I have a very simple AWS Lambda function; it just lists all my CloudWatch Events rules:
import boto3

def lambda_handler(event, context):
    # Create an EventBridge / CloudWatch Events client with the execution role's credentials
    client = boto3.client("events")
    # Return every rule the role is allowed to see
    return client.list_rules()
However, when I try to run it (with an empty test event: {}), I get the following permission exception:
An error occurred (AccessDeniedException) when calling the ListRules operation:
User: arn:aws:sts::123321123321:assumed-role/lambda+basicEvents/lambdaName
is not authorized to perform: events:ListRules
on resource: arn:aws:events:eu-west-1:123321123321:rule/*
I have attached this policy to the Lambda execution role (I can see the actions listed in the Lambda's Permissions tab):
{
    "document": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "BasicCloudWatchEventsManager",
                "Effect": "Allow",
                "Action": [
                    "events:DescribeRule",
                    "events:EnableRule",
                    "events:PutRule",
                    "events:ListRules",
                    "events:DisableRule"
                ],
                "Resource": "arn:aws:events:*:*:rule/[*/]*"
            }
        ]
    },
    "name": "BasicCloudWatchEventsManager",
    "id": "SOME7LONG7ID",
    "type": "managed",
    "arn": "arn:aws:iam::123321123321:policy/BasicCloudWatchEventsManager"
}
I built the policy with the provided visual editor and only changed the Sid by hand.
Any clue what might be missing?
Denied: Implicitly denied (no matching statements). - Faboor
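To see why the policy simulator reports "Implicitly denied (no matching statements)" for this statement, here is an added example (not code from the question or from AWS) that re-implements IAM's resource-pattern matching and checks the statement's Resource against the ARN named in the error message. It assumes only that IAM treats `*` and `?` as wildcards and every other character, including `[` and `]`, as a literal; the alternative Resource pattern it tries (`arn:aws:events:*:*:rule/*`) is a constructed comparison value.

```python
import re

# Constructed from the question: the Allow statement attached to the role,
# and the action/resource pair that CloudWatch Events reported as denied.
STATEMENT = {
    "Effect": "Allow",
    "Action": ["events:DescribeRule", "events:EnableRule", "events:PutRule",
               "events:ListRules", "events:DisableRule"],
    "Resource": "arn:aws:events:*:*:rule/[*/]*",
}
DENIED_ACTION = "events:ListRules"
DENIED_RESOURCE = "arn:aws:events:eu-west-1:123321123321:rule/*"

# Constructed alternative: same statement with a plain rule/* resource pattern.
ALT_STATEMENT = dict(STATEMENT, Resource="arn:aws:events:*:*:rule/*")


def iam_glob_to_regex(pattern: str, ignore_case: bool = False) -> re.Pattern:
    """IAM pattern matching knows exactly two wildcards: '*' (any run of
    characters) and '?' (one character). Every other character, including
    '[' and ']', must appear literally in the value being matched."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE if ignore_case else 0)


def statement_allows(statement: dict, action: str, resource: str) -> bool:
    """True if this Allow statement matches both the action and the resource.
    Action names are case-insensitive in IAM; resource ARNs are not.
    Condition keys are not modelled, since the question's policy has none."""
    if statement.get("Effect") != "Allow":
        return False
    actions = statement["Action"]
    resources = statement["Resource"]
    actions = [actions] if isinstance(actions, str) else actions
    resources = [resources] if isinstance(resources, str) else resources
    action_ok = any(iam_glob_to_regex(a, True).match(action) for a in actions)
    resource_ok = any(iam_glob_to_regex(r).match(resource) for r in resources)
    return action_ok and resource_ok


if __name__ == "__main__":
    # The literal "[" in rule/[*/]* is why the error's rule/* ARN finds no match.
    print("policy as attached:", statement_allows(STATEMENT, DENIED_ACTION, DENIED_RESOURCE))
    print("rule/* pattern:     ", statement_allows(ALT_STATEMENT, DENIED_ACTION, DENIED_RESOURCE))
```

Running the block prints False for the attached policy and True for the plain rule/* pattern; the same check can be run against any other ARN from a CloudTrail AccessDenied event to see which literal characters in a Resource pattern fail to match.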