What is trusted entities in resulting role definit

Published 2019-08-16 09:13

Question:

Below is the SAM template,

Resources:
  HelloWorldFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: hello-world/
      Handler: app.LambdaHandler
      Runtime: nodejs8.10
      Policies:
        - AWSLambdaExecute

for which, below is the role (JSON) created for the Lambda function:

{
  "roleName": "somestack-HelloWorldFunctionRole-AAAAAAAA",
  "policies": [
    {...}, # AWSLambdaExecute
    {...}, # AWSLambdaSQSQueueExecutionRole
    {....} # AWSLambdaBasicExecutionRole
  ],
  "trustedEntities": [
    "lambda.amazonaws.com"
  ]
}

What is trustedEntities in this JSON?

Answer 1:

Trusted entities are the set of entities that can assume this role. If you are creating the function via SAM, the trust relationship between the role created by SAM and the Lambda service in your account will be created automatically, which in turn means that your Lambda function can assume this role.

If you want to assign this role to an EC2 instance, you will not be able to, because your role doesn't trust the EC2 service by default. You would need to modify the trust relationship and include the EC2 service, like this:

"trustedEntities": [
  "lambda.amazonaws.com",
  "ec2.amazonaws.com"
]

This is also useful if you want to create a role that can be assumed across accounts: you can specify another account as a trusted entity so that the other account(s) will be able to assume the role.

And if the trustedEntities list is empty, nobody is able to assume the role.
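The console's "trusted entities" view is a rendering of the role's trust policy (its `AssumeRolePolicyDocument`): the principals named in `Allow` statements for `sts:AssumeRole`. The following is an added example, not code from the question or the answer above. It constructs a trust policy mirroring the one SAM attaches to the generated Lambda role, shows how adding the EC2 service or another account changes who may assume the role, and includes a small audit that flags an empty trust list (nobody can assume) and a wildcard or unconditioned cross-account principal. The evaluator is deliberately simplified: it ignores `Deny` statements and `Condition` blocks, and it is not the real IAM policy engine.

```python
import copy

# Constructed trust policy mirroring what SAM generates for
# HelloWorldFunctionRole: only the Lambda service may assume the role.
# (Example data, not copied from the original post.)
SAM_LAMBDA_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": ["lambda.amazonaws.com"]},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _as_list(value):
    """IAM accepts either a single string or a list in Principal/Action."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _grants_assume(stmt):
    """True if the statement is an Allow for some sts:AssumeRole* action."""
    if stmt.get("Effect") != "Allow":
        return False
    return any(
        a in ("*", "sts:*") or a.startswith("sts:AssumeRole")
        for a in _as_list(stmt.get("Action"))
    )


def trusted_entities(policy):
    """Return the 'trusted entities' list: every principal that an Allow
    sts:AssumeRole statement names (services, account ARNs, federated IdPs)."""
    entities = []
    for stmt in policy.get("Statement", []):
        if not _grants_assume(stmt):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            entities.append("*")
            continue
        for key in ("Service", "AWS", "Federated"):
            for p in _as_list(principal.get(key)):
                if p not in entities:
                    entities.append(p)
    return entities


def can_assume(policy, principal):
    """Simplified check (no Deny, no Condition evaluation): may this
    principal, e.g. 'ec2.amazonaws.com', assume the role?"""
    trusted = trusted_entities(policy)
    return "*" in trusted or principal in trusted


def _with_principal(policy, key, value):
    """Return a copy of the policy with one more Allow sts:AssumeRole statement."""
    new = copy.deepcopy(policy)
    new.setdefault("Statement", []).append(
        {"Effect": "Allow", "Principal": {key: value}, "Action": "sts:AssumeRole"}
    )
    return new


def with_trusted_service(policy, service):
    """Trust an additional AWS service principal (the EC2 case in the answer)."""
    return _with_principal(policy, "Service", service)


def with_trusted_account(policy, account_id):
    """Trust another account (cross-account case in the answer)."""
    return _with_principal(policy, "AWS", f"arn:aws:iam::{account_id}:root")


def trust_findings(policy):
    """Defender's audit of a trust policy: returns human-readable findings."""
    findings = []
    trusted = trusted_entities(policy)
    if not trusted:
        findings.append("no trusted entities: nobody can assume this role")
    if "*" in trusted:
        findings.append("wildcard principal: any AWS principal can attempt to assume this role")
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        if (_grants_assume(stmt) and isinstance(principal, dict)
                and principal.get("AWS") and not stmt.get("Condition")):
            findings.append(
                "cross-account trust without a Condition (e.g. sts:ExternalId): "
                + ", ".join(_as_list(principal["AWS"]))
            )
    return findings


if __name__ == "__main__":
    print(trusted_entities(SAM_LAMBDA_TRUST_POLICY))
    widened = with_trusted_service(SAM_LAMBDA_TRUST_POLICY, "ec2.amazonaws.com")
    print(trusted_entities(widened))
    print(trust_findings(with_trusted_account(widened, "123456789012")))
```

Each `with_*` helper returns a new document rather than mutating the input, so the SAM-generated policy can be compared side by side with the widened one; `trust_findings` is the kind of check worth running over every role in an account before, not after, a cross-account principal is added.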