Permissions
This document describes the permissions Remotion Lambda needs and explains, for those interested, why each permission is necessary.
For a step-by-step guide on how to set up the permissions, follow the setup guide.
User permissions
This policy should be attached to the AWS user. To do so, go to the AWS console ➞ IAM ➞ Users ➞ the Remotion user you created ➞ Permissions tab ➞ Add inline policy ➞ JSON.
Full user permissions JSON file for the latest Remotion Lambda version:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "HandleQuotas",
"Effect": "Allow",
"Action": [
"servicequotas:GetServiceQuota",
"servicequotas:GetAWSDefaultServiceQuota",
"servicequotas:RequestServiceQuotaIncrease",
"servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota"
],
"Resource": [
"*"
]
},
{
"Sid": "PermissionValidation",
"Effect": "Allow",
"Action": [
"iam:SimulatePrincipalPolicy"
],
"Resource": [
"*"
]
},
{
"Sid": "LambdaInvokation",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/remotion-lambda-role"
]
},
{
"Sid": "Storage",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:DeleteObject",
"s3:PutObjectAcl",
"s3:PutObject",
"s3:CreateBucket",
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:PutBucketAcl",
"s3:DeleteBucket",
"s3:PutBucketOwnershipControls",
"s3:PutBucketPublicAccessBlock",
"s3:PutBucketPolicy",
"s3:PutLifecycleConfiguration"
],
"Resource": [
"arn:aws:s3:::remotionlambda-*"
]
},
{
"Sid": "BucketListing",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": [
"*"
]
},
{
"Sid": "FunctionListing",
"Effect": "Allow",
"Action": [
"lambda:ListFunctions",
"lambda:GetFunction"
],
"Resource": [
"*"
]
},
{
"Sid": "FunctionManagement",
"Effect": "Allow",
"Action": [
"lambda:InvokeAsync",
"lambda:InvokeFunction",
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:PutFunctionEventInvokeConfig",
"lambda:PutRuntimeManagementConfig",
"lambda:TagResource"
],
"Resource": [
"arn:aws:lambda:*:*:function:remotion-render-*"
]
},
{
"Sid": "LogsRetention",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:PutRetentionPolicy"
],
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/lambda/remotion-render-*"
]
},
{
"Sid": "FetchBinaries",
"Effect": "Allow",
"Action": [
"lambda:GetLayerVersion"
],
"Resource": [
"arn:aws:lambda:*:678892195805:layer:remotion-binaries-*",
"arn:aws:lambda:*:580247275435:layer:LambdaInsightsExtension*"
]
}
]
}

You can obtain the permissions file matching your Remotion Lambda version by running npx remotion lambda policies user.
Role permissions
This policy should be attached to the role remotion-lambda-role in your AWS account. The permissions below are granted to the Lambda function itself.
To attach it, go to the AWS console ➞ IAM ➞ Roles ➞ remotion-lambda-role ➞ Permissions tab ➞ Add inline policy.
Full role permissions JSON file for the latest Remotion Lambda version:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "0",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": [
"*"
]
},
{
"Sid": "1",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:ListBucket",
"s3:PutBucketAcl",
"s3:GetObject",
"s3:DeleteObject",
"s3:PutObjectAcl",
"s3:PutObject",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::remotionlambda-*"
]
},
{
"Sid": "2",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction"
],
"Resource": [
"arn:aws:lambda:*:*:function:remotion-render-*"
]
},
{
"Sid": "3",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup"
],
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/lambda-insights"
]
},
{
"Sid": "4",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/lambda/remotion-render-*",
"arn:aws:logs:*:*:log-group:/aws/lambda-insights:*"
]
}
]
}

You can obtain the permissions file matching your Remotion Lambda version by running npx remotion lambda policies role.
Validation
There are two ways to test whether the permissions for the user have been set up correctly. Either execute the following command:
npx remotion lambda policies validate

or, if you want to validate programmatically, use the simulatePermissions() function.
The role's policy cannot be validated this way.
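Because the role policy has no simulation path, and because the user policy is usually pasted by hand, a static check of the JSON before it reaches IAM is worth having. The following is an added example, not Remotion's own code or API: it lints a policy document against the scoping the two policies on this page use (resource wildcards only for the list, simulation and quota actions that IAM cannot scope; everything else pinned to the remotionlambda-*, remotion-render-* and remotion-lambda-role ARNs). The three policy documents inside it are constructed excerpts for the demonstration, including one deliberately over-broad variant.

```javascript
// Added example (not part of Remotion): offline least-privilege lint for the
// user and role policies on this page. Run with: node lint-policy.js

// Actions that IAM cannot restrict to a resource ARN (list, simulation and
// quota calls), so Resource "*" is legitimate for exactly these.
const WILDCARD_OK = new Set([
  "s3:ListAllMyBuckets",
  "lambda:ListFunctions",
  "lambda:GetFunction", // grouped with ListFunctions in the page's policy
  "iam:SimulatePrincipalPolicy",
  "servicequotas:GetServiceQuota",
  "servicequotas:GetAWSDefaultServiceQuota",
  "servicequotas:RequestServiceQuotaIncrease",
  "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota",
]);

// The resource pattern each family of actions may name, taken from the ARNs in
// the page's policies. Returns null for services the page never grants.
function expectedResource(action) {
  if (action === "iam:PassRole") return /^arn:aws:iam::\*:role\/remotion-lambda-role$/;
  if (action === "lambda:GetLayerVersion") return /^arn:aws:lambda:\*:\d{12}:layer:[\w-]+\*$/;
  if (action.startsWith("s3:")) return /^arn:aws:s3:::remotionlambda-\*$/;
  if (action.startsWith("lambda:")) return /^arn:aws:lambda:\*:\*:function:remotion-render-\*$/;
  if (action.startsWith("logs:")) {
    return /^arn:aws:logs:\*:\*:log-group:\/aws\/lambda(-insights|\/remotion-render-\*)(:\*)?$/;
  }
  return null;
}

// Returns one finding per violation; an empty array means the document stays
// inside the scope documented on this page.
function lintPolicy(policy) {
  const findings = [];
  for (const st of policy.Statement) {
    if (st.Effect !== "Allow") continue;
    const sid = st.Sid || "(no Sid)";
    const actions = [].concat(st.Action);
    const resources = [].concat(st.Resource);
    for (const action of actions) {
      if (action.includes("*")) {
        findings.push(`${sid}: action wildcard "${action}" is broader than the documented set`);
        continue;
      }
      for (const res of resources) {
        if (res === "*") {
          if (!WILDCARD_OK.has(action)) {
            findings.push(`${sid}: "${action}" is allowed on every resource; pin it to an ARN`);
          }
          continue;
        }
        const want = expectedResource(action);
        if (want === null) {
          findings.push(`${sid}: "${action}" uses a service the documented policy does not grant`);
        } else if (!want.test(res)) {
          findings.push(`${sid}: "${action}" on "${res}" is outside the Remotion-prefixed scope`);
        }
      }
    }
  }
  return findings;
}

// Constructed excerpt of the user policy from this page; expected to lint clean.
const userPolicyExcerpt = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "PermissionValidation", Effect: "Allow", Action: ["iam:SimulatePrincipalPolicy"], Resource: ["*"] },
    { Sid: "LambdaInvokation", Effect: "Allow", Action: ["iam:PassRole"], Resource: ["arn:aws:iam::*:role/remotion-lambda-role"] },
    { Sid: "Storage", Effect: "Allow", Action: ["s3:GetObject", "s3:PutObject", "s3:PutBucketPolicy"], Resource: ["arn:aws:s3:::remotionlambda-*"] },
    { Sid: "FunctionManagement", Effect: "Allow", Action: ["lambda:InvokeFunction", "lambda:CreateFunction"], Resource: ["arn:aws:lambda:*:*:function:remotion-render-*"] },
    { Sid: "FetchBinaries", Effect: "Allow", Action: ["lambda:GetLayerVersion"], Resource: ["arn:aws:lambda:*:678892195805:layer:remotion-binaries-*"] },
  ],
};

// Constructed excerpt of the role policy from this page; also expected clean.
const rolePolicyExcerpt = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "2", Effect: "Allow", Action: ["lambda:InvokeFunction"], Resource: ["arn:aws:lambda:*:*:function:remotion-render-*"] },
    { Sid: "4", Effect: "Allow", Action: ["logs:CreateLogStream", "logs:PutLogEvents"], Resource: ["arn:aws:logs:*:*:log-group:/aws/lambda/remotion-render-*", "arn:aws:logs:*:*:log-group:/aws/lambda-insights:*"] },
  ],
};

// Constructed "quick fix" variant: an unscoped iam:PassRole lets this user attach
// any role in the account to a function it controls, and s3:* on every bucket
// is far beyond what a render needs. Both must be reported.
const overbroadPolicy = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "LambdaInvokation", Effect: "Allow", Action: ["iam:PassRole"], Resource: ["*"] },
    { Sid: "Storage", Effect: "Allow", Action: ["s3:*"], Resource: ["arn:aws:s3:::*"] },
  ],
};

for (const [name, doc] of [["user", userPolicyExcerpt], ["role", rolePolicyExcerpt], ["overbroad", overbroadPolicy]]) {
  const findings = lintPolicy(doc);
  console.log(`${name}: ${findings.length === 0 ? "ok" : "\n  " + findings.join("\n  ")}`);
}
```

To lint the full documents, replace the constructed excerpts with the output of npx remotion lambda policies user and npx remotion lambda policies role. The check is deliberately strict about iam:PassRole: an unscoped PassRole is the classic way an IAM user with lambda:CreateFunction escalates to any role in the account, which is exactly why the page's policy pins it to remotion-lambda-role.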
Explanation
The following tables break down why Remotion Lambda requires the permissions it does.
User policies
| Permission | Scope | Reason |
|---|---|---|
| iam:SimulatePrincipalPolicy | * | Allows for validating that this policy has been set up correctly (the PermissionValidation statement; used by npx remotion lambda policies validate and simulatePermissions()). |
| iam:PassRole | arn:aws:iam::*:role/remotion-lambda-role | Allows the user to pass remotion-lambda-role to the Lambda function when it is created, so the function runs with sufficient permissions. The scope is pinned to that one role so the user cannot attach a more privileged role to a function. |
| s3:GetObject, s3:DeleteObject, s3:PutObjectAcl, s3:PutObject, s3:CreateBucket, s3:ListBucket, s3:GetBucketLocation, s3:PutBucketAcl, s3:DeleteBucket, s3:PutBucketOwnershipControls, s3:PutBucketPublicAccessBlock, s3:PutBucketPolicy, s3:PutLifecycleConfiguration | arn:aws:s3:::remotionlambda-* | Allows creating and deleting buckets and objects in your account, making objects public, and setting bucket policy, ownership controls, public access block and lifecycle configuration. Only buckets whose names start with remotionlambda- are affected. |
| s3:ListAllMyBuckets | * | Allows listing the names of all buckets in your account, in order to detect an already existing Remotion bucket. |
| lambda:GetLayerVersion | arn:aws:lambda:*:678892195805:layer:remotion-binaries-*, arn:aws:lambda:*:580247275435:layer:LambdaInsightsExtension* | Allows reading the Chromium and FFmpeg binaries, plus the Lambda Insights extension layer. The binaries are hosted in an account operated by Remotion specifically dedicated to hosting those layers in all supported regions. |
| lambda:ListFunctions, lambda:GetFunction | * | Allows reading the functions in your AWS account in order to find the correct function to invoke. The loose * scope is needed because lambda:ListFunctions does not support resource-level permissions. |
| lambda:InvokeAsync, lambda:InvokeFunction, lambda:DeleteFunction, lambda:PutFunctionEventInvokeConfig, lambda:CreateFunction, lambda:PutRuntimeManagementConfig, lambda:TagResource | arn:aws:lambda:*:*:function:remotion-render-* | Allows creating, deleting, invoking and configuring functions (such as disabling automatic retries). Used by the CLI and the Node.js APIs to set up, execute and tear down the infrastructure. |
| logs:CreateLogGroup, logs:PutRetentionPolicy | arn:aws:logs:*:*:log-group:/aws/lambda/remotion-render-* | Allows creating the CloudWatch log group and setting its retention, so logs can be saved there later. Simplifies debugging. |
| servicequotas:GetServiceQuota, servicequotas:GetAWSDefaultServiceQuota, servicequotas:RequestServiceQuotaIncrease, servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota | * | Powers quota handling (the HandleQuotas statement): reading the current and default quotas and requesting and tracking quota increases. |
Role policies
| Permission | Scope | Reason |
|---|---|---|
| s3:ListAllMyBuckets | * | Get a list of buckets in order to find existing buckets that start with remotionlambda-. |
| s3:CreateBucket, s3:ListBucket, s3:PutBucketAcl, s3:GetObject, s3:DeleteObject, s3:PutObjectAcl, s3:PutObject, s3:GetBucketLocation | arn:aws:s3:::remotionlambda-* | Create buckets, read, write and delete objects, make them public or private and fetch the bucket location. Since Remotion stores the videos in an S3 bucket, the function needs basic CRUD capabilities over those buckets. The permission only applies to buckets that start with remotionlambda-. |
| lambda:InvokeFunction | arn:aws:lambda:*:*:function:remotion-render-* | Allow the function to recursively invoke itself. A render involves multiple function calls, which are orchestrated by the first function call. |
| logs:CreateLogGroup | arn:aws:logs:*:*:log-group:/aws/lambda-insights | Allows creating the Lambda Insights log group. |
| logs:CreateLogStream, logs:PutLogEvents | arn:aws:logs:*:*:log-group:/aws/lambda/remotion-render-*, arn:aws:logs:*:*:log-group:/aws/lambda-insights:* | Allows writing the function's logs and Lambda Insights data to CloudWatch for easier debugging. |
See also