Using IAM roles in Lambda
As documented on the Permissions page, the default way of using Remotion Lambda involves creating a Remotion user and assigning it policies.
These policies give Lambda permission to render a video with renderMediaOnLambda(). The credentials involved are long-term, which is less secure, and are disallowed in some companies.
Additionally, there may be a requirement to execute renderMediaOnLambda() from services such as Lambda, EC2 and other compute services, where using long-term credentials is not an option.
AWS offers the concept of IAM Roles as a solution to the problem above. When a role is assigned to an AWS service, AWS grants elevated privileges based on the attached policies, and the role is empowered to execute activities such as putting a file into an S3 bucket.
The role is given temporary AWS credentials, such as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN, to generate the video. This approach improves security: no long-term credentials linger, and there is no need to keep track of their rotation.
The steps below grant the Lambda function the authorization it needs to execute renderMediaOnLambda() without permission issues.
Prerequisites
- A Lambda function deployed on AWS. An example using CDK is available here. It shows how to call renderMediaOnLambda() from within another Lambda function, which is triggered by API Gateway. The example assumes knowledge of CDK; a write-up is also provided.
- An execution role assigned to the Lambda function.
- A user policy containing the necessary user permissions.
Setup
1. Create role policy
- In the AWS Management Console, go to the IAM Policies section
- Click "Create policy"
- Click JSON
- Copy the JSON policy template below (the full role permissions for the latest Remotion Lambda version):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "HandleQuotas",
      "Effect": "Allow",
      "Action": [
        "servicequotas:GetServiceQuota",
        "servicequotas:GetAWSDefaultServiceQuota",
        "servicequotas:RequestServiceQuotaIncrease",
        "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota"
      ],
      "Resource": ["*"]
    },
    {
      "Sid": "PermissionValidation",
      "Effect": "Allow",
      "Action": ["iam:SimulatePrincipalPolicy"],
      "Resource": ["*"]
    },
    {
      "Sid": "LambdaInvokation",
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": ["arn:aws:iam::*:role/remotion-lambda-role"]
    },
    {
      "Sid": "Storage",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:PutObjectAcl",
        "s3:PutObject",
        "s3:CreateBucket",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:PutBucketAcl",
        "s3:DeleteBucket",
        "s3:PutBucketOwnershipControls",
        "s3:PutBucketPublicAccessBlock",
        "s3:PutBucketPolicy",
        "s3:PutLifecycleConfiguration"
      ],
      "Resource": ["arn:aws:s3:::remotionlambda-*"]
    },
    {
      "Sid": "BucketListing",
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets"],
      "Resource": ["*"]
    },
    {
      "Sid": "FunctionListing",
      "Effect": "Allow",
      "Action": ["lambda:ListFunctions", "lambda:GetFunction"],
      "Resource": ["*"]
    },
    {
      "Sid": "FunctionManagement",
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeAsync",
        "lambda:InvokeFunction",
        "lambda:CreateFunction",
        "lambda:DeleteFunction",
        "lambda:PutFunctionEventInvokeConfig",
        "lambda:PutRuntimeManagementConfig",
        "lambda:TagResource"
      ],
      "Resource": ["arn:aws:lambda:*:*:function:remotion-render-*"]
    },
    {
      "Sid": "LogsRetention",
      "Effect": "Allow",
      "Action": ["logs:CreateLogGroup", "logs:PutRetentionPolicy"],
      "Resource": ["arn:aws:logs:*:*:log-group:/aws/lambda/remotion-render-*"]
    },
    {
      "Sid": "FetchBinaries",
      "Effect": "Allow",
      "Action": ["lambda:GetLayerVersion"],
      "Resource": [
        "arn:aws:lambda:*:678892195805:layer:remotion-binaries-*",
        "arn:aws:lambda:*:580247275435:layer:LambdaInsightsExtension*"
      ]
    }
  ]
}

- Click Next. On the tags page you do not need to fill in anything. Click Next again.
- Name the policy remotion-executionrole-policy. The other fields can be left unchanged.
2. Assign the policy to the Lambda execution role
- Go to the AWS Management Console
- Navigate to Lambda (switch to the region where your function is located)
- Select Functions
- Select your Lambda function
- Select the Configuration tab
- Select the Permissions tab
- Click the role listed under Execution role
- After being redirected, click the Permissions tab
- Click Add permissions
- Attach policies
- Find the policy, i.e. remotion-executionrole-policy
- Select the policy
- Click the Attach policies button.
With the policy assigned to the Lambda execution role, the function is now empowered to call the renderMediaOnLambda() API without permission issues.
In the background, when the Lambda function executes, it is provided with environment variables such as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN that carry temporary permission to the AWS resources renderMediaOnLambda() needs to render the video. The elevated privileges come from the policy statements in remotion-executionrole-policy.
The same approach applies to other AWS compute services such as EC2, Fargate, etc.
Render into a different bucket
Optionally, if you want to move the video to another S3 bucket after it is rendered, the Lambda function also needs permission to do so. The process is similar to the previous steps, but you will need to create a new policy statement that defines the bucket Lambda needs to transfer the rendered video to.
Example
Use the outName property to select a different bucket. See: Custom output destination
my-function.ts

import {renderMediaOnLambda} from '@remotion/lambda/client';

const {bucketName, renderId} = await renderMediaOnLambda({
  region: 'us-east-1',
  functionName: 'remotion-render-bds9aab',
  composition: 'MyVideo',
  serveUrl: 'https://remotionlambda-qg35eyp1s1.s3.eu-central-1.amazonaws.com/sites/bf2jrbfkw',
  codec: 'h264',
  outName: {
    key: 'my-output',
    bucketName: 'output-bucket',
  },
});
In the example above, renderMediaOnLambda() is configured to output the rendered video to the transfer-to-this-bucket-after-render bucket. The following steps allow Lambda to move the file to that other bucket.
Steps
- Assign a policy to the Lambda execution role again. Go to the AWS Management Console and do the following:
  - Navigate to Lambda (switch to the region where your function is located)
  - Functions
  - Select your Lambda function
  - Configuration tab
  - Permissions tab
  - Click the role listed under Execution role
  - After being redirected, click the Permissions tab
  - Click Add permissions
  - Click "Create inline policy"
  - Click the "JSON" tab
Add a policy statement similar to the one below, which defines the bucket Lambda needs to transfer the rendered video to.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:PutObject"],
      "Resource": ["arn:aws:s3:::{bucketname}", "arn:aws:s3:::{bucketname}/*"],
      "Effect": "Allow"
    }
  ]
}

- Replace {bucketname} with the name of the bucket you want to move the rendered video to.
- Click Review policy
- Click Save changes
The Lambda function can now move the rendered video to the other bucket once the render process is completed.
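As an added example (not part of the Remotion docs), the following Python checks the two policies on this page offline: it fills the {bucketname} placeholder of the inline-policy template while refusing names that would widen its scope, approximates IAM's Allow evaluation to show that the role policy alone does not cover the output bucket, and lists which role statements are scoped to Resource "*". The ROLE_POLICY excerpt is constructed from two of the statements above; the evaluation is a simplification (no Deny, no conditions).

```python
import fnmatch
import json
import re

# Constructed excerpt of remotion-executionrole-policy (two of its statements).
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Storage", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::remotionlambda-*"]},
    {"Sid": "BucketListing", "Effect": "Allow",
     "Action": ["s3:ListAllMyBuckets"], "Resource": ["*"]},
]}

# The inline-policy template from the page, {bucketname} placeholder included.
TRANSFER_TEMPLATE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Action": ["s3:PutObject"], "Effect": "Allow",
     "Resource": ["arn:aws:s3:::{bucketname}", "arn:aws:s3:::{bucketname}/*"]},
]})

# S3 bucket names: 3-63 lowercase letters, digits, dots or hyphens, starting and
# ending with a letter or digit, no consecutive dots. This also rejects '*' and '?'.
_BUCKET_RE = re.compile(r"^(?!.*\.\.)[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def render_transfer_policy(bucket_name: str) -> dict:
    """Fill {bucketname} in, refusing names that would widen the statement's scope."""
    if not _BUCKET_RE.match(bucket_name):
        raise ValueError(f"invalid S3 bucket name: {bucket_name!r}")
    return json.loads(TRANSFER_TEMPLATE.replace("{bucketname}", bucket_name))

def allows(policy: dict, action: str, resource: str) -> bool:
    """Approximate IAM evaluation for Allow-only policies: permitted when one Allow
    statement's Action and Resource globs (IAM '*' and '?') both match."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
                and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", [])))):
            return True
    return False

def wildcard_resource_sids(policy: dict) -> list:
    """Sids of Allow statements scoped to Resource '*', the ones to re-check in review."""
    return [s.get("Sid", str(i)) for i, s in enumerate(policy["Statement"])
            if s.get("Effect") == "Allow" and "*" in _as_list(s.get("Resource", []))]
```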
See also