Permissions
This page describes the permissions Remotion Lambda needs and, for those interested, explains why each of them is necessary.
For step-by-step setup of the permissions, see the setup guide.
User permissions
This policy should be attached to the AWS user. To do so, go to AWS Console ➞ IAM ➞ Users ➞ the Remotion user you created ➞ Permissions tab ➞ Add inline policy ➞ JSON.
Full user permissions JSON for the latest Remotion Lambda version:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "HandleQuotas",
      "Effect": "Allow",
      "Action": [
        "servicequotas:GetServiceQuota",
        "servicequotas:GetAWSDefaultServiceQuota",
        "servicequotas:RequestServiceQuotaIncrease",
        "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota"
      ],
      "Resource": ["*"]
    },
    {
      "Sid": "PermissionValidation",
      "Effect": "Allow",
      "Action": ["iam:SimulatePrincipalPolicy"],
      "Resource": ["*"]
    },
    {
      "Sid": "LambdaInvokation",
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": ["arn:aws:iam::*:role/remotion-lambda-role"]
    },
    {
      "Sid": "Storage",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:PutObjectAcl",
        "s3:PutObject",
        "s3:CreateBucket",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:PutBucketAcl",
        "s3:DeleteBucket",
        "s3:PutBucketOwnershipControls",
        "s3:PutBucketPublicAccessBlock",
        "s3:PutLifecycleConfiguration"
      ],
      "Resource": ["arn:aws:s3:::remotionlambda-*"]
    },
    {
      "Sid": "BucketListing",
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets"],
      "Resource": ["*"]
    },
    {
      "Sid": "FunctionListing",
      "Effect": "Allow",
      "Action": ["lambda:ListFunctions", "lambda:GetFunction"],
      "Resource": ["*"]
    },
    {
      "Sid": "FunctionManagement",
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeAsync",
        "lambda:InvokeFunction",
        "lambda:CreateFunction",
        "lambda:DeleteFunction",
        "lambda:PutFunctionEventInvokeConfig",
        "lambda:PutRuntimeManagementConfig",
        "lambda:TagResource"
      ],
      "Resource": ["arn:aws:lambda:*:*:function:remotion-render-*"]
    },
    {
      "Sid": "LogsRetention",
      "Effect": "Allow",
      "Action": ["logs:CreateLogGroup", "logs:PutRetentionPolicy"],
      "Resource": ["arn:aws:logs:*:*:log-group:/aws/lambda/remotion-render-*"]
    },
    {
      "Sid": "FetchBinaries",
      "Effect": "Allow",
      "Action": ["lambda:GetLayerVersion"],
      "Resource": [
        "arn:aws:lambda:*:678892195805:layer:remotion-binaries-*",
        "arn:aws:lambda:*:580247275435:layer:LambdaInsightsExtension*"
      ]
    }
  ]
}
```
You can obtain the permissions file matching your installed Remotion Lambda version by running:
```bash
npx remotion lambda policies user
```
Role permissions
This policy should be attached to the role named remotion-lambda-role in your AWS account. The following permissions are granted to the Lambda function itself.
To attach it, go to AWS Console ➞ IAM ➞ Roles ➞ remotion-lambda-role ➞ Permissions tab ➞ Add inline policy.
Full role permissions JSON for the latest Remotion Lambda version:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "0",
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets"],
      "Resource": ["*"]
    },
    {
      "Sid": "1",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:ListBucket",
        "s3:PutBucketAcl",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:PutObjectAcl",
        "s3:PutObject",
        "s3:GetBucketLocation"
      ],
      "Resource": ["arn:aws:s3:::remotionlambda-*"]
    },
    {
      "Sid": "2",
      "Effect": "Allow",
      "Action": ["lambda:InvokeFunction"],
      "Resource": ["arn:aws:lambda:*:*:function:remotion-render-*"]
    },
    {
      "Sid": "3",
      "Effect": "Allow",
      "Action": ["logs:CreateLogGroup"],
      "Resource": ["arn:aws:logs:*:*:log-group:/aws/lambda-insights"]
    },
    {
      "Sid": "4",
      "Effect": "Allow",
      "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/lambda/remotion-render-*",
        "arn:aws:logs:*:*:log-group:/aws/lambda-insights:*"
      ]
    }
  ]
}
```
You can obtain the permissions file matching your installed Remotion Lambda version by running:
```bash
npx remotion lambda policies role
```
Validation
There are two ways to test whether the user permissions are set up correctly. You can run the following command:
```bash
npx remotion lambda policies validate
```
Or, if you want to validate programmatically, use the simulatePermissions() function.
The role's policy cannot be validated this way.
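The validation above asks AWS to simulate the user's policy. As an added example that is not part of Remotion's documentation or code base, the following JavaScript is a deliberately small offline evaluator for the kind of Allow-only, wildcard-scoped statements both policies on this page use: it answers whether a given action on a given ARN would be permitted, and it lists which statements grant actions on every resource. It handles only Effect Allow with Action/Resource wildcards (no Deny, Condition, NotAction, or resource-based policies), so it is a reasoning aid for reviewing the scoping, not a replacement for iam:SimulatePrincipalPolicy. The policy object is an excerpt of the user policy shown above; the account id, bucket and function names used in the checks are constructed.

```javascript
// Added example (not Remotion's code): offline, simplified evaluation of the
// Allow-only IAM policies from this page. Assumptions: only Effect "Allow",
// Action and Resource given as arrays, IAM "*" / "?" wildcards; Deny,
// Condition, NotAction/NotResource and resource-based policies are ignored.

// Excerpt of the user policy shown on this page (statements copied verbatim).
const userPolicy = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "PermissionValidation", Effect: "Allow",
      Action: ["iam:SimulatePrincipalPolicy"], Resource: ["*"] },
    { Sid: "LambdaInvokation", Effect: "Allow",
      Action: ["iam:PassRole"],
      Resource: ["arn:aws:iam::*:role/remotion-lambda-role"] },
    { Sid: "Storage", Effect: "Allow",
      Action: ["s3:GetObject", "s3:DeleteObject", "s3:PutObjectAcl", "s3:PutObject",
        "s3:CreateBucket", "s3:ListBucket", "s3:GetBucketLocation", "s3:PutBucketAcl",
        "s3:DeleteBucket", "s3:PutBucketOwnershipControls",
        "s3:PutBucketPublicAccessBlock", "s3:PutLifecycleConfiguration"],
      Resource: ["arn:aws:s3:::remotionlambda-*"] },
    { Sid: "BucketListing", Effect: "Allow",
      Action: ["s3:ListAllMyBuckets"], Resource: ["*"] },
    { Sid: "FunctionListing", Effect: "Allow",
      Action: ["lambda:ListFunctions", "lambda:GetFunction"], Resource: ["*"] },
    { Sid: "FunctionManagement", Effect: "Allow",
      Action: ["lambda:InvokeAsync", "lambda:InvokeFunction", "lambda:CreateFunction",
        "lambda:DeleteFunction", "lambda:PutFunctionEventInvokeConfig",
        "lambda:PutRuntimeManagementConfig", "lambda:TagResource"],
      Resource: ["arn:aws:lambda:*:*:function:remotion-render-*"] },
  ],
};

// IAM wildcard semantics: "*" matches any run of characters (it crosses ":"
// and "/", which is why "remotionlambda-*" also covers every key inside the
// bucket), "?" matches exactly one character, everything else is literal.
function iamMatch(pattern, value) {
  const re = pattern
    .split("")
    .map((ch) => {
      if (ch === "*") return ".*";
      if (ch === "?") return ".";
      return ch.replace(/[.+^${}()|[\]\\]/g, "\\$&");
    })
    .join("");
  return new RegExp("^" + re + "$").test(value);
}

// Allow-only evaluation: permitted if any Allow statement matches both the
// action (case-insensitive, as in IAM) and the resource ARN. Anything that
// matches no statement is an implicit deny.
function isAllowed(policy, action, resource) {
  return policy.Statement.some(
    (st) =>
      st.Effect === "Allow" &&
      st.Action.some((a) => iamMatch(a.toLowerCase(), action.toLowerCase())) &&
      st.Resource.some((r) => iamMatch(r, resource)),
  );
}

// Statements whose Resource is "*": the ones to scrutinise when reviewing
// scoping, since their actions are not tied to remotionlambda-* or
// remotion-render-* names.
function unscopedStatements(policy) {
  return policy.Statement
    .filter((st) => st.Effect === "Allow" && st.Resource.includes("*"))
    .map((st) => ({ sid: st.Sid, actions: st.Action }));
}

// Constructed checks: the account id, bucket and function names are made up.
const checks = [
  ["s3:PutObject", "arn:aws:s3:::remotionlambda-abcdef/renders/out.mp4"],
  ["s3:PutObject", "arn:aws:s3:::company-backups/db.sql"],
  ["lambda:InvokeFunction", "arn:aws:lambda:us-east-1:123456789012:function:remotion-render-example"],
  ["lambda:InvokeFunction", "arn:aws:lambda:us-east-1:123456789012:function:payments-api"],
  ["lambda:UpdateFunctionCode", "arn:aws:lambda:us-east-1:123456789012:function:remotion-render-example"],
  ["iam:PassRole", "arn:aws:iam::123456789012:role/AdministratorAccess"],
];
for (const [action, resource] of checks) {
  const verdict = isAllowed(userPolicy, action, resource) ? "ALLOW" : "implicit DENY";
  console.log(`${verdict.padEnd(13)} ${action} on ${resource}`);
}
console.log("Resource \"*\" statements:", unscopedStatements(userPolicy).map((s) => s.sid).join(", "));
```

Run it with node. The same two functions can be pointed at the role policy, which the AWS simulator does not check for you: load it in place of userPolicy and confirm, for instance, that lambda:InvokeFunction is allowed only for remotion-render-* ARNs and that the only Resource "*" statement is the bucket listing.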
Explanation
The following tables detail why Remotion Lambda needs each permission it requests. Note that the S3 and Lambda statements are scoped by name prefix (remotionlambda- for buckets, remotion-render- for functions); widening those resources to * removes the separation between Remotion's resources and everything else in the account.
User policy
| Permission | Scope | Reason |
|---|---|---|
| iam:SimulatePrincipalPolicy | * | Allows running the permission check (the PermissionValidation statement) used by the validation commands above. |
| iam:PassRole | arn:aws:iam::*:role/remotion-lambda-role | Allows passing remotion-lambda-role to the Lambda functions when they are created, so the functions run with that role's permissions. Restricted to that one role name, so the user cannot hand a more powerful role to a function. |
| s3:GetObject, s3:DeleteObject, s3:PutObjectAcl, s3:PutObject, s3:CreateBucket, s3:ListBucket, s3:GetBucketLocation, s3:PutBucketAcl, s3:DeleteBucket, s3:PutBucketOwnershipControls, s3:PutBucketPublicAccessBlock, s3:PutLifecycleConfiguration | arn:aws:s3:::remotionlambda-* | Allows creating and deleting buckets and objects in your account, making objects public, and configuring them as a website. Only buckets whose names start with remotionlambda- can be accessed. |
| s3:ListAllMyBuckets | * | Allows listing the names of all buckets in your account, so that an existing Remotion bucket can be detected. |
| lambda:GetLayerVersion | arn:aws:lambda:*:678892195805:layer:remotion-binaries-*, arn:aws:lambda:*:580247275435:layer:LambdaInsightsExtension* | Allows reading the Chromium and FFMPEG binaries. These are hosted as layers in an account Remotion uses solely for publishing them in all supported regions. The second ARN is the Lambda Insights extension layer published by AWS. |
| lambda:ListFunctions, lambda:GetFunction | * | Allows reading the functions in your AWS account in order to find the right one to invoke. The permissive * scope is needed because lambda:ListFunctions does not support resource-level restrictions. |
| lambda:InvokeAsync, lambda:InvokeFunction, lambda:DeleteFunction, lambda:PutFunctionEventInvokeConfig, lambda:CreateFunction, lambda:PutRuntimeManagementConfig, lambda:TagResource | arn:aws:lambda:*:*:function:remotion-render-* | Allows creating, deleting, invoking and configuring functions (for example disabling automatic retries). The CLI and Node.js API use these permissions to set up, execute and tear down the infrastructure. |
| logs:CreateLogGroup, logs:PutRetentionPolicy | arn:aws:logs:*:*:log-group:/aws/lambda/remotion-render-* | Allows creating the CloudWatch log groups that the render functions later write to, and setting their retention. Simplifies debugging. |
| servicequotas:GetServiceQuota, servicequotas:GetAWSDefaultServiceQuota, servicequotas:RequestServiceQuotaIncrease, servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota | * | For reading the current and default service quotas, requesting quota increases, and listing the history of such requests (the HandleQuotas statement). |
Role policy
| Permission | Scope | Reason |
|---|---|---|
| s3:ListAllMyBuckets | * | Gets the list of buckets in order to find the Remotion bucket, whose name starts with remotionlambda-. |
| s3:CreateBucket, s3:ListBucket, s3:PutBucketAcl, s3:GetObject, s3:DeleteObject, s3:PutObjectAcl, s3:PutObject, s3:GetBucketLocation | arn:aws:s3:::remotionlambda-* | Creates and deletes buckets and objects, makes them public or private, and reads their location. Since Remotion stores the rendered videos in S3 buckets, it needs basic CRUD capability on them. The permission only applies to buckets whose names start with remotionlambda-. |
| lambda:InvokeFunction | arn:aws:lambda:*:*:function:remotion-render-* | Allows the function to invoke itself recursively. A render involves multiple function invocations, orchestrated by the first one. |
| logs:CreateLogGroup | arn:aws:logs:*:*:log-group:/aws/lambda-insights | Allows creating the log group used by the Lambda Insights extension. |
| logs:CreateLogStream, logs:PutLogEvents | arn:aws:logs:*:*:log-group:/aws/lambda/remotion-render-*, arn:aws:logs:*:*:log-group:/aws/lambda-insights:* | Allows writing the function's logs to CloudWatch for easier debugging. |