 AWS::StepFunctions::StateMachine 角色上。

访问类别

Read


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectLegalHold",
        "s3:GetObjectRetention",
        "s3:GetObjectTorrent",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionTorrent",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": [
        "%{Destination.Arn}",
        "%{Destination.Arn}/*"
      ]
    }
  ]
}

Write


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:PutObject",
        "s3:PutObjectLegalHold",
        "s3:PutObjectRetention",
        "s3:RestoreObject"
      ],
      "Resource": [
        "%{Destination.Arn}",
        "%{Destination.Arn}/*"
      ]
    }
  ]
}

AWS::StepFunctions::StateMachine 到 AWS::DynamoDB::Table

策略类型

客户管理型策略附加在 AWS::StepFunctions::StateMachine 角色上。

访问类别

Read


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:BatchGetItem",
        "dynamodb:ConditionCheckItem",
        "dynamodb:PartiQLSelect"
      ],
      "Resource": [
        "%{Destination.Arn}",
        "%{Destination.Arn}/index/*"
      ]
    }
  ]
}

Write


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:BatchWriteItem",
        "dynamodb:PartiQLDelete",
        "dynamodb:PartiQLInsert",
        "dynamodb:PartiQLUpdate"
      ],
      "Resource": [
        "%{Destination.Arn}",
        "%{Destination.Arn}/index/*"
      ]
    }
  ]
}

AWS::StepFunctions::StateMachine 到 AWS::StepFunctions::StateMachine

策略类型

客户管理型策略附加在 AWS::StepFunctions::StateMachine 角色上。

访问类别

Read


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "states:DescribeExecution"
      ],
      "Resource": [
        "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:execution:%{Destination.Name}:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "events:DescribeRule"
      ],
      "Resource": [
        "arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"
      ]
    }
  ]
}

Write


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "states:StartExecution"
      ],
      "Resource": [
        "%{Destination.Arn}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "states:StopExecution"
      ],
      "Resource": [
        "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:execution:%{Destination.Name}:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "events:PutTargets",
        "events:PutRule"
      ],
      "Resource": [
        "arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"
      ]
    }
  ]
}

AWS::StepFunctions::StateMachine 到 AWS::Events::EventBus

策略类型

客户管理型策略附加在 AWS::StepFunctions::StateMachine 角色上。

访问类别

Write


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "events:PutEvents"
      ],
      "Resource": [
        "%{Destination.Arn}"
      ]
    }
  ]
}

AWS::AppSync::DataSource 到 AWS::DynamoDB::Table

策略类型

客户管理型策略附加在 AWS::AppSync::DataSource 角色上。

访问类别

Read


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:BatchGetItem",
        "dynamodb:ConditionCheckItem",
        "dynamodb:PartiQLSelect"
      ],
      "Resource": [
        "%{Destination.Arn}",
        "%{Destination.Arn}/index/*"
      ]
    }
  ]
}

Write


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:BatchWriteItem",
        "dynamodb:PartiQLDelete",
        "dynamodb:PartiQLInsert",
        "dynamodb:PartiQLUpdate"
      ],
      "Resource": [
        "%{Destination.Arn}",
        "%{Destination.Arn}/index/*"
      ]
    }
  ]
}

AWS::AppSync::DataSource 到 AWS::Lambda::Function

策略类型

客户管理型策略附加在 AWS::AppSync::DataSource 角色上。

访问类别

Write


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeAsync",
        "lambda:InvokeFunction"
      ],
      "Resource": [
        "%{Destination.Arn}",
        "%{Destination.Arn}:*"
      ]
    }
  ]
}

AWS::AppSync::DataSource 到 AWS::Events::EventBus

策略类型

客户管理型策略附加在 AWS::AppSync::DataSource 角色上。

访问类别

Write


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "events:PutEvents"
      ],
      "Resource": [
        "%{Destination.Arn}"
      ]
    }
  ]
}

AWS::AppSync::GraphQLApi 到 AWS::Lambda::Function

策略类型

AWS::Lambda::Permission 附加在 AWS::Lambda::Function 上。

访问类别

Write


{
  "Action": "lambda:InvokeFunction",
  "Principal": "appsync.amazonaws.com",
  "SourceArn": "arn:${AWS::Partition}:appsync:${AWS::Region}:${AWS::AccountId}:apis/%{Source.ResourceId}"
}

Javascript 在您的浏览器中被禁用或不可用。

要使用 Amazon Web Services 文档，必须启用 Javascript。请参阅浏览器的帮助页面以了解相关说明。

故障排除

安装 Docker