鉴于Cloudformation目前不支持ALB Lambda集成,我正在尝试编写一个简单的脚本来创建目标组,将lambda注册到目标组,然后将侦听器规则指向该目标组.
当我通过用户界面执行此操作时,这会起作用,但是我将lambda目标注册到目标组的尝试失败(在python脚本和cli中):
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the RegisterTargets operation: elasticloadbalancing principal does not have permission to invoke <LAMBDA ARN> from target group <TARGET GROUP ARN>
下面是执行此操作的python脚本:
import boto3
import os
environment = os.environ['ENV']
cloudformation = boto3.resource('cloudformation')
elb = boto3.client('elbv2')
stack = cloudformation.Stack('boomerang')
output = [x for x in stack.outputs if x['ExportName'] == 'boomerang-beacon-lambda'][0]
beacon_arn = output['OutputValue']
response = elb.create_target_group(
TargetType='lambda',
Name='public-%s-boomerang-beacon' % environment
)
target_group_arn = response['TargetGroups'][0]['TargetGroupArn']
elb.register_targets(
TargetGroupArn=target_group_arn,
Targets=[
{
'Id': beacon_arn
},
]
)
谢谢
最佳答案 您必须创建添加lambda函数权限,以允许elasticloadbalancing委托人调用您的lambda函数.
使用CloudFormation,您可以添加以下资源以使其工作.
LambdaFunctionPermission:
Type: AWS::Lambda::Permission
Properties:
Action: lambda:InvokeFunction
FunctionName: !GetAtt LambdaTargetFunction.Arn
Principal: elasticloadbalancing.amazonaws.com
SourceArn: !Ref TargetGroup
有关Lambda Add Permission功能的更多信息,请访问:https://docs.aws.amazon.com/lambda/latest/dg/API_AddPermission.html