为什么我的 lambda 函数在尝试访问 S3 存储桶时会被拒绝访问？

Question

为什么我的 lambda 函数在尝试访问 S3 存储桶时会被拒绝访问？

glu*_*utz 5 amazon-s3 amazon-web-services aws-lambda

Lambda 执行角色对 51 个函数具有 s3 访问权限，包括 ListBuckets 和所有其他读取操作。
我的 S3 存储桶有一个允许 lambda 角色访问的策略。（无论如何它都在同一个帐户中，所以我认为这不是必需的）。
我什至只是为了好玩而将存储桶公开访问。

这是 lambda 代码。我不确定为什么bucket.objects.all()无法访问s3。

导入 json 导入 boto3 s3 = boto3.resource('s3')

def lambda_handler(事件, 上下文): 打印(事件)

message = 'Hello {}!'.format(event['Records'][0]['s3']['bucket']['name'])  
print(message)
bucket = s3.Bucket('my-bucketname-demo')
# this works
print(bucket.creation_date)

# this fails on access denied
# Iterates through all the objects, doing the pagination for you. Each obj
# is an ObjectSummary, so it doesn't contain the body. You'll need to call
# get to get the whole body.
for obj in bucket.objects.all():
    key = obj.key
    body = obj.get()['Body'].read()
    print(key)
    print(body)
    
return {
    'statusCode': 200,
    'body': json.dumps('Hello from Lambda!')
}

Run Code Online (Sandbox Code Playgroud)

这是错误：[ERROR] ClientError：调用 ListObjects 操作时发生错误（AccessDenied）：访问被拒绝

Lambda 执行角色策略

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetLifecycleConfiguration",
                "s3:GetBucketTagging",
                "s3:GetInventoryConfiguration",
                "s3:GetObjectVersionTagging",
                "s3:ListBucketVersions",
                "s3:GetBucketLogging",
                "s3:ListBucket",
                "s3:GetAccelerateConfiguration",
                "s3:GetBucketPolicy",
                "s3:GetStorageLensConfigurationTagging",
                "s3:GetObjectVersionTorrent",
                "s3:GetObjectAcl",
                "s3:GetEncryptionConfiguration",
                "s3:GetBucketObjectLockConfiguration",
                "s3:GetIntelligentTieringConfiguration",
                "s3:GetBucketRequestPayment",
                "s3:GetAccessPointPolicyStatus",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectTagging",
                "s3:GetMetricsConfiguration",
                "s3:GetBucketOwnershipControls",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketPolicyStatus",
                "s3:ListBucketMultipartUploads",
                "s3:GetObjectRetention",
                "s3:GetBucketWebsite",
                "s3:GetJobTagging",
                "s3:GetBucketVersioning",
                "s3:GetBucketAcl",
                "s3:GetObjectLegalHold",
                "s3:GetBucketNotification",
                "s3:GetReplicationConfiguration",
                "s3:ListMultipartUploadParts",
                "s3:GetObject",
                "s3:GetStorageLensConfiguration",
                "s3:GetObjectTorrent",
                "s3:DescribeJob",
                "s3:GetBucketCORS",
                "s3:GetAnalyticsConfiguration",
                "s3:GetObjectVersionForReplication",
                "s3:GetBucketLocation",
                "s3:GetAccessPointPolicy",
                "s3:GetObjectVersion",
                "s3:GetStorageLensDashboard"
            ],
            "Resource": "arn:aws:s3:::my-bucket-demo/*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:ListStorageLensConfigurations",
                "s3:GetAccessPoint",
                "s3:GetAccountPublicAccessBlock",
                "s3:ListAllMyBuckets",
                "s3:ListAccessPoints",
                "s3:ListJobs",
                "s3:ListObjects"
            ],
            "Resource": "*"
        }
    ]
}

Run Code Online (Sandbox Code Playgroud)

Answer 1

Mar*_*cin 8

您当前的资源仅arn:aws:s3:::my-bucket-demo/*代表. 随后，任何与存储桶相关的操作（例如）都不适用。您应该将存储桶资源“arn:aws:s3:::my-bucket-demo”添加到您的策略中：my-bucket-demoListBucket

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "s3:GetLifecycleConfiguration", "s3:GetBucketTagging", "s3:GetInventoryConfiguration", "s3:GetObjectVersionTagging", "s3:ListBucketVersions", "s3:GetBucketLogging", "s3:ListBucket", "s3:GetAccelerateConfiguration", "s3:GetBucketPolicy", "s3:GetStorageLensConfigurationTagging", "s3:GetObjectVersionTorrent", "s3:GetObjectAcl", "s3:GetEncryptionConfiguration", "s3:GetBucketObjectLockConfiguration", "s3:GetIntelligentTieringConfiguration", "s3:GetBucketRequestPayment", "s3:GetAccessPointPolicyStatus", "s3:GetObjectVersionAcl", "s3:GetObjectTagging", "s3:GetMetricsConfiguration", "s3:GetBucketOwnershipControls", "s3:GetBucketPublicAccessBlock", "s3:GetBucketPolicyStatus", "s3:ListBucketMultipartUploads", "s3:GetObjectRetention", "s3:GetBucketWebsite", "s3:GetJobTagging", "s3:GetBucketVersioning", "s3:GetBucketAcl", "s3:GetObjectLegalHold", "s3:GetBucketNotification", "s3:GetReplicationConfiguration", "s3:ListMultipartUploadParts", "s3:GetObject", "s3:GetStorageLensConfiguration", "s3:GetObjectTorrent", "s3:DescribeJob", "s3:GetBucketCORS", "s3:GetAnalyticsConfiguration", "s3:GetObjectVersionForReplication", "s3:GetBucketLocation", "s3:GetAccessPointPolicy", "s3:GetObjectVersion", "s3:GetStorageLensDashboard" ], "Resource": ["arn:aws:s3:::my-bucket-demo", "arn:aws:s3:::my-bucket-demo/*"] }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "s3:ListStorageLensConfigurations", "s3:GetAccessPoint", "s3:GetAccountPublicAccessBlock", "s3:ListAllMyBuckets", "s3:ListAccessPoints", "s3:ListJobs", "s3:ListObjects" ], "Resource": "*" } ] }
Run Code Online (Sandbox Code Playgroud)

归档时间：	4 年，9 月前
查看次数：	9714 次
最近记录：	4 年，4 月前