Fig*_*Out 12 amazon-s3 amazon-web-services aws-sdk aws-lambda
我对使用AWS策略生成器创建的S3存储桶具有以下策略,以允许以特定角色运行的lambda访问存储桶中的文件.但是,当我执行Lambda时,我获得403权限被拒绝:
"errorMessage": "Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: <requestId>)",
"errorType": "com.amazonaws.services.s3.model.AmazonS3Exception",
S3存储桶的策略:
{
"Version": "2012-10-17",
"Id": "Policy<number>",
"Statement": [
{
"Sid": "Stmt<number>",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account>:role/<roleName>"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::<bucketName>/*"
}
]
}
这个政策有什么问题?Lamba正在使用策略中配置的角色运行.
Joh*_*ein 18
分配给AWS Lambda函数的角色应创建为AWS Lambda角色(在IAM控制台中创建角色时选择).
角色没有Principal,因为权限被分配给使用该角色的任何服务(在本例中,Lambda函数).
此外,您应该为存储桶本身(例如列出内容)和存储桶的内容(例如,GetObject)分配权限.
它会是这样的:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowS3Access",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123XXX:role/service-role/LAMBDA_ROLE_NAME"
},
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
]
}
]
}
在为我循环后,虽然我可以使其工作,但过程是:
IAM政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt*******",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectTagging",
"s3:PutObjectVersionAcl",
"s3:PutObjectVersionTagging"
],
"Resource": [
"arn:aws:s3:::<bucket-name>"
]
}
]
}
我在s3存储桶上使用了此策略
{
"Id": "Policy************",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt********",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectTagging",
"s3:PutObjectVersionAcl",
"s3:PutObjectVersionTagging"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::<bucket-name>/*",
"Principal": {
"AWS": [
"arn:aws:iam::*********:role/<lambda-function-name>"
]
}
}
]
}
| 归档时间: |
|
| 查看次数: |
16680 次 |
| 最近记录: |