Question
I am trying to invoke a lambda function from an iOS client. My code looks like this:
To get credentials, in appDelegate:
    func application(_ application: UIApplication,
                     didFinishLaunchingWithOptions launchOptions:
                     [UIApplicationLaunchOptionsKey: Any]?) -> Bool {
        // Uncomment to turn on logging, look for "Welcome to AWS!" to confirm success
        AWSDDLog.add(AWSDDTTYLogger.sharedInstance)
        AWSDDLog.sharedInstance.logLevel = .error
        // Instantiate AWSMobileClient to get AWS user credentials
        return AWSMobileClient.sharedInstance().interceptApplication(application, didFinishLaunchingWithOptions: launchOptions)
    }
And to invoke on the viewController:
    class ViewController: UIViewController {
        let lambdaInvoker = AWSLambdaInvoker.default()
        let jsonObject: [String: Any] = ["key1" : "value1",
                                         "key2" : 2,
                                         "key3" : [1, 2],
                                         "isError" : false]

        @IBAction func button(_ sender: Any) {
            print("pressed")
            lambdaInvoker.invokeFunction("myTest", jsonObject: jsonObject)
                .continueWith(block: {(task:AWSTask<AnyObject>) -> Any? in
                    if( task.error != nil) {
                        print("Error: \(task.error!)")
                        return nil
                    }
                    // Handle response in task.result
                    if let JSONDictionary = task.result as? NSDictionary {
                        print("Result: \(JSONDictionary)")
                        print("resultKey: \(JSONDictionary["resultKey"])")
                    }
                    return nil
                })
        }
    }
It throws this error:
... Message=User: arn:aws:sts::103314601078:assumed-role/Cognito_testpoolUnauth_Role/CognitoIdentityCredentials is not authorized to perform: lambda:InvokeFunction on resource ...
I also have this role set up:
    {
      "roleName": "myRoleTest",
      "policies": [
        {
          "document": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Sid": "Stmt1464440182000",
                "Effect": "Allow",
                "Action": [
                  "lambda:InvokeAsync",
                  "lambda:InvokeFunction"
                ],
                "Resource": [
                  "*"
                ]
              }
            ]
          }
        }
      ]
    }
I know I need to add permissions for that resource to invoke the function, but I can't find where or how to do it! I'd appreciate any help...
Answer 1:
Ok, I don't know if this will be useful to anyone but I solved the issue. It turns out that to use the AWS SDK properly first you need to create an identity pool. I did all that, as you can see, and added the pool id and region to the configuration file. What I missed is that you also need to add permissions to the identity pool to use the lambda services.
So, once the identity pool is created you will have two new roles, one auth and one unauth. You should go to the IAM console, roles, locate the role in question (in my case unauth) and modify the policy to something like this:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "mobileanalytics:PutEvents",
            "cognito-sync:*"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "lambda:invokefunction"
          ],
          "Resource": [
            "arn:aws:lambda:us-east-1:account-id:function:yourFunctionName"
          ]
        }
      ]
    }
After this, your resource should be able to invoke the lambda function.
If this is not the best way please point it out!
EDIT:
There is actually a managed policy called AWS Lambda Role that will let you invoke with no problems.
Source: https://stackoverflow.com/questions/52214407/cognitoidentitycredentials-is-not-authorized-to-perform-lambdainvokefunction-o
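The following is an added example, not code from the question or the answer: a small offline check that reads a role's policy document and reports whether it grants lambda:InvokeFunction on a given function, and whether that grant is a wildcard rather than one function ARN. The unauthenticated role is handed to every guest identity of the pool, so the scoped resource in the answer is the form to prefer. The function names, the `BEFORE_FIX` policy and the simplified matching (Deny, NotAction, NotResource and Condition are not evaluated) are assumptions of this example.

```python
import fnmatch

def _as_list(value):
    """IAM accepts a single string wherever a list is allowed."""
    return value if isinstance(value, list) else [value]

def invoke_grants(policy, action="lambda:InvokeFunction"):
    """Resource patterns of Allow statements whose Action covers `action`.

    Action names are matched case-insensitively, with wildcards.
    Simplification: Deny, NotAction, NotResource and Condition are ignored.
    """
    grants = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            grants.extend(_as_list(stmt.get("Resource", [])))
    return grants

def review(policy, function_arn):
    """Say whether `policy` lets the role invoke `function_arn`, and which
    granting resources are wildcards instead of a single function."""
    grants = invoke_grants(policy)
    return {
        "allows_invoke": any(fnmatch.fnmatchcase(function_arn, g) for g in grants),
        "overbroad": [g for g in grants if g == "*" or g.endswith(":function:*")],
    }

# Policies transcribed from the page; the ARN keeps the page's placeholders.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:account-id:function:yourFunctionName"
# Constructed: the answer's policy without its Lambda statement (failing state).
BEFORE_FIX = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["mobileanalytics:PutEvents", "cognito-sync:*"],
     "Resource": ["*"]}]}
ANSWER_POLICY = {"Version": "2012-10-17", "Statement": BEFORE_FIX["Statement"] + [
    {"Effect": "Allow", "Action": ["lambda:invokefunction"],
     "Resource": [FUNCTION_ARN]}]}
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["lambda:InvokeAsync", "lambda:InvokeFunction"],
     "Resource": ["*"]}]}

if __name__ == "__main__":
    for name, doc in [("before fix", BEFORE_FIX), ("answer", ANSWER_POLICY),
                      ("question", QUESTION_POLICY)]:
        print(name, review(doc, FUNCTION_ARN))
```

Run it against the policy document actually attached to the role named in the error message; a policy attached to a different role has no effect on the Cognito credentials.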