
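Example setup without IAM user

This explains how to use the example that implements the technique described in "Lambda without IAM roles".

Prerequisites

  • Make sure that your local AWS profile is able to deploy to AWS.

Setup

1. Clone or download the project

The project can be found in the reference project.

2. Install dependencies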

bash
npm i

3. Create the CDK Stack

This command deploys the Lambda function and any other resources in the stack.

bash
npx aws-cdk deploy \
--outputs-file ./cdk-outputs.json

The Remotion packages are also bundled into the stack, which ensures that renderMediaOnLambda() can be executed by the Lambda function.

package.json
json
{
"dependencies": {
...
"remotion": "^3.3.33",
"@remotion/lambda": "^3.3.33",
}
}

The complete dependencies are included in the reference project.

4. After deployment

bash
npx aws-cdk deploy \
--outputs-file ./cdk-outputs.json
Deployment progress
bash
Bundling asset cdk-stack/render-function/Code/Stage...
cdk.out/bundling-temp-5e88d0b45626d59e8e8ddce3b05a886b0e1b381df6e5bbbea1dc2727080641a8/index.js 6.3mb ⚠️
⚡ Done in 295ms
✨ Synthesis time: 4.29s
cdk-stack: building assets...
[0%] start: Building 87d5e793cbd198c73c05023515153b142eb2f559e7150579cd2db53362c19b6e:XXXXXXXXXX-us-east-1
[0%] start: Building 779e5babb0ddf0d17c0faebbe5596b03bcf13785f0b20c4cd0fe0c5e616d5593:XXXXXXXXXX-us-east-1
[50%] success: Built 87d5e793cbd198c73c05023515153b142eb2f559e7150579cd2db53362c19b6e:XXXXXXXXXX-us-east-1
[100%] success: Built 779e5babb0ddf0d17c0faebbe5596b03bcf13785f0b20c4cd0fe0c5e616d5593:XXXXXXXXXX-us-east-1
cdk-stack: assets built
cdk-stack: deploying... [1/1]
[0%] start: Publishing 87d5e793cbd198c73c05023515153b142eb2f559e7150579cd2db53362c19b6e:XXXXXXXXXX-us-east-1
[0%] start: Publishing 779e5babb0ddf0d17c0faebbe5596b03bcf13785f0b20c4cd0fe0c5e616d5593:XXXXXXXXXX-us-east-1
[50%] success: Published 779e5babb0ddf0d17c0faebbe5596b03bcf13785f0b20c4cd0fe0c5e616d5593:XXXXXXXXXX-us-east-1
[100%] success: Published 87d5e793cbd198c73c05023515153b142eb2f559e7150579cd2db53362c19b6e:XXXXXXXXXX-us-east-1
✅ cdk-stack (no changes)
✨ Deployment time: 1.39s
Output
bash
Outputs:
cdk-stack.apiUrl = https://du7jfr.execute-api.us-east-1.amazonaws.com/
cdk-stack.region = us-east-1
cdk-stack.userPoolClientId = 4l5tsda2iu8lqugl73m8hgeb83
cdk-stack.userPoolId = us-east-1_bVwFsBUGO
Stack ARN:
arn:aws:cloudformation:us-east-1:XXXXXXXXXX:stack/cdk-stack/faf43800-9878-11ed-a070-0aacc64c8662

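The output contains the API Gateway base URL, the region, and the Cognito client ID and user pool ID used for authentication.

5. Cleanup

The following command deletes the function if it is no longer needed.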

bash
npx aws-cdk destroy

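Lambda role

The CDK creates an IAM role named remotionLambdaServerlessRole, which requires the Remotion policy settings.

Test your endpoint

The API is protected by Cognito and requires an authorization token.

To test it, perform the following steps in case you do not have a frontend yet.

1. Create a Cognito user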

bash
aws cognito-idp sign-up \
--client-id YOUR_USER_POOL_CLIENT_ID \
--username "sample@test.com" \
--password "compLicat3d123"

2. Confirm the user so that they can sign in

bash
aws cognito-idp admin-confirm-sign-up \
--user-pool-id YOUR_USER_POOL_ID \
--username "sample@test.com"

3. Sign in the user to retrieve the identity JWT token

bash
aws cognito-idp initiate-auth \
--auth-flow USER_PASSWORD_AUTH \
--auth-parameters \
USERNAME="sample@test.com",PASSWORD="compLicat3d123" \
--client-id YOUR_USER_POOL_CLIENT_ID

YOUR_USER_POOL_CLIENT_ID and YOUR_USER_POOL_ID are part of the CDK output.

Output
bash
{
"ChallengeParameters": {},
"AuthenticationResult": {
"AccessToken": "eyJraWQiOiJGcUJ....",
"ExpiresIn": 3600,
"TokenType": "Bearer",
"RefreshToken": "eyJjdHkiOiJKV1QiLCJlbm...",
"IdToken": "eyJraWQiOiJCcjY3Rk5WdzRpYVVYVlpNdF..."
}
}

The API gives you a detailed response, but only the IdToken will be used.

4. Use the token to call the endpoint with a curl request.

Request

bash
curl --location --request POST 'https://du7jfr6.execute-api.us-east-1.amazonaws.com/render' \
--header 'Authorization: Bearer eyJraWQiOiJGcUJFV1B1cHhxM0NXRko0RVN..........'

Response

bash
{"message":"SUCCESS","bucketName":"remotionlambda-apsoutheast2-5essis84y1","renderId":"1pwhfhh11z"}

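That's it! You now have an API that you can use to invoke video renders.

Warning

Important: The Lambda function should not be accessible to unauthenticated users.
The function uses version 2 of the CDK, which is still under active development.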
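
As an added example (not part of the original page or the reference project), the following Node.js function checks the claims of the token obtained in step 3 before it is sent in step 4: that it is the IdToken rather than the AccessToken, and that it was issued for the user pool and client listed in the CDK output. It does not verify the signature; the helper names, the placeholder pool values and the unsigned sample tokens are constructed for illustration.

```javascript
// Added example (not from the reference project): check the claims of a
// Cognito JWT against the values in the CDK output before calling the API.
// It does NOT verify the signature; that stays with the Cognito-protected API.

function decodeSegment(segment) {
  // JWT segments are base64url-encoded without padding.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// checkIdTokenClaims is a hypothetical helper; `outputs` uses the key names
// of the CDK output. Returns a list of problems (empty list = claims look right).
function checkIdTokenClaims(token, outputs, nowSec) {
  const { region, userPoolId, userPoolClientId } = outputs;
  const parts = String(token).split(".");
  if (parts.length !== 3) return ["not a three-part JWT"];
  let claims;
  try {
    claims = decodeSegment(parts[1]);
  } catch {
    return ["payload is not valid base64url JSON"];
  }
  if (claims === null || typeof claims !== "object") return ["payload is not a JSON object"];
  const problems = [];
  const issuer = `https://cognito-idp.${region}.amazonaws.com/${userPoolId}`;
  if (claims.token_use !== "id") problems.push(`token_use is "${claims.token_use}", expected "id"`);
  if (claims.iss !== issuer) problems.push("iss does not match the deployed user pool");
  if (claims.aud !== userPoolClientId) problems.push("aud does not match the user pool client");
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) problems.push("token is expired or has no exp claim");
  return problems;
}

// Constructed sample data: placeholder pool values and unsigned tokens.
const sampleOutputs = { region: "us-east-1", userPoolId: "us-east-1_EXAMPLE", userPoolClientId: "exampleclientid" };
const sampleIssuer = `https://cognito-idp.${sampleOutputs.region}.amazonaws.com/${sampleOutputs.userPoolId}`;
function makeUnsignedToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256" })}.${enc(claims)}.c2ln`;
}
const sampleIdToken = makeUnsignedToken({ token_use: "id", iss: sampleIssuer, aud: "exampleclientid", exp: 2000 });
const sampleAccessToken = makeUnsignedToken({ token_use: "access", iss: sampleIssuer, client_id: "exampleclientid", exp: 2000 });

console.log(checkIdTokenClaims(sampleIdToken, sampleOutputs, 1000));
console.log(checkIdTokenClaims(sampleAccessToken, sampleOutputs, 1000));
```

With real data, pass the `cdk-stack` object from cdk-outputs.json as `outputs` and `Math.floor(Date.now() / 1000)` as `nowSec`.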
