I have a CDK app in which I create a Sagemaker endpoint using CfnEndpoint
. When I omit the name parameter, CDK generates me a unique one which is great.
我有一个CDK应用程序,其中我使用CfnEndpoint创建了一个Sagemaker端点。当我省略name参数时,CDK会为我生成一个非常棒的唯一参数。
const endpoint = new CfnEndpoint(this, "Endpoint", {
endpointConfigName: endpointConfig.attrEndpointConfigName,
});
The problem comes when I want to grant something permissions to invoke the endpoint in another stack. I want to grant a lambda function permissions to invoke just that endpoint and not others, so I would usually do something like:
当我想授予某些权限来调用另一个堆栈中的端点时,问题就出现了。我想授予一个lambda函数只调用该端点而不调用其他端点的权限,所以我通常会这样做:
myFunction.addToRolePolicy(new PolicyStatement({
effect: Effect.ALLOW,
actions: ['sagemaker:InvokeEndpoint'],
resources: [Stack.of(this).formatArn({
service: 'sagemaker',
resource: 'endpoint',
resourceName: endpoint.attrEndpointName, // <- reference the endpoint name from another stack
})],
}));
The problem is that when I do this, the arn resolves with a mixed case endpoint name:
问题是,当我这样做时,ARN使用大小写混合的端点名称进行解析:
arn:aws:sagemaker:ap-southeast-2:012345678910:endpoint/Endpoint3015B993-FcX1jFxPQKeE
Arn:aws:sagemaker:ap-southeast-2:012345678910:endpoint/Endpoint3015B993-FcX1jFxPQKeE
And my lambda is not granted the appropriate permissions, as the name needs to be completely lowercase to do this.
而且我的lambda没有被授予适当的权限,因为名称需要完全小写才能做到这一点。
I've also tried using the Fn::Transform
CloudFormation macro like so:
我还尝试使用FN::Transform CloudForformation宏,如下所示:
myFunction.addToRolePolicy(new PolicyStatement({
effect: Effect.ALLOW,
actions: ['sagemaker:InvokeEndpoint'],
resources: [Stack.of(this).formatArn({
service: 'sagemaker',
resource: 'endpoint',
resourceName: Fn.transform('String', {
Operation: "Lower",
InputString: endpoint.attrEndpointName,
}),
})],
}));
But this throws an error when I attempt to deploy:
但这在我尝试部署时抛出了一个错误:
Error: Failed to create ChangeSet cdk-deploy-change-set on MyStack: FAILED, The value of parameter InputString under transform String must resolve to a string, number, boolean or a list of any of these.
It sounds like that transform only works on static values or cloudformation inputs.
听起来,该转换只对静态值或CloudForment输入有效。
Does anyone know a way I can construct an arn with a lowercase endpoint name?
有谁知道我可以用小写的端点名称构造ARN的方法吗?
I don't really want to hardcode a name for my endpoint, and a custom resource lambda feels like overkill, but I suppose either of those would sort it.
我真的不想为我的端点硬编码一个名称,定制资源lambda感觉有点矫枉过正,但我想这两个都可以解决这个问题。
更多回答
Here's something that works, but feels overkill with a lambda function:
下面是一些有用的东西,但使用lambda函数感觉有点过头了:
const endpointArnCustomResource = new CustomResource(this, "EndpointArnCustomResource", {
properties: {
endpointArn: Stack.of(this).formatArn({
service: "sagemaker",
resource: "endpoint",
resourceName: endpoint.attrEndpointName,
}),
},
serviceToken: new Provider(this, "EndpointArnProvider", {
onEventHandler: new Function(this, "EndpointArnFunction", {
runtime: Runtime.NODEJS_18_X,
handler: "index.handler",
code: Code.fromInline(`exports.handler = async (event) => {
return {
PhysicalResourceId: event.PhysicalResourceId,
Data: {
endpointArn: event.ResourceProperties.endpointArn.toLowerCase(),
},
};
}`)
}),
}).serviceToken,
});
// This has the endpoint arn in lowercase
const endpointArn = endpointArnCustomResource.getAttString("endpointArn");
更多回答
I too ended up using a custom resource and a lambda. According to this offhand github issue comment, deploy-time values cannot be lowercased through other means: github.com/aws/aws-cdk/issues/18802#issuecomment-1028414189
我最终也使用了一个定制资源和一个lambda。根据这条即兴发布的GitHub问题评论,部署时的值不能通过其他方式降低:github.com/aws/aws-cdk/issues/18802#issuecomment-1028414189
我是一名优秀的程序员,十分优秀!