Zenn
🐥

cloudshellからLambdaの同期呼び出しができない原因と対策

2023/11/06に公開
AWS
Lambda
IAM
Cloud Shell
invoke
tech

課題

cloudshellからLambdaの同期呼び出しができない原因と対策

エラー内容

[cloudshell-user@ip-10-6-66-244 ~]$ aws lambda invoke --function-name hwllopython --invocation-type DryRun --payload '{ "key1": "value1","key2": "value2","key3": "value3" }' --cli-binary-format raw-in-base64-out response.json

Error when retrieving credentials from container-role: Error retrieving metadata: Received non 200 response (500) from ECS metadata: <?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
  <title>500 - Internal Server Error</title>
 </head>
 <body>
  <h1>500 - Internal Server Error</h1>
 </body>
</html>

ユーザーにアタッチしているポリシー

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:RegisterScalableTarget",
                "rds:*",
                "s3:*",
                "logs:*",
                "kms:GetKeyPolicy",
                "iam:ListInstanceProfiles",
                "cloudwatch:PutMetricAlarm",
                "iam:PassRole",
                "iam:CreateServiceLinkedRole",
                "cloudwatch:*",
                "kms:ListAliases",
                "application-autoscaling:PutScalingPolicy",
                "lambda:*",
                "cloudwatch:DescribeAlarms",
                "ec2:*",
                "kms:DescribeKey",
                "iam:CreateRole",
                "iam:CreatePolicy",
                "iam:AttachRolePolicy",
                "cloudshell:CreateEnvironment",
                "cloudshell:GetEnvironmentStatus",
                "cloudshell:GetEnvironmentStatus",
                "cloudshell:CreateSession",
                "cloudshell:StartEnvironment"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DenyCredentialForwarding",
            "Effect": "Deny",
            "Action": [
                "cloudshell:PutCredentials"
            ],
            "Resource": "*"
        }
    ]
}

原因

Actionに"cloudshell:PutCredentials"を追加していないから

解決方法

Actionに"cloudshell:PutCredentials"を追加する。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:RegisterScalableTarget",
                "rds:*",
                "s3:*",
                "logs:*",
                "kms:GetKeyPolicy",
                "iam:ListInstanceProfiles",
                "cloudwatch:PutMetricAlarm",
                "iam:PassRole",
                "iam:CreateServiceLinkedRole",
                "cloudwatch:*",
                "kms:ListAliases",
                "application-autoscaling:PutScalingPolicy",
                "lambda:*",
                "cloudwatch:DescribeAlarms",
                "ec2:*",
                "kms:DescribeKey",
                "iam:CreateRole",
                "iam:CreatePolicy",
                "iam:AttachRolePolicy",
                "cloudshell:CreateEnvironment",
                "cloudshell:GetEnvironmentStatus",
                "cloudshell:GetEnvironmentStatus",
                "cloudshell:CreateSession",
                "cloudshell:StartEnvironment",
                "cloudshell:PutCredentials"
            ],
            "Resource": "*"
        }
    ]
}

結果

通るようになった

[cloudshell-user@ip-10-6-66-244 ~]$ aws lambda invoke --function-name hwllopython --invocation-type DryRun --payload '{ "key1": "value1","key2": "value2","key3": "value3" }' --cli-binary-format raw-in-base64-out response.json
{
    "StatusCode": 204
}

参考文献

あしざわ(2021)「CloudShellを最小権限で起動してみた」(https://dev.classmethod.jp/articles/cloudshell-lanched-minumum-authority/)参照日: 2023年11月6日

Discussion