Lambda permissions
Describes the IAM user permissions and role permissions Remotion Lambda needs, with the complete JSON policies and how to validate them.
Overview
This page lists the permissions Remotion Lambda requires and explains what each one is for. Remotion Lambda needs two kinds of policy: a user policy and a role policy.
User policy
The user policy is attached to the IAM user in your AWS account that you use to call the Remotion Lambda APIs. Use a dedicated IAM user for this rather than an account-wide administrator: every statement below is scoped to the remotionlambda-* buckets, the remotion-render-* functions and the single remotion-lambda-role role, and that scoping is only worth anything if the user has no broader permissions attached elsewhere. Run the following command in a terminal to print the latest policy JSON:
npx remotion lambda policies user
Below is the full user policy JSON (for the current version of Remotion Lambda):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "HandleQuotas",
"Effect": "Allow",
"Action": [
"servicequotas:GetServiceQuota",
"servicequotas:GetAWSDefaultServiceQuota",
"servicequotas:RequestServiceQuotaIncrease",
"servicequotas:ListRequestedServiceQuotaChangesByService"
],
"Resource": ["*"]
},
{
"Sid": "PermissionValidation",
"Effect": "Allow",
"Action": ["iam:SimulatePrincipalPolicy"],
"Resource": ["*"]
},
{
"Sid": "LambdaInvokation",
"Effect": "Allow",
"Action": ["iam:PassRole"],
"Resource": [
"arn:aws:iam::*:role/remotion-lambda-role"
]
},
{
"Sid": "Storage",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:DeleteObject",
"s3:PutObjectAcl",
"s3:PutObject",
"s3:CreateBucket",
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:PutBucketAcl",
"s3:DeleteBucket",
"s3:PutLifecycleConfiguration",
"s3:PutBucketOwnershipControls",
"s3:PutBucketPublicAccessBlock"
],
"Resource": ["arn:aws:s3:::remotionlambda-*"]
},
{
"Sid": "BucketListing",
"Effect": "Allow",
"Action": ["s3:ListAllMyBuckets"],
"Resource": ["*"]
},
{
"Sid": "FunctionListing",
"Effect": "Allow",
"Action": [
"lambda:ListFunctions",
"lambda:GetFunction"
],
"Resource": ["*"]
},
{
"Sid": "FunctionManagement",
"Effect": "Allow",
"Action": [
"lambda:InvokeAsync",
"lambda:InvokeFunction",
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:PutFunctionEventInvokeConfig",
"lambda:PutRuntimeManagementConfig",
"lambda:TagResource"
],
"Resource": [
"arn:aws:lambda:*:*:function:remotion-render-*"
]
},
{
"Sid": "LogsRetention",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:PutRetentionPolicy"
],
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/lambda/remotion-render-*"
]
},
{
"Sid": "FetchBinaries",
"Effect": "Allow",
"Action": ["lambda:GetLayerVersion"],
"Resource": [
"arn:aws:lambda:*:678892195805:layer:remotion-binaries-*",
"arn:aws:lambda:*:580247275435:layer:LambdaInsightsExtension*"
]
}
]
}
Role policy
The role policy is attached to the role named remotion-lambda-role in your AWS account. These are the permissions the Lambda function itself runs with, so they are deliberately narrower than the user policy: the function can only read and write remotionlambda-* buckets, invoke other remotion-render-* functions (for the render fan-out) and write its own logs. As with any Lambda execution role, the role also needs a trust policy that allows lambda.amazonaws.com to assume it; without that, the function cannot be created with this role.
In the AWS console go to IAM → Roles → remotion-lambda-role → Permissions tab → Add inline policy, and paste in the policy JSON below. You can print the latest version with:
npx remotion lambda policies role
Full role policy JSON:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "0",
"Effect": "Allow",
"Action": ["s3:ListAllMyBuckets"],
"Resource": ["*"]
},
{
"Sid": "1",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:ListBucket",
"s3:PutBucketAcl",
"s3:GetObject",
"s3:DeleteObject",
"s3:PutObjectAcl",
"s3:PutObject",
"s3:GetBucketLocation"
],
"Resource": ["arn:aws:s3:::remotionlambda-*"]
},
{
"Sid": "2",
"Effect": "Allow",
"Action": ["lambda:InvokeFunction"],
"Resource": [
"arn:aws:lambda:*:*:function:remotion-render-*"
]
},
{
"Sid": "3",
"Effect": "Allow",
"Action": ["logs:CreateLogGroup"],
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/lambda-insights"
]
},
{
"Sid": "4",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/lambda/remotion-render-*",
"arn:aws:logs:*:*:log-group:/aws/lambda-insights:*"
]
}
]
}
Validating the permission setup
Once both policies are in place, run the following command to check that the permissions are correct:
npx remotion lambda policies validate
This command uses the AWS Policy Simulator (which is why the user policy grants iam:SimulatePrincipalPolicy in the PermissionValidation statement) to test each permission in the user policy and reports which ones pass and which are missing. It validates the credentials you run it with, so run it as the IAM user that will actually call Remotion Lambda, not as an administrator.
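As an added example that is not part of this page or of Remotion, the following JavaScript is a small offline evaluator for IAM identity-based policies. It covers both the user policy and the role policy sections above: it shows that the Storage, LambdaInvokation and FunctionManagement statements only grant access to remotionlambda-* buckets, remotion-render-* functions and the single remotion-lambda-role ARN, that action names match case-insensitively while ARNs match case-sensitively, and that an explicit Deny overrides a matching Allow. The policy embedded below is an excerpt of the user policy on this page; the account id, region, bucket name and function names in the checks are constructed. The evaluator ignores Condition, NotAction, NotResource, resource-based policies, permission boundaries and SCPs, so it is a quick scoping sanity check and not a replacement for `npx remotion lambda policies validate`, which runs the real AWS simulator.

```javascript
// Added example, not part of Remotion: a minimal offline evaluator for IAM
// identity-based policies. It implements the documented core of IAM's
// evaluation order: an explicit Deny always wins, otherwise any matching
// Allow grants access, otherwise the request is implicitly denied.
// Conditions, NotAction/NotResource, resource policies, permission
// boundaries and SCPs are deliberately not modelled.

// Turn an IAM pattern into a RegExp. IAM wildcards: "*" matches any run of
// characters (including ":" and "/"), "?" matches exactly one character.
// Action names match case-insensitively, resource ARNs case-sensitively.
function iamMatch(pattern, value, ignoreCase) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`, ignoreCase ? "i" : "").test(value);
}

const asList = (v) => (Array.isArray(v) ? v : v === undefined ? [] : [v]);

// Evaluate one (action, resource) request against a policy document.
// Returns "allowed", "explicitDeny" or "implicitDeny".
function evaluate(policy, action, resource) {
  let allowed = false;
  for (const stmt of asList(policy.Statement)) {
    const actionHit = asList(stmt.Action).some((a) => iamMatch(a, action, true));
    const resourceHit = asList(stmt.Resource).some((r) => iamMatch(r, resource, false));
    if (!actionHit || !resourceHit) continue;
    if (stmt.Effect === "Deny") return "explicitDeny";
    if (stmt.Effect === "Allow") allowed = true;
  }
  return allowed ? "allowed" : "implicitDeny";
}

// Excerpt of the user policy shown on this page (the LambdaInvokation,
// Storage and FunctionManagement statements), embedded so the example runs
// offline. Replace it with the full output of `npx remotion lambda policies user`
// (or `... policies role` to check the role policy the same way).
const userPolicyExcerpt = {
  Version: "2012-10-17",
  Statement: [
    {
      Sid: "LambdaInvokation",
      Effect: "Allow",
      Action: ["iam:PassRole"],
      Resource: ["arn:aws:iam::*:role/remotion-lambda-role"],
    },
    {
      Sid: "Storage",
      Effect: "Allow",
      Action: ["s3:GetObject", "s3:PutObject", "s3:CreateBucket", "s3:ListBucket", "s3:DeleteBucket"],
      Resource: ["arn:aws:s3:::remotionlambda-*"],
    },
    {
      Sid: "FunctionManagement",
      Effect: "Allow",
      Action: ["lambda:InvokeFunction", "lambda:CreateFunction", "lambda:DeleteFunction"],
      Resource: ["arn:aws:lambda:*:*:function:remotion-render-*"],
    },
  ],
};

// Constructed requests (account id, region, bucket and function names are
// made up). The first two are what Remotion itself does; the rest are the
// kind of lateral movement a correctly scoped policy must refuse.
const scopeChecks = [
  ["lambda:InvokeFunction", "arn:aws:lambda:us-east-1:123456789012:function:remotion-render-4-0-0-mem2048mb-disk2048mb-120sec", "allowed"],
  ["s3:PutObject", "arn:aws:s3:::remotionlambda-useast1-abcdef1234/renders/out.mp4", "allowed"],
  ["s3:PutObject", "arn:aws:s3:::company-backups/db.sql", "implicitDeny"],
  ["iam:PassRole", "arn:aws:iam::123456789012:role/AdministratorRole", "implicitDeny"],
  ["lambda:DeleteFunction", "arn:aws:lambda:us-east-1:123456789012:function:payments-api", "implicitDeny"],
];

// Run every check and return only the ones whose result differs from the
// expectation; an empty array means the policy is scoped as intended.
function findScopeViolations(policy, checks) {
  return checks
    .map(([action, resource, expected]) => ({ action, resource, expected, actual: evaluate(policy, action, resource) }))
    .filter((r) => r.actual !== r.expected);
}

// Append a guardrail Deny statement (e.g. "never delete buckets") to show
// that an explicit Deny overrides the Allow in the Storage statement.
function withDeny(policy, action, resource) {
  return { ...policy, Statement: [...asList(policy.Statement), { Effect: "Deny", Action: action, Resource: resource }] };
}

console.log(findScopeViolations(userPolicyExcerpt, scopeChecks));
```

To check the role policy the same way, paste the output of `npx remotion lambda policies role` in place of the excerpt and use requests such as `lambda:InvokeFunction` on a remotion-render-* function ARN (which the render fan-out needs) and `s3:PutObject` on a bucket that does not start with remotionlambda- (which must be implicitly denied).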
What the permissions are for
| Category | Purpose |
|---|---|
| S3 permissions | Create the remotionlambda-* buckets, upload render output, read the Serve URL files |
| Lambda permissions | Deploy, invoke and delete the remotion-render-* render functions |
| IAM PassRole | Lets the user pass remotion-lambda-role (and only that role) to the Lambda function when it is created |
| CloudWatch Logs | Create the function log groups, set their retention and write execution logs for debugging |
| Service Quotas | Query the Lambda concurrency quota and request increases to it |
| GetLayerVersion | Fetch the binary layers Remotion provides (Chrome, FFmpeg and so on) and the Lambda Insights extension |