Why synchronous Lambda invocation fails from CloudShell, and how to fix it
Problem
Invoking a Lambda function synchronously from CloudShell fails.
Error output
[cloudshell-user@ip-10-6-66-244 ~]$ aws lambda invoke --function-name hwllopython --invocation-type DryRun --payload '{ "key1": "value1","key2": "value2","key3": "value3" }' --cli-binary-format raw-in-base64-out response.json
Error when retrieving credentials from container-role: Error retrieving metadata: Received non 200 response (500) from ECS metadata: <?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>500 - Internal Server Error</title>
</head>
<body>
<h1>500 - Internal Server Error</h1>
</body>
</html>
Policy attached to the user
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:RegisterScalableTarget",
                "rds:*",
                "s3:*",
                "logs:*",
                "kms:GetKeyPolicy",
                "iam:ListInstanceProfiles",
                "cloudwatch:PutMetricAlarm",
                "iam:PassRole",
                "iam:CreateServiceLinkedRole",
                "cloudwatch:*",
                "kms:ListAliases",
                "application-autoscaling:PutScalingPolicy",
                "lambda:*",
                "cloudwatch:DescribeAlarms",
                "ec2:*",
                "kms:DescribeKey",
                "iam:CreateRole",
                "iam:CreatePolicy",
                "iam:AttachRolePolicy",
                "cloudshell:CreateEnvironment",
                "cloudshell:GetEnvironmentStatus",
                "cloudshell:GetEnvironmentStatus",
                "cloudshell:CreateSession",
                "cloudshell:StartEnvironment"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DenyCredentialForwarding",
            "Effect": "Deny",
            "Action": [
                "cloudshell:PutCredentials"
            ],
            "Resource": "*"
        }
    ]
}
Cause
"cloudshell:PutCredentials" is not allowed in Action. CloudShell uses this action to forward the console user's credentials into the shell environment, and the attached policy explicitly denies it (the DenyCredentialForwarding statement), so the container credential endpoint answers with the 500 shown above.
Fix
Add "cloudshell:PutCredentials" to Action (the DenyCredentialForwarding statement that denied it is removed as well).
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:RegisterScalableTarget",
                "rds:*",
                "s3:*",
                "logs:*",
                "kms:GetKeyPolicy",
                "iam:ListInstanceProfiles",
                "cloudwatch:PutMetricAlarm",
                "iam:PassRole",
                "iam:CreateServiceLinkedRole",
                "cloudwatch:*",
                "kms:ListAliases",
                "application-autoscaling:PutScalingPolicy",
                "lambda:*",
                "cloudwatch:DescribeAlarms",
                "ec2:*",
                "kms:DescribeKey",
                "iam:CreateRole",
                "iam:CreatePolicy",
                "iam:AttachRolePolicy",
                "cloudshell:CreateEnvironment",
                "cloudshell:GetEnvironmentStatus",
                "cloudshell:GetEnvironmentStatus",
                "cloudshell:CreateSession",
                "cloudshell:StartEnvironment",
                "cloudshell:PutCredentials"
            ],
            "Resource": "*"
        }
    ]
}
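To check a policy for this mistake before attaching it, here is a small offline evaluator (an added example, not code from the original post) that applies IAM's deny-overrides ordering to the two policies above. The policy dicts are trimmed reconstructions of the page's policies, and Resource, Condition and NotAction are deliberately not evaluated.

```python
import fnmatch
# Constructed policies: the Allow list is trimmed to the actions that matter
# here; the Deny statement is the one the page shows before the fix.
POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
         "Action": ["lambda:*", "cloudshell:CreateEnvironment",
                    "cloudshell:GetEnvironmentStatus",
                    "cloudshell:CreateSession", "cloudshell:StartEnvironment"]},
        {"Sid": "DenyCredentialForwarding", "Effect": "Deny", "Resource": "*",
         "Action": ["cloudshell:PutCredentials"]},
    ],
}
# Fixed policy: Deny statement dropped, PutCredentials added to the Allow list.
POLICY_AFTER = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
         "Action": POLICY_BEFORE["Statement"][0]["Action"]
                   + ["cloudshell:PutCredentials"]},
    ],
}
# Actions a console CloudShell session needs, including credential forwarding.
CLOUDSHELL_ACTIONS = POLICY_AFTER["Statement"][0]["Action"][1:]

def _action_matches(pattern, action):
    # IAM action names are case-insensitive; patterns may use * and ?.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def evaluate(policy, action):
    """Return 'explicitDeny', 'allow' or 'implicitDeny' for one action,
    applying IAM's rule that a matching Deny beats every Allow.
    Simplification: Resource, Condition and NotAction are not evaluated
    (both policies here use Resource "*" with no Condition)."""
    decision = "implicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if not any(_action_matches(p, action) for p in actions):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"  # stop: no Allow can override this
        decision = "allow"
    return decision

def missing_cloudshell_actions(policy):
    """CloudShell actions the session needs that the policy does not allow."""
    return [a for a in CLOUDSHELL_ACTIONS if evaluate(policy, a) != "allow"]
```

Running `missing_cloudshell_actions(POLICY_BEFORE)` reports `['cloudshell:PutCredentials']`, while the fixed policy reports nothing missing.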
Result
The invocation now goes through.
[cloudshell-user@ip-10-6-66-244 ~]$ aws lambda invoke --function-name hwllopython --invocation-type DryRun --payload '{ "key1": "value1","key2": "value2","key3": "value3" }' --cli-binary-format raw-in-base64-out response.json
{
"StatusCode": 204
}