编程语言
首页 > 编程语言> > javascript – AWS:ssm:GetParameters AccessDeniedException

javascript – AWS:ssm:GetParameters AccessDeniedException

作者:互联网

我试图在js处理程序中获取ssm参数,如下所示:

module.exports.post = (event, context, callback) => {

  var params = {
  Name: 'myParameter',  
  WithDecryption: true || false
};

ssm.getParameter(params, function(err, data) {
  if (err)   console.log(err, err.stack);   
  else       console.log(data);        
});


};

我将以下权限角色添加到我的serverless.yml文件中

iamRoleStatements:
  - Effect: Allow
    Action:
      - ssm:GetParameters
      - ssm:GetParameter
      - ssm:DescribeParameters
      - kms:Encrypt
      - kms:Decrypt
    Resource: "*"

使用CLI我可以成功执行aws ssm get-parameter –names myParameter

但是当我调用该函数时,我在cloudWatch中收到以下错误

AccessDeniedException: User: myUser is not authorized to perform:
ssm:GetParameter on resource: myResource/myParameter

我试图使用getParameters函数,获取确切的名称资源但仍然是相同的错误消息.

任何帮助将非常感激.

解决方法:

刚创建了一个无服务器项目,它按预期工作.

权限在serverless.yml中设置,仅包含执行代码所需的授权.

serverless.yml

service: poc-lambda-ssm

provider:
  name: aws
  runtime: nodejs8.10
  variableSyntax: "\\${((?!AWS)[ ~:a-zA-Z0-9._'\",\\-\\/\\(\\)]+?)}"
  iamRoleStatements:
  - Effect: Allow
    Action:
      - ssm:GetParameter
    Resource:
      - 'Fn::Join':
        - ':'
        - - 'arn:aws:ssm'
          - Ref: 'AWS::Region'
          - Ref: 'AWS::AccountId'
          - 'parameter/my-secure-param'
  - Effect: Allow
    Action:
      - kms:Decrypt
    Resource:
      - 'Fn::Join':
        - ':'
        - - 'arn:aws:kms'
          - Ref: 'AWS::Region'
          - Ref: 'AWS::AccountId'
          - 'key/alias/aws/ssm'

functions:
  hello_ssm:
    handler: handler.hello_ssm

handler.js

'use strict';

const AWS = require("aws-sdk")

AWS.config = {
    region:"us-east-1"
};

const ssm = new AWS.SSM({apiVersion: '2014-11-06'});

module.exports.hello_ssm = function(event, context, callback) {
  var params = {
    Name: 'my-secure-param', 
    WithDecryption: true 
  };

  ssm.getParameter(params, function(err, data) {
      if (err) callback(err);
      else callback(null,"my secure param is: "+data.Parameter.Value);          
  });
};

并在AWS System Manager中使用类型SecureString创建了一个名为my-secure-param的参数.

您也可以查看我的PoC Lambda SSM项目.在这个项目中,我使用无服务器开发lambda,它通过使用invoke local -f hello_ssm在本地调用.

标签:javascript,node-js,amazon-web-services,amazon-iam,serverless
来源: https://codeday.me/bug/20190705/1389819.html