iCo*_*unk 7 amazon-s3 amazon-web-services aws-lambda serverless-framework
我确定我已经将我的Lambda设置为具有对私有桶的读/写访问权限; 更具体地说,我的lambda将执行s3.headObject和s3.upload.为了让这个工作,我错过了什么?
我的Lambda的政策:
{
"Statement": [
{
"Resource": "arn:aws:logs:us-east-1:*:*",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow"
},
{
"Resource": "arn:aws:s3:::PRIVATE_BUCKET/folder_name/*",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow"
}
],
"Version": "2012-10-17"
}
我的S3存储策略:
{
"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "Bucket that is read-accessible internally",
"Parameters" : {
"Environment" : {
"Description" : "dev",
"Type" : "String",
"Default" : "dev",
"AllowedValues" : [ "dev" ]
}
},
"Resources" : {
"PrivateBucket" : {
"Type" : "AWS::S3::Bucket",
"DeletionPolicy" : "Retain",
},
"PrivateBucketPolicy" : {
"Type" : "AWS::S3::BucketPolicy",
"Properties" : {
"PolicyDocument" : {
"Id" : "Make anonymous read-only access available on certain networks",
"Statement" : [
{
"Sid" : "IPAllow",
"Effect" : "Allow",
"Principal" : {
"AWS" : "*"
},
"Action" : [
"s3:ListBucket",
"s3:GetObject"
],
"Resource" : [
{ "Fn::Join" : [ "", [ "arn:aws:s3:::", { "Ref" : "PrivateBucket" } ] ] },
{ "Fn::Join" : [ "", [ "arn:aws:s3:::", { "Ref" : "PrivateBucket" }, "/*" ] ] }
],
"Condition" : {
"IpAddress" : {
"aws:SourceIp" : [
"ip/cid/r",
"ip/cid/r",
"ip/cid/r",
"ip/cid/r",
"ip/cid/r"
]
}
}
}
]
},
"Bucket" : { "Ref" : "PrivateBucket" }
}
}
}
}
请参阅doc http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectHEAD.html
如果您对存储桶具有s3:ListBucket权限,则Amazon S3将返回HTTP状态代码404("无此键")错误.
如果您没有s3:ListBucket权限,Amazon S3将返回HTTP状态代码403("访问被拒绝")错误.
我的代码试图在一个不存在的项目上运行headobject; 所以我得到的错误是"禁止",这是正确的,因为我没有sb桶和lambda的listbucket权限......
| 归档时间: |
|
| 查看次数: |
4345 次 |
| 最近记录: |