
Permissions

This page lists the permissions Remotion Lambda requires and explains, for those interested, why each of them is necessary.

For a step-by-step walkthrough of setting up the permissions, see the setup guide.

User permissions

This policy should be attached to an AWS user. To do so, go to the AWS console ➞ IAM ➞ Users ➞ the Remotion user you created ➞ Permissions tab ➞ Add inline policy ➞ JSON. Equivalently, from the AWS CLI, save the JSON below to a file and run `aws iam put-user-policy --user-name <your-remotion-user> --policy-name <any-name> --policy-document file://user-policy.json`.

Full user permissions JSON file for the latest Remotion Lambda version:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "HandleQuotas",
      "Effect": "Allow",
      "Action": [
        "servicequotas:GetServiceQuota",
        "servicequotas:GetAWSDefaultServiceQuota",
        "servicequotas:RequestServiceQuotaIncrease",
        "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "PermissionValidation",
      "Effect": "Allow",
      "Action": [
        "iam:SimulatePrincipalPolicy"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "LambdaInvokation",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/remotion-lambda-role"
      ]
    },
    {
      "Sid": "Storage",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:PutObjectAcl",
        "s3:PutObject",
        "s3:CreateBucket",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:PutBucketAcl",
        "s3:DeleteBucket",
        "s3:PutBucketOwnershipControls",
        "s3:PutBucketPublicAccessBlock",
        "s3:PutLifecycleConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::remotionlambda-*"
      ]
    },
    {
      "Sid": "BucketListing",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "FunctionListing",
      "Effect": "Allow",
      "Action": [
        "lambda:ListFunctions",
        "lambda:GetFunction"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "FunctionManagement",
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeAsync",
        "lambda:InvokeFunction",
        "lambda:CreateFunction",
        "lambda:DeleteFunction",
        "lambda:PutFunctionEventInvokeConfig",
        "lambda:PutRuntimeManagementConfig",
        "lambda:TagResource"
      ],
      "Resource": [
        "arn:aws:lambda:*:*:function:remotion-render-*"
      ]
    },
    {
      "Sid": "LogsRetention",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:PutRetentionPolicy"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/lambda/remotion-render-*"
      ]
    },
    {
      "Sid": "FetchBinaries",
      "Effect": "Allow",
      "Action": [
        "lambda:GetLayerVersion"
      ],
      "Resource": [
        "arn:aws:lambda:*:678892195805:layer:remotion-binaries-*",
        "arn:aws:lambda:*:580247275435:layer:LambdaInsightsExtension*"
      ]
    }
  ]
}
```
Info: You can obtain the policy file matching your installed Remotion Lambda version by running `npx remotion lambda policies user`.
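The policy above is deliberately scoped: every write action is pinned to a `remotionlambda-*` bucket, a `remotion-render-*` function or the single `remotion-lambda-role`, and the statements on `Resource: "*"` are read/list calls that AWS cannot scope further. Below is an added example, not Remotion's code, of a static audit that checks those properties on any IAM policy document: it flags wildcard actions, write actions granted on `*`, and an `iam:PassRole` that is not pinned to one role (the classic escalation: pass an admin role to a function you control). The embedded policy is a constructed excerpt of the user policy on this page; the only finding it produces is the `servicequotas:RequestServiceQuotaIncrease` write on `*`, which the page attributes to the `lambda quotas` command, so you know which statement to drop if you never use that command.

```javascript
// Added example, not Remotion's code: static audit of an IAM policy document.
// Reports (1) wildcard action names, (2) write actions granted on Resource "*",
// (3) an iam:PassRole whose resource is not a single named role.

// Constructed excerpt of the user policy from this page; the real file lists
// more actions per statement, which does not change the audit result.
const USER_POLICY = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "HandleQuotas", Effect: "Allow",
      Action: ["servicequotas:GetServiceQuota", "servicequotas:RequestServiceQuotaIncrease"],
      Resource: ["*"] },
    { Sid: "PermissionValidation", Effect: "Allow",
      Action: ["iam:SimulatePrincipalPolicy"], Resource: ["*"] },
    { Sid: "LambdaInvokation", Effect: "Allow",
      Action: ["iam:PassRole"], Resource: ["arn:aws:iam::*:role/remotion-lambda-role"] },
    { Sid: "Storage", Effect: "Allow",
      Action: ["s3:PutObject", "s3:PutBucketAcl", "s3:DeleteBucket"],
      Resource: ["arn:aws:s3:::remotionlambda-*"] },
    { Sid: "FunctionListing", Effect: "Allow",
      Action: ["lambda:ListFunctions", "lambda:GetFunction"], Resource: ["*"] },
    { Sid: "FunctionManagement", Effect: "Allow",
      Action: ["lambda:CreateFunction", "lambda:InvokeFunction", "lambda:DeleteFunction"],
      Resource: ["arn:aws:lambda:*:*:function:remotion-render-*"] },
  ],
};

// Verb prefixes that only read state; every other verb is treated as a write.
const READ_ONLY_VERBS = ["Get", "List", "Describe", "Simulate"];

const asList = (v) => (Array.isArray(v) ? v : [v]);

function isReadOnly(action) {
  const verb = action.split(":")[1] || "";
  return READ_ONLY_VERBS.some((prefix) => verb.startsWith(prefix));
}

// True when a PassRole resource lets the principal pass any role.
function passRoleUnpinned(resource) {
  return resource === "*" || /:role\/\*$/.test(resource) || !resource.includes(":role/");
}

// Returns findings as {sid, action, problem}; an empty array means clean.
function auditPolicy(policy) {
  const findings = [];
  for (const st of policy.Statement) {
    if (st.Effect !== "Allow") continue;
    const resources = asList(st.Resource);
    for (const action of asList(st.Action)) {
      if (action.includes("*")) {
        findings.push({ sid: st.Sid, action, problem: "wildcard in action" });
      }
      if (resources.includes("*") && !isReadOnly(action)) {
        findings.push({ sid: st.Sid, action, problem: "write action on Resource *" });
      }
      if (action === "iam:PassRole" && resources.some(passRoleUnpinned)) {
        findings.push({ sid: st.Sid, action, problem: "iam:PassRole not pinned to one role" });
      }
    }
  }
  return findings;
}

// A deliberately loosened copy: PassRole widened to every role in the account.
function loosenPassRole(policy) {
  const copy = JSON.parse(JSON.stringify(policy));
  copy.Statement.find((s) => s.Sid === "LambdaInvokation").Resource = ["arn:aws:iam::*:role/*"];
  return copy;
}

console.log("page policy:", auditPolicy(USER_POLICY));
console.log("widened PassRole:", auditPolicy(loosenPassRole(USER_POLICY)));
```

Run it with `node audit.js` against the JSON you actually attached (load it with `JSON.parse` in place of the excerpt). The read-only verb list is a heuristic, so treat a finding as something to look at rather than an automatic failure; the point is that any new write on `*` or any widening of `iam:PassRole` becomes visible before the policy is attached.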

Role permissions

This policy should be attached to the role `remotion-lambda-role` in your AWS account. The following permissions are granted to the Lambda function itself.

To assign it, go to the AWS console ➞ IAM ➞ Roles ➞ remotion-lambda-role ➞ Permissions tab ➞ Add inline policy. Equivalently, from the AWS CLI: `aws iam put-role-policy --role-name remotion-lambda-role --policy-name <any-name> --policy-document file://role-policy.json`.

Full role permissions JSON file for the latest Remotion Lambda version:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "0",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "1",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:ListBucket",
        "s3:PutBucketAcl",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:PutObjectAcl",
        "s3:PutObject",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::remotionlambda-*"
      ]
    },
    {
      "Sid": "2",
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeFunction"
      ],
      "Resource": [
        "arn:aws:lambda:*:*:function:remotion-render-*"
      ]
    },
    {
      "Sid": "3",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/lambda-insights"
      ]
    },
    {
      "Sid": "4",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/lambda/remotion-render-*",
        "arn:aws:logs:*:*:log-group:/aws/lambda-insights:*"
      ]
    }
  ]
}
```
Info: You can obtain the policy file matching your installed Remotion Lambda version by running `npx remotion lambda policies role`.

Validation

There are two ways to test whether the user permissions have been set up correctly. You can run the following command:

```bash
npx remotion lambda policies validate
```

Or, if you want to validate programmatically, use the simulatePermissions() function.

Info: The role's policy cannot be validated this way.
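Because the validator above only covers the user, the role's scoping has to be checked another way. AWS's own simulator can still be pointed at the role from the AWS CLI, since the user policy grants `iam:SimulatePrincipalPolicy` on `*`: `aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::<account-id>:role/remotion-lambda-role --action-names s3:PutObject --resource-arns arn:aws:s3:::remotionlambda-example/out.mp4` (the bucket name here is a placeholder). For an offline check, below is an added example, not Remotion's code, of a minimal evaluator for the Allow-only role policy: it implements IAM's `*`/`?` wildcard matching for action names and resource ARNs and answers "may this role do X to Y?". The embedded policy is a constructed excerpt of the role policy on this page; the account ID and function name in the queries are made up. It models only Allow statements with no Deny, no Condition keys and no bucket policies, all of which the real evaluator also applies.

```javascript
// Added example, not Remotion's code: offline evaluator for an Allow-only IAM
// policy, used here to confirm what remotion-lambda-role can and cannot touch.

// Constructed excerpt of the role policy from this page.
const ROLE_POLICY = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "0", Effect: "Allow", Action: ["s3:ListAllMyBuckets"], Resource: ["*"] },
    { Sid: "1", Effect: "Allow",
      Action: ["s3:CreateBucket", "s3:ListBucket", "s3:PutBucketAcl", "s3:GetObject",
               "s3:DeleteObject", "s3:PutObjectAcl", "s3:PutObject", "s3:GetBucketLocation"],
      Resource: ["arn:aws:s3:::remotionlambda-*"] },
    { Sid: "2", Effect: "Allow", Action: ["lambda:InvokeFunction"],
      Resource: ["arn:aws:lambda:*:*:function:remotion-render-*"] },
    { Sid: "4", Effect: "Allow", Action: ["logs:CreateLogStream", "logs:PutLogEvents"],
      Resource: ["arn:aws:logs:*:*:log-group:/aws/lambda/remotion-render-*"] },
  ],
};

const asList = (v) => (Array.isArray(v) ? v : [v]);

// IAM wildcards: "*" matches any run of characters (including "/", which is why
// one bucket pattern also covers every object in the bucket), "?" one character.
// Action names match case-insensitively, resource ARNs case-sensitively.
function wildcardMatch(pattern, value, ignoreCase) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${re}$`, ignoreCase ? "i" : "").test(value);
}

// Allowed iff some Allow statement matches both the action and the resource.
function isAllowed(policy, action, resource) {
  return policy.Statement.some(
    (st) =>
      st.Effect === "Allow" &&
      asList(st.Action).some((a) => wildcardMatch(a, action, true)) &&
      asList(st.Resource).some((r) => wildcardMatch(r, resource, false)),
  );
}

// Hypothetical ARNs: account 123456789012 and the function name are made up.
const RENDER_FN = "arn:aws:lambda:us-east-1:123456789012:function:remotion-render-example";

// The prefix scoping is what keeps a compromised render function (for example
// one rendering attacker-controlled content) out of the rest of the account.
function roleCapabilities() {
  return {
    writeOwnBucket:   isAllowed(ROLE_POLICY, "s3:PutObject", "arn:aws:s3:::remotionlambda-abc/out.mp4"),
    writeOtherBucket: isAllowed(ROLE_POLICY, "s3:PutObject", "arn:aws:s3:::corp-backups/out.mp4"),
    invokeSelf:       isAllowed(ROLE_POLICY, "lambda:InvokeFunction", RENDER_FN),
    deleteSelf:       isAllowed(ROLE_POLICY, "lambda:DeleteFunction", RENDER_FN),
    passRole:         isAllowed(ROLE_POLICY, "iam:PassRole", "arn:aws:iam::123456789012:role/Admin"),
  };
}

console.log(roleCapabilities());
```

The expected picture is that the role can write to its own `remotionlambda-*` buckets and invoke other `remotion-render-*` functions, but cannot write to any other bucket, delete functions, or pass roles; a result that differs from that after you edit the role policy is the signal to look again.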

Explanation

The following tables detail why Remotion Lambda needs the permissions it requests.

User policy

| Permission | Scope | Reason |
|---|---|---|
| iam:SimulatePrincipalPolicy | * | Allows running `npx remotion lambda policies validate`. |
| iam:PassRole | arn:aws:iam::*:role/remotion-lambda-role | Allows the user to pass `remotion-lambda-role` to the Lambda function when it is created, so the function executes with that role's permissions. |
| s3:GetObject, s3:DeleteObject, s3:PutObjectAcl, s3:PutObject, s3:CreateBucket, s3:ListBucket, s3:GetBucketLocation, s3:PutBucketAcl, s3:DeleteBucket, s3:PutBucketOwnershipControls, s3:PutBucketPublicAccessBlock, s3:PutLifecycleConfiguration | arn:aws:s3:::remotionlambda-* | Allows creating and deleting buckets and objects in your account, making objects public and configuring them as a website; s3:PutLifecycleConfiguration additionally allows setting lifecycle (expiration) rules on the bucket. Only buckets whose names start with `remotionlambda-` can be accessed. |
| s3:ListAllMyBuckets | arn:aws:s3:::* | Allows listing the names of all buckets in your account, so an existing Remotion bucket can be detected. |
| lambda:GetLayerVersion | arn:aws:lambda:*:678892195805:layer:remotion-binaries-*, arn:aws:lambda:*:580247275435:layer:LambdaInsightsExtension* | Allows reading the Chromium and FFmpeg binaries. These are hosted as layers in an account Remotion dedicates to hosting them in all supported regions. The second ARN is the Lambda Insights extension layer published by AWS. |
| lambda:ListFunctions, lambda:GetFunction | * | Allows reading the functions in your AWS account so the correct function to invoke can be found. The permissive `*` is required because AWS does not allow this permission to be scoped more tightly. |
| lambda:InvokeAsync, lambda:InvokeFunction, lambda:DeleteFunction, lambda:PutFunctionEventInvokeConfig, lambda:CreateFunction, lambda:PutRuntimeManagementConfig, lambda:TagResource | arn:aws:lambda:*:*:function:remotion-render-* | Allows creating, deleting, invoking and configuring functions (for example disabling automatic retries). The CLI and Node.js API use these permissions to set up, execute and tear down the infrastructure. lambda:TagResource optionally tags the functions. |
| logs:CreateLogGroup, logs:PutRetentionPolicy | arn:aws:logs:*:*:log-group:/aws/lambda/remotion-render-* | Allows creating the CloudWatch log groups in which the functions' logs are later stored. Simplifies debugging. |
| servicequotas:GetServiceQuota, servicequotas:GetAWSDefaultServiceQuota, servicequotas:RequestServiceQuotaIncrease, servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota | * | Powers the `lambda quotas` CLI command. |

Role policy

| Permission | Scope | Reason |
|---|---|---|
| s3:ListAllMyBuckets | * | Lists the buckets in the account to find existing ones whose names start with `remotionlambda-`. |
| s3:CreateBucket, s3:ListBucket, s3:PutBucketAcl, s3:GetObject, s3:DeleteObject, s3:PutObjectAcl, s3:PutObject, s3:GetBucketLocation | arn:aws:s3:::remotionlambda-* | Create and delete buckets and objects, make them public or private, and get their location. Because Remotion stores videos in S3 buckets, it needs basic CRUD access to them. The permission applies only to buckets whose names start with `remotionlambda-`. |
| lambda:InvokeFunction | arn:aws:lambda:*:*:function:remotion-render-* | Allows the function to invoke itself recursively. A render consists of many function invocations, orchestrated by the first one. |
| logs:CreateLogGroup | arn:aws:logs:*:*:log-group:/aws/lambda-insights | Allows creating the log group used by the Lambda Insights extension. |
| logs:CreateLogStream, logs:PutLogEvents | arn:aws:logs:*:*:log-group:/aws/lambda/remotion-render-*, arn:aws:logs:*:*:log-group:/aws/lambda-insights:* | Allows writing the functions' logs (and Lambda Insights data) to CloudWatch for easier debugging. |

See also