How do I programmatically register a Lambda listener rule with an ALB?

Given that CloudFormation does not currently support the ALB Lambda integration, I am trying to write a simple script that creates a target group, registers the Lambda with the target group, and then points a listener rule at that target group.

This works when I do it through the console, but my attempt to register the Lambda target with the target group fails (both from a Python script and from the CLI):

botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the RegisterTargets operation: elasticloadbalancing principal does not have permission to invoke <LAMBDA ARN> from target group <TARGET GROUP ARN>

Here is the Python script that does this:

import boto3
import os

# Deployment environment name (e.g. dev, prod), used in the target group name.
environment = os.environ['ENV']
cloudformation = boto3.resource('cloudformation')
elb = boto3.client('elbv2')

# Look up the Lambda ARN from the exported output of the existing stack.
# Outputs without an export have no 'ExportName' key, so use .get() here.
stack = cloudformation.Stack('boomerang')

output = [x for x in stack.outputs if x.get('ExportName') == 'boomerang-beacon-lambda'][0]
beacon_arn = output['OutputValue']

# A Lambda target group needs no port, protocol or VPC, only TargetType='lambda'.
response = elb.create_target_group(
  TargetType='lambda',
  Name='public-%s-boomerang-beacon' % environment
)

target_group_arn = response['TargetGroups'][0]['TargetGroupArn']

# This is the call that fails with the AccessDenied error shown above.
elb.register_targets(
  TargetGroupArn=target_group_arn,
  Targets=[
    {
      'Id': beacon_arn
    },
  ]
)

Thanks

Best answer: You have to add a Lambda function permission that allows the elasticloadbalancing principal to invoke your Lambda function.

With CloudFormation, you can add the following resource to make it work.

  LambdaFunctionPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt LambdaTargetFunction.Arn
      Principal: elasticloadbalancing.amazonaws.com
      SourceArn: !Ref TargetGroup

More information about the Lambda AddPermission API is available at: https://docs.aws.amazon.com/lambda/latest/dg/API_AddPermission.html

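The same fix done with boto3 instead of CloudFormation, as an added example that is not the question's script or the answer's template: grant the invoke permission first, scoped to the one target group, then register the target, then create the listener rule. The listener ARN, path pattern and rule priority are hypothetical, the ARNs are constructed, and the in-memory fake client exists only so the sequence can be exercised offline; passing real boto3 clients to attach_lambda_to_alb() performs the same calls against AWS.

```python
"""Register a Lambda target with an ALB target group in the order the API requires.

Added example, not code from the question or the answer. The ARNs below are
constructed and the fake client is a stand-in for a dry run; with real
boto3.client("lambda") / boto3.client("elbv2") objects the function runs for real.
"""
import types

try:  # boto3 is only needed for a real run, not for the dry run
    import boto3
except ImportError:  # pragma: no cover
    boto3 = None

ELB_PRINCIPAL = "elasticloadbalancing.amazonaws.com"

# Constructed sample ARNs (not real resources).
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:boomerang-beacon"
TARGET_GROUP_ARN = ("arn:aws:elasticloadbalancing:us-east-1:123456789012:"
                    "targetgroup/public-dev-boomerang-beacon/0123456789abcdef")
LISTENER_ARN = ("arn:aws:elasticloadbalancing:us-east-1:123456789012:"
                "listener/app/public/0123456789abcdef/fedcba9876543210")  # hypothetical


def attach_lambda_to_alb(lambda_client, elbv2, *, function_arn, target_group_arn,
                         listener_arn, path_pattern, priority):
    """Grant the ALB service principal invoke rights on one target group, register
    the function as that group's target, and forward a listener rule to it.

    RegisterTargets validates that elasticloadbalancing.amazonaws.com may invoke
    the function *from this target group*, so AddPermission has to come first;
    that missing step is exactly what produces the AccessDenied in the question.
    """
    # Deterministic statement id derived from the target group id, so re-running
    # the script does not pile up duplicate statements in the resource policy.
    statement_id = "alb-invoke-" + target_group_arn.rsplit("/", 1)[-1]
    try:
        lambda_client.add_permission(
            FunctionName=function_arn,
            StatementId=statement_id,
            Action="lambda:InvokeFunction",
            Principal=ELB_PRINCIPAL,
            # Least privilege: without SourceArn any ALB target group, in any
            # account, could invoke this function through the ELB principal.
            SourceArn=target_group_arn,
        )
    except lambda_client.exceptions.ResourceConflictException:
        pass  # statement already exists from an earlier run; carry on
    elbv2.register_targets(TargetGroupArn=target_group_arn,
                           Targets=[{"Id": function_arn}])
    rule = elbv2.create_rule(
        ListenerArn=listener_arn,
        Priority=priority,
        Conditions=[{"Field": "path-pattern", "Values": [path_pattern]}],
        Actions=[{"Type": "forward", "TargetGroupArn": target_group_arn}],
    )
    return rule["Rules"][0]["RuleArn"]


class _FakeClient:
    """Constructed stand-in for a boto3 client: records calls, returns canned data."""

    class _Conflict(Exception):
        pass

    def __init__(self, log, conflict_once=False):
        self.log = log
        self._conflict_once = conflict_once
        # Mirrors the real client's client.exceptions.ResourceConflictException.
        self.exceptions = types.SimpleNamespace(ResourceConflictException=self._Conflict)

    def add_permission(self, **kw):
        self.log.append(("add_permission", kw))
        if self._conflict_once:  # simulate a statement left behind by a previous run
            self._conflict_once = False
            raise self._Conflict("The statement id provided already exists")
        return {"Statement": "{}"}

    def register_targets(self, **kw):
        self.log.append(("register_targets", kw))
        return {}

    def create_rule(self, **kw):
        self.log.append(("create_rule", kw))
        return {"Rules": [{"RuleArn": kw["ListenerArn"].replace("listener/", "listener-rule/") + "/1"}]}


def dry_run(conflict_once=False):
    """Run the procedure against fake clients; returns (rule_arn, recorded_calls)."""
    log = []
    rule_arn = attach_lambda_to_alb(
        _FakeClient(log, conflict_once), _FakeClient(log),
        function_arn=FUNCTION_ARN, target_group_arn=TARGET_GROUP_ARN,
        listener_arn=LISTENER_ARN, path_pattern="/beacon/*", priority=10)
    return rule_arn, log


if __name__ == "__main__":
    for op, params in dry_run()[1]:
        print(op, sorted(params))
```

To run it for real, replace the two _FakeClient instances with boto3.client("lambda") and boto3.client("elbv2") and pass the target group ARN returned by create_target_group; the caller needs lambda:AddPermission on the function in addition to the elasticloadbalancing permissions the question's script already uses.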