Gra*_*r98 3 amazon-s3 amazon-web-services amazon-cloudfront aws-lambda
I have an S3 bucket that serves as the origin for CloudFront. The bucket has all public access blocked. I created a Lambda function to download, process and upload S3 objects. I created a role for the Lambda and attached a non-public policy, according to what Amazon defines as "public" for a resource. This is the policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3LambdaAccessObject",
      "Effect": "Allow",
      "Action": "s3:*Object",
      "Resource": "arn:aws:s3:::XXXXXXXXXXXXX-dev-videos-origin/*",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:lambda:us-east-1:XXXXXXXXXXXXX:function:YYYYYYYYYYYY_conversor"
        }
      }
    },
    {
      "Sid": "S3LambdaListBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::XXXXXXXXXXXXX-dev-videos-origin",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:lambda:us-east-1:XXXXXXXXXXXXX:function:YYYYYYYYYYY_conversor"
        }
      }
    }
  ]
}
But when I try to download a file through the SDK and upload it to S3, I get an Access Denied error. I have even added the Lambda to the S3 bucket policy, but still with no result:
{
  "Version": "2012-10-17",
  "Id": "aws_iam_policy_document_origin",
  "Statement": [
    {
      "Sid": "S3GetObjectForCloudFront",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::XXXXXXXXXXX-origin/*"
    },
    {
      "Sid": "S3ListBucketForCloudFront",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::XXXXXXXXXXX-origin"
    },
    {
      "Sid": "S3PutObjectForCloudFront",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"
      },
      "Action": [
        "s3:PutObjectVersionAcl",
        "s3:PutObjectAcl",
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::XXXXXXXXXXX-origin/private/*"
    },
    {
      "Sid": "S3LambdaAccessObject",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:*Object",
      "Resource": "arn:aws:s3:::XXXXXXXXXXX-origin/*",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:lambda:us-east-1:YYYYYYYYYYY:function:XXXXXXXXXXX"
        }
      }
    },
    {
      "Sid": "S3LambdaListBucket",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::XXXXXXXXXXX-origin",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:lambda:us-east-1:YYYYYYYYYYY:function:XXXXXXXXXXX"
        }
      }
    }
  ]
}
If the public access block is removed, the Lambda works fine. What am I doing wrong?
Whitelisting the Lambda function ARN will not work, because the Lambda function connects using its Lambda role to perform any of these interactions.
Instead, you need to whitelist the IAM role that your Lambda is attached to. This is done by using a Principal with the IAM role's ARN.
You still need to make sure the IAM role contains the additional permissions required to access S3.
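The following is an added example, not code from the answer above or from AWS: a small, deliberately simplified model of how a bucket policy is evaluated, used to show why the asker's `Principal: "*"` plus `aws:SourceArn` statements never match a call made with the Lambda role's credentials, and what the statements look like once the role ARN is the principal. All ARNs are placeholders I constructed, and `policy_allows` models only Allow statements with equality conditions (no explicit Deny, NotAction, Block Public Access evaluation or STS assumed-role ARN matching). The real policy document should still be checked with the IAM policy simulator.

```python
import copy
import fnmatch

# Constructed placeholders; not the account, bucket or function from the question.
BUCKET_ARN = "arn:aws:s3:::EXAMPLE-dev-videos-origin"
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:EXAMPLE_conversor"
ROLE_ARN = "arn:aws:iam::111122223333:role/EXAMPLE-conversor-role"

# The two Lambda statements from the asker's bucket policy, with placeholder ARNs.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3LambdaAccessObject",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:*Object",
            "Resource": BUCKET_ARN + "/*",
            "Condition": {"ArnEquals": {"aws:SourceArn": FUNCTION_ARN}},
        },
        {
            "Sid": "S3LambdaListBucket",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:ListBucket",
            "Resource": BUCKET_ARN,
            "Condition": {"ArnEquals": {"aws:SourceArn": FUNCTION_ARN}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    # Bucket-policy Principal is "*" or {"AWS": "*" | arn | [arns]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        allowed = _as_list(principal.get("AWS", []))
        return "*" in allowed or caller_arn in allowed
    return False


def _condition_matches(condition, context):
    # Equality operators only (ArnEquals / StringEquals). A key that is absent
    # from the request context can never satisfy them, and aws:SourceArn is not
    # populated on a plain SDK call made with the role's credentials.
    for pairs in (condition or {}).values():
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def policy_allows(policy, caller_arn, action, resource, context=None):
    """True if any Allow statement matches the request (simplified model)."""
    context = context or {}
    for stmt in policy["Statement"]:
        if (stmt.get("Effect") == "Allow"
                and _principal_matches(stmt.get("Principal"), caller_arn)
                and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
                and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
                and _condition_matches(stmt.get("Condition"), context)):
            return True
    return False


def lambda_source_arn_statements(policy):
    """Sids of statements that gate access on aws:SourceArn naming a Lambda function."""
    hits = []
    for stmt in policy["Statement"]:
        arns = [v for pairs in stmt.get("Condition", {}).values()
                for v in _as_list(pairs.get("aws:SourceArn", []))]
        if any(a.startswith("arn:aws:lambda:") for a in arns):
            hits.append(stmt.get("Sid"))
    return hits


def rewrite_for_role(policy, role_arn):
    """Return a copy that grants the execution role directly, as the answer suggests."""
    fixed = copy.deepcopy(policy)
    flagged = set(lambda_source_arn_statements(policy))
    for stmt in fixed["Statement"]:
        if stmt.get("Sid") not in flagged:
            continue
        cond = stmt.get("Condition", {})
        for pairs in cond.values():
            pairs.pop("aws:SourceArn", None)      # drop only the ineffective key
        stmt["Condition"] = {op: p for op, p in cond.items() if p}
        if not stmt["Condition"]:
            del stmt["Condition"]
        if "Principal" in stmt:                  # bucket policy: name the role
            stmt["Principal"] = {"AWS": role_arn}
    return fixed


if __name__ == "__main__":
    obj = BUCKET_ARN + "/private/clip.mp4"
    print("flagged:", lambda_source_arn_statements(ORIGINAL_POLICY))
    print("original, call from role:", policy_allows(ORIGINAL_POLICY, ROLE_ARN, "s3:GetObject", obj))
    fixed = rewrite_for_role(ORIGINAL_POLICY, ROLE_ARN)
    print("fixed, call from role:", policy_allows(fixed, ROLE_ARN, "s3:GetObject", obj))
    print("fixed, call from another role:",
          policy_allows(fixed, "arn:aws:iam::111122223333:role/other", "s3:GetObject", obj))
```

`lambda_source_arn_statements` flags the same pattern in the role's identity policy (the first document in the question), where the condition is equally ineffective; `rewrite_for_role` simply strips the key there, since identity policies carry no `Principal`. The role still needs its own Allow for the bucket, as the answer notes, because S3 checks both the bucket policy and the caller's identity policy.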
Views: 313