serverless - How to add multiple files to iamRoleStatements?

Problem description

In my serverless.yml file, I want to be able to add iamRoleStatements from two different files (this cannot change). So I tried doing it like this:

provider:
  iamRoleStatements:
    - ${file(__environments.yml):dev.iamRoleStatements, ''}
    - ${file(custom.yml):provider.iamRoleStatements, ''}

Each of these files has an iamRoleStatements section.

__environments.yml:

dev:
  iamRoleStatements:
    - Effect: 'Allow'
      Action: 'execute-api:Invoke'
      Resource: '*'

custom.yml:

provider:
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - lambda:InvokeFunction
      Resource:
        - "*"

Individually, each of them works great. But when I try to run sls deploy with both of them, I encounter the following error:

iamRoleStatements should be an array of objects, where each object has Effect, Action/NotAction, Resource/NotResource fields. Specifically, statement 0 is missing the following properties: Effect, Action/NotAction, Resource/NotResource; statement 1 is missing the following properties: Effect, Action/NotAction, Resource/NotResource

I searched online and this appears to work for other sections of the serverless file such as resources:

# This works perfectly well.
resources: 
  - ${file(custom.yml):resources, ''}
  - ${file(__environments.yml):resources, ''}

So I wonder if there is any solution to this or if it is something that is not currently supported by the Serverless Framework.

Thanks for your help.

Solution

You're going to have to jump through a few hoops to get there.

File Merge Limitations

The serverless framework allows file imports anywhere in the configuration but only merges resources and functions sections.

Your example:

provider:
  iamRoleStatements: 
    - ${file(__environments.yml):dev.iamRoleStatements, ''}
    - ${file(custom.yml):provider.iamRoleStatements, ''}

Results in an array of arrays like this:

{
  "provider": {
    "iamRoleStatements": [
      [
        {
          "Effect": "Allow",
          "Action": "execute-api:Invoke",
          "Resource": "*"
        }
      ],
      [
        {
          "Effect": "Allow",
          "Action": [
            "lambda:InvokeFunction"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    ]
  }
}

You might be able to submit a very small pull request to rectify this.

IAM Managed Policies using References

It might be possible to define each of your IAM roles as custom resources, and use the iamManagedPolicies provider config to point to each of those resources. Something like:

provider:
    name: aws
    iamManagedPolicies:
        - Ref: DevIamRole
        - Ref: CustomIamRole

resources:
    - ${file(__environments.yml):resources, ''}
    - ${file(custom.yml):resources, ''}

Of course you'd need to change the structure of those two files to be AWS::IAM::Role resources.

Custom IAM Role

The framework also gives you the option to take complete control, which is fully documented.

I hope this helps.
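The array-of-arrays result described in the answer, and why it triggers the error from the question, as an added example that is not part of the original post or of the Serverless Framework's code. The helper names (`missingFields`, `mergeStatements`, `validate`) are hypothetical, the required-field groups are taken from the quoted error message, and the sample statements are constructed from the two files in the question.

```javascript
// Added example: hypothetical helpers, not Serverless Framework code.
// Required field groups, as named in the error message from the question.
const REQUIRED = [
  ['Effect'],
  ['Action', 'NotAction'],
  ['Resource', 'NotResource'],
];

// List the field groups one statement lacks. Anything that is not a plain
// object (for example a nested array) lacks all of them.
function missingFields(statement) {
  const isObject =
    statement !== null && typeof statement === 'object' && !Array.isArray(statement);
  return REQUIRED
    .filter((group) => !isObject || !group.some((key) => key in statement))
    .map((group) => group.join('/'));
}

// Flatten one level so each imported list contributes its statements
// directly; the '' fallback of a missing file is dropped.
function mergeStatements(...imports) {
  return imports
    .filter((item) => item !== '' && item != null)
    .flatMap((item) => (Array.isArray(item) ? item : [item]));
}

// Return one entry per incomplete statement; an empty array means valid.
function validate(statements) {
  return statements
    .map((statement, index) => ({ index, missing: missingFields(statement) }))
    .filter((result) => result.missing.length > 0);
}

// Constructed sample input: the two lists from the question, already parsed.
const devStatements = [
  { Effect: 'Allow', Action: 'execute-api:Invoke', Resource: '*' },
];
const customStatements = [
  { Effect: 'Allow', Action: ['lambda:InvokeFunction'], Resource: ['*'] },
];

// Shape produced by the two list entries in serverless.yml.
const nested = [devStatements, customStatements];
// Shape the validation expects: one flat list of statement objects.
const merged = mergeStatements(devStatements, customStatements);

console.log(JSON.stringify(validate(nested), null, 2));
console.log(JSON.stringify(validate(merged), null, 2));
```

Exported from a JavaScript file, the merged list could be pulled into provider.iamRoleStatements with a single ${file(...)} reference instead of two list entries; that wiring is an assumption and is not shown on the page.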


10-11 07:27