Permissions
This page describes the permissions Remotion Lambda requires and, for those interested, explains why each of them is necessary.
For a step-by-step walkthrough of setting up the permissions, see the setup guide.
User permissions
This policy should be attached to the AWS user. To do so, go to AWS console ➞ IAM ➞ Users ➞ the Remotion user you created ➞ Permissions tab ➞ Add inline policy ➞ JSON.
The full user permissions JSON file for the latest Remotion Lambda version:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "HandleQuotas",
      "Effect": "Allow",
      "Action": [
        "servicequotas:GetServiceQuota",
        "servicequotas:GetAWSDefaultServiceQuota",
        "servicequotas:RequestServiceQuotaIncrease",
        "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "PermissionValidation",
      "Effect": "Allow",
      "Action": [
        "iam:SimulatePrincipalPolicy"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "LambdaInvokation",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/remotion-lambda-role"
      ]
    },
    {
      "Sid": "Storage",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:PutObjectAcl",
        "s3:PutObject",
        "s3:CreateBucket",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:PutBucketAcl",
        "s3:DeleteBucket",
        "s3:PutBucketOwnershipControls",
        "s3:PutBucketPublicAccessBlock",
        "s3:PutLifecycleConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::remotionlambda-*"
      ]
    },
    {
      "Sid": "BucketListing",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "FunctionListing",
      "Effect": "Allow",
      "Action": [
        "lambda:ListFunctions",
        "lambda:GetFunction"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "FunctionManagement",
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeAsync",
        "lambda:InvokeFunction",
        "lambda:CreateFunction",
        "lambda:DeleteFunction",
        "lambda:PutFunctionEventInvokeConfig",
        "lambda:PutRuntimeManagementConfig",
        "lambda:TagResource"
      ],
      "Resource": [
        "arn:aws:lambda:*:*:function:remotion-render-*"
      ]
    },
    {
      "Sid": "LogsRetention",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:PutRetentionPolicy"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/lambda/remotion-render-*"
      ]
    },
    {
      "Sid": "FetchBinaries",
      "Effect": "Allow",
      "Action": [
        "lambda:GetLayerVersion"
      ],
      "Resource": [
        "arn:aws:lambda:*:678892195805:layer:remotion-binaries-*",
        "arn:aws:lambda:*:580247275435:layer:LambdaInsightsExtension*"
      ]
    }
  ]
}
```

You can obtain the permissions file matching your Remotion Lambda version by running `npx remotion lambda policies user`.
Role permissions
This policy should be attached to the role remotion-lambda-role in your AWS account. The following permissions are granted to the Lambda function itself.
To attach it, go to AWS console ➞ IAM ➞ Roles ➞ remotion-lambda-role ➞ Permissions tab ➞ Add inline policy.
The full role permissions JSON file for the latest Remotion Lambda version:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "0",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "1",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:ListBucket",
        "s3:PutBucketAcl",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:PutObjectAcl",
        "s3:PutObject",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::remotionlambda-*"
      ]
    },
    {
      "Sid": "2",
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeFunction"
      ],
      "Resource": [
        "arn:aws:lambda:*:*:function:remotion-render-*"
      ]
    },
    {
      "Sid": "3",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/lambda-insights"
      ]
    },
    {
      "Sid": "4",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/lambda/remotion-render-*",
        "arn:aws:logs:*:*:log-group:/aws/lambda-insights:*"
      ]
    }
  ]
}
```

You can obtain the permissions file matching your Remotion Lambda version by running `npx remotion lambda policies role`.
Validation
There are two ways to test whether the user permissions have been set up correctly. You can run the following command:

```bash
npx remotion lambda policies validate
```

Or, if you want to validate programmatically, you can use the simulatePermissions() function.
The role's policies cannot be validated.
Explanation
The following tables detail why Remotion Lambda needs the permissions it requires.
User policy

| Permission | Scope | Reason |
|---|---|---|
| iam:SimulatePrincipalPolicy | * | Allows executing |
| iam:PassRole | arn:aws:iam::*:role/remotion-lambda-role | Allows the Lambda function to assume a role with sufficient permissions. |
| s3:GetObject, s3:DeleteObject, s3:PutObjectAcl, s3:PutObject, s3:CreateBucket, s3:ListBucket, s3:GetBucketLocation, s3:PutBucketAcl, s3:DeleteBucket, s3:PutBucketOwnershipControls, s3:PutBucketPublicAccessBlock | arn:aws:s3:::remotionlambda-* | Allows creating and deleting buckets and objects in your account, making objects public and configuring them as a website. Only buckets starting with |
| s3:ListAllMyBuckets | arn:aws:s3:::* | Allows listing the names of all buckets in your account in order to detect an existing Remotion bucket. |
| lambda:GetLayerVersion | arn:aws:lambda:*:678892195805:layer:remotion-binaries-* | Allows reading the Chromium and FFMPEG binaries. These binaries are hosted in an account that Remotion dedicates to hosting these layers in all supported regions. |
| lambda:ListFunctions, lambda:GetFunction | * | Allows reading the functions in your AWS account in order to find the right function to invoke. The permissive |
| lambda:InvokeAsync, lambda:InvokeFunction, lambda:DeleteFunction, lambda:PutFunctionEventInvokeConfig, lambda:CreateFunction, lambda:PutRuntimeManagementConfig, lambda:TagResource | arn:aws:lambda:*:*:function:remotion-render-* | Allows creating, deleting, invoking and configuring functions (for example, disabling automatic retries). The CLI and the Node.js API use these permissions to set up, execute and tear down the infrastructure. |
| logs:CreateLogGroup, logs:PutRetentionPolicy | arn:aws:logs:*:*:log-group:/aws/lambda/remotion-render-* | Allows creating a CloudWatch log group in which logs are saved later. Simplifies debugging. |
| servicequotas:GetServiceQuota, servicequotas:GetAWSDefaultServiceQuota, servicequotas:RequestServiceQuotaIncrease, servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota | * | For |
Role policy

| Permission | Scope | Reason |
|---|---|---|
| s3:ListAllMyBuckets | * | Gets the list of Remotion buckets in order to find buckets starting with |
| s3:CreateBucket, s3:ListBucket, s3:PutBucketAcl, s3:GetObject, s3:DeleteObject, s3:PutObjectAcl, s3:PutObject, s3:GetBucketLocation | arn:aws:s3:::remotionlambda-* | Creates and deletes buckets and items, makes them public or private, and gets their location. Because Remotion stores videos in S3 buckets, it needs basic CRUD capability on those buckets. This permission only applies to buckets starting with |
| lambda:InvokeFunction | arn:aws:lambda:*:*:function:remotion-render* | Allows the function to recursively invoke itself. A render involves multiple function invocations, orchestrated by the first one. |
| logs:CreateLogStream, logs:PutLogEvents | arn:aws:logs:*:*:log-group:/aws/lambda/remotion-render* | Allows writing the function's logs to CloudWatch for easier debugging. |
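To make the resource scoping in the two tables concrete, and as an offline counterpart to the validation step described earlier, here is an added example that is not Remotion's code and not the internals of simulatePermissions(): a small IAM-style evaluator that decides, against a constructed subset of the user policy on this page, whether a given action on a given ARN is allowed, implicitly denied or explicitly denied, plus an audit helper that lists statements scoped to "*". The function names, the policy subset and the sample ARNs are this example's own assumptions.

```javascript
// Added example (not Remotion's code, not the internals of simulatePermissions()):
// a minimal offline IAM-style evaluator that applies the resource scoping from
// the tables above to one (action, resource ARN) request. It models only
// Allow/Deny statements with Action and Resource; Conditions are not handled.
const USER_POLICY = { // constructed subset of the user policy shown on this page
  Version: "2012-10-17",
  Statement: [
    { Sid: "Storage", Effect: "Allow",
      Action: ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket"],
      Resource: ["arn:aws:s3:::remotionlambda-*"] },
    { Sid: "FunctionManagement", Effect: "Allow",
      Action: ["lambda:InvokeFunction", "lambda:DeleteFunction"],
      Resource: ["arn:aws:lambda:*:*:function:remotion-render-*"] },
    { Sid: "BucketListing", Effect: "Allow",
      Action: ["s3:ListAllMyBuckets"], Resource: ["*"] },
  ],
};

// Turn an IAM pattern ("*" = any run of characters, "?" = one character) into
// an anchored regular expression; every other character matches literally.
function iamPattern(pattern, caseInsensitive) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`, caseInsensitive ? "i" : "");
}

// IAM evaluation logic: an explicit Deny wins over any Allow, and a request
// that no statement matches is implicitly denied.
function evaluate(policy, action, resource) {
  let decision = "implicitDeny";
  for (const stmt of policy.Statement) {
    const actions = [].concat(stmt.Action);     // string or array in IAM JSON
    const resources = [].concat(stmt.Resource); // likewise
    // Action names are case-insensitive in IAM; resource ARNs are matched as-is.
    const actionHit = actions.some((a) => iamPattern(a, true).test(action));
    const resourceHit = resources.some((r) => iamPattern(r, false).test(resource));
    if (!actionHit || !resourceHit) continue;
    if (stmt.Effect === "Deny") return "explicitDeny";
    decision = "allowed";
  }
  return decision;
}

// Least-privilege audit: Sids of statements granting something on every resource.
function wildcardStatements(policy) {
  return policy.Statement
    .filter((s) => [].concat(s.Resource).includes("*"))
    .map((s) => s.Sid);
}
```

Run it against a bucket or function name that does not carry the remotionlambda- or remotion-render- prefix to see the implicit deny the tables describe.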