amazon-web-services - AWS API 网关无法执行 lambda？

Question

所以在 AWS 中，我有一个可以直接从控制台执行的 lambda。但是，当我执行 API 网关时出现此错误。

{
  "message": "Internal server error"
}


Execution log for request 799250bf-2589-11e9-8e14-6396967e56cf
Thu Jan 31 18:53:19 UTC 2019 : Starting execution for request: 799250bf-2589-11e9-8e14-6396967e56cf
Thu Jan 31 18:53:19 UTC 2019 : HTTP Method: GET, Resource Path: /ComputePi
Thu Jan 31 18:53:19 UTC 2019 : Method request path: {}
Thu Jan 31 18:53:19 UTC 2019 : Method request query string: {}
Thu Jan 31 18:53:19 UTC 2019 : Method request headers: {}
Thu Jan 31 18:53:19 UTC 2019 : Method request body before transformations: 
Thu Jan 31 18:53:19 UTC 2019 : Execution failed due to configuration error: API Gateway does not have permission to assume the provided role arn:aws:iam::061753407487:role/cloudformation-lambda-execution-role
Thu Jan 31 18:53:19 UTC 2019 : Method completed with status: 500

我更新了我的 IAM 角色以获得访问权限，但仍然不起作用？看起来它需要在云形成本身中完成，但不确定在哪里？

这是我的 SAM 文件:

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Outputs Pi
Resources:
  ComputePi:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs6.10
      CodeUri: ./lambdaCode
      Events:
        MyTimeApi:
          Type: Api
          Properties:
            Path: /ComputePi
            Method: GET

这是我的构建规范:

version: 0.2
phases:
  install:
    commands:
      - aws cloudformation package --template-file samTemplate.yaml --kms-key-id eee5fba0-67fe-4def-b0be-7bb5d9ef38ef --s3-bucket codepipeline-us-east-2-588194207253 --output-template-file outputSamTemplate.yaml
artifacts:
  type: zip
  files:
    - samTemplate.yaml
    - outputSamTemplate.yaml

更新:

我已经将我的 samTemplate 更新为如下所示。我仍然遇到错误。

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Outputs Pi
Resources:
  ComputePi:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs6.10
      CodeUri: ./lambdaCode
      Events:
        MyTimeApi:
          Type: Api
          Properties:
            Path: /ComputePi
            Method: GET
  LambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref ComputePi
      Principal: apigateway.amazonaws.com
      SourceArn:
        Fn::Join:
          - ''
          - - 'arn:aws:execute-api:'
          - Ref: AWS::Region
          - ":"
          - Ref: AWS::AccountId
          - ":"
          - Ref: API
          - "/*/*/*"

错误:

Execution log for request 0e2aa0c7-25ba-11e9-9f42-2583dd87218f
Fri Feb 01 00:41:04 UTC 2019 : Starting execution for request: 0e2aa0c7-25ba-11e9-9f42-2583dd87218f
Fri Feb 01 00:41:04 UTC 2019 : HTTP Method: GET, Resource Path: /ComputePi
Fri Feb 01 00:41:04 UTC 2019 : Method request path: {}
Fri Feb 01 00:41:04 UTC 2019 : Method request query string: {}
Fri Feb 01 00:41:04 UTC 2019 : Method request headers: {}
Fri Feb 01 00:41:04 UTC 2019 : Method request body before transformations: 
Fri Feb 01 00:41:04 UTC 2019 : Execution failed due to configuration error: API Gateway does not have permission to assume the provided role arn:aws:iam::061753407487:role/cloudformation-lambda-execution-role
Fri Feb 01 00:41:04 UTC 2019 : Method completed with status: 500

更新:

在添加 LambdaPermission、删除我的堆栈，然后更改我的 lambda 代码中的响应后，我让它开始工作。

let response = {
        "statusCode": 200,
        "headers": {},
        "body": pi * 4,
        "isBase64Encoded": false
    };

Answer 1

您需要为 API 网关提供对“lambda:InvokeFunction”的访问权限。您可以将以下政策附加到您的模板:

LambdaPermission:
  Type: "AWS::Lambda::Permission"
  Properties:
    Action: lambda:InvokeFunction
    FunctionName: !Ref YourLambda
    Principal: apigateway.amazonaws.com    
    SourceArn:
      Fn::Join:
      - ''
      - - 'arn:aws:execute-api:'
        - Ref: AWS::Region
        - ":"
        - Ref: AWS::AccountId
        - ":"
        - Ref: YourAPI
        - "/*/*/*"