
Question

How do I attach an assume role with Lambda invocation to an API Gateway API or to all of its methods?

Create an API Gateway API for AWS Lambda Functions says to attach an IAM policy for invoking Lambda:

This means that, at a minimum, you must attach the following IAM policy to an IAM role for API Gateway to assume.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": "*"
        }
    ]
}

The role API Gateway assumes is an IAM role with the following trust relationship:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Research

It looks like lambda_permission can be attached per method, but I am not sure whether there is a way to allow invocation from any method ("*").

Update

Api Gateway unable to invoke Lambda function says to attach it per method/function from the UI.



2 Answers

resource "aws_api_gateway_rest_api" "api_gw" {
  name        = "your-api-gw-name"
  description = "your api gateway description"
}

data "aws_caller_identity" "current" {}

resource "aws_lambda_permission" "lambda_permission" {
  statement_id  = "AllowExecutionFromAPIGateway"
  action        = "lambda:InvokeFunction"

  #your lambda function ARN
  function_name = "arn:aws:lambda:${var.aws_region}:${data.aws_caller_identity.current.account_id}:function:lambda-function-name"
  principal     = "apigateway.amazonaws.com"
  source_arn = "arn:aws:execute-api:${var.aws_region}:${data.aws_caller_identity.current.account_id}:${aws_api_gateway_rest_api.api_gw.id}/*/POST/"
}

Note: declare the aws_region variable with your region value in your variable.tf file.

answered 2018-08-21T13:02:26.263

Specifying a Lambda permission for the API Gateway REST API with source_arn set to the API's execution_arn should do the job.

resource "aws_lambda_permission" "apigw" {
  statement_id  = "AllowAPIGatewayInvoke"
  action        = "lambda:InvokeFunction"
  function_name = "${aws_lambda_function.example.arn}"
  principal     = "apigateway.amazonaws.com"

  #--------------------------------------------------------------------------------
  # Per deployment
  #--------------------------------------------------------------------------------
  # The /*/*  grants access from any method on any resource within the deployment.
  # source_arn = "${aws_api_gateway_deployment.test.execution_arn}/*/*"

  #--------------------------------------------------------------------------------
  # Per API
  #--------------------------------------------------------------------------------
  # The /*/*/* part allows invocation from any stage, method and resource path
  # within API Gateway REST API.
  source_arn    = "${aws_api_gateway_rest_api.example.execution_arn}/*/*/*"
}
answered 2018-08-13T02:49:01.197
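The three source_arn shapes on this page (a single method, one stage, the whole API with /*/*/*) differ only in how much of the execute-api ARN space they admit, and the Lambda resource policy evaluates them with ArnLike matching. The following Python script is an added example, not code from the question or either answer: it models that matching (each colon-delimited ARN component is compared separately, `*` matches any run of characters including `/`, `?` matches one character) and lists which constructed sample invocations each pattern admits. The account id, API id and request ARNs are placeholder values, not from the page.

```python
"""Measure the scope of an aws_lambda_permission source_arn pattern.

Added example, not from the original question or answers. Models the ArnLike
semantics applied to the AWS:SourceArn condition that source_arn creates.
All account/API identifiers and request ARNs below are constructed samples.
"""
import re

ACCOUNT = "123456789012"  # constructed placeholder account id
API_ID = "abcde12345"     # constructed placeholder REST API id
REGION = "us-east-1"


def _component_to_regex(component: str) -> str:
    """Translate one ARN component's * and ? wildcards into a regex."""
    parts = []
    for ch in component:
        if ch == "*":
            parts.append(".*")   # any run of characters, slashes included
        elif ch == "?":
            parts.append(".")    # exactly one character
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def arn_like(pattern: str, arn: str) -> bool:
    """Return True if arn is admitted by pattern under ArnLike semantics."""
    pat_parts = pattern.split(":", 5)
    arn_parts = arn.split(":", 5)
    if len(pat_parts) != 6 or len(arn_parts) != 6:
        return False  # not a full six-component ARN: never matches
    return all(
        re.fullmatch(_component_to_regex(p), a) is not None
        for p, a in zip(pat_parts, arn_parts)
    )


def execute_api_arn(stage: str, method: str, path: str) -> str:
    """Build the execute-api ARN API Gateway presents as AWS:SourceArn."""
    return f"arn:aws:execute-api:{REGION}:{ACCOUNT}:{API_ID}/{stage}/{method}{path}"


# The execution_arn Terraform exposes for the REST API, and the three
# source_arn shapes discussed in the answers above.
EXECUTION_ARN = f"arn:aws:execute-api:{REGION}:{ACCOUNT}:{API_ID}"
PATTERNS = {
    "single method (root POST)": f"{EXECUTION_ARN}/*/POST/",
    "one stage": f"{EXECUTION_ARN}/prod/*/*",
    "whole API": f"{EXECUTION_ARN}/*/*/*",
}

# Constructed sample invocations to measure each pattern against.
SAMPLE_REQUESTS = [
    execute_api_arn("prod", "POST", "/"),
    execute_api_arn("prod", "GET", "/users"),
    execute_api_arn("dev", "DELETE", "/users/42"),
    # A different API in the same account must never be admitted.
    f"arn:aws:execute-api:{REGION}:{ACCOUNT}:zzzzz99999/prod/GET/",
]


def admitted(pattern: str) -> list:
    """List the sample request ARNs that a source_arn pattern admits."""
    return [arn for arn in SAMPLE_REQUESTS if arn_like(pattern, arn)]


if __name__ == "__main__":
    for label, pattern in PATTERNS.items():
        print(f"{label}: {pattern}")
        for arn in admitted(pattern):
            print("   admits", arn)
```

Running it shows the single-method pattern admits only the root POST, the stage pattern admits every method and path under prod, and /*/*/* admits every stage, method and path of this API id while still rejecting a different API in the same account. Swapping in your own execution_arn and the invocation ARNs you actually expect is a quick way to confirm a permission is no broader than intended before applying it.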