无服务器 s3 访问被拒绝
serverless s3 AccessDenied
我在这个问题上花了好几个小时,却不明白为什么 Access Denied
这里是我对应的部分serverless.yml
provider:
name: aws
runtime: nodejs12.x
region: eu-central-1
environment:
STAGE: ${opt:stage, self:provider.stage}
iamRoleStatements:
- Effect: Allow
Action:
- s3:GetObject
- s3:PutObject
Resource:
- arn:aws:s3:::<bucket-1>/*
- arn:aws:s3:::<bucket-2>/*
- Effect: Allow
Action:
- s3:ListBucket
Resource:
- arn:aws:s3:::<bucket-1>
- arn:aws:s3:::<bucket-2>
然后运行
return s3DataProvider.upload({
Bucket: store.bucket,
ACL: 'public-read',
Body: sm.toString(),
Key: `front/${process.env.STAGE}/sitemap.xml`,
ContentType: 'text/xml'
}).promise()
其中 store.bucket 是 <bucket-1> 或 <bucket-2>
我一直都有
ERROR AccessDenied: Access Denied
at Request.extractError (/var/task/node_modules/aws-sdk/lib/services/s3.js:837:35)
at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
at Request.emit (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
at Request.emit (/var/task/node_modules/aws-sdk/lib/request.js:688:14)
at Request.transition (/var/task/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/var/task/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /var/task/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:690:12)
at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:116:18) {
code: 'AccessDenied',
region: null,
time: 2021-01-25T21:48:47.259Z,
requestId: '546A64CC9D503FA8',
extendedRequestId: 'hoRF0wDih8jRimR7Ew0ajMhgf4qQ88DCXjWM6bdd1CUsP+9OdpNkiXwZz1UFAK+s7L/clFH4U2c=',
cfId: undefined,
statusCode: 403,
retryable: false,
retryDelay: 24.899574651815936
}
我不是 100% 确定,但我想您的设置 public-read 对象中缺少 s3:PutObjectAcl。
编辑:可能是安全的,也授予s3:GetObjectAcl。可以在这里找到很多讨论和类似问题:Getting Access Denied when calling the PutObject operation with bucket-level permission
我在这个问题上花了好几个小时,却不明白为什么 Access Denied
这里是我对应的部分serverless.yml
provider:
name: aws
runtime: nodejs12.x
region: eu-central-1
environment:
STAGE: ${opt:stage, self:provider.stage}
iamRoleStatements:
- Effect: Allow
Action:
- s3:GetObject
- s3:PutObject
Resource:
- arn:aws:s3:::<bucket-1>/*
- arn:aws:s3:::<bucket-2>/*
- Effect: Allow
Action:
- s3:ListBucket
Resource:
- arn:aws:s3:::<bucket-1>
- arn:aws:s3:::<bucket-2>
然后运行
return s3DataProvider.upload({
Bucket: store.bucket,
ACL: 'public-read',
Body: sm.toString(),
Key: `front/${process.env.STAGE}/sitemap.xml`,
ContentType: 'text/xml'
}).promise()
其中 store.bucket 是 <bucket-1> 或 <bucket-2>
我一直都有
ERROR AccessDenied: Access Denied
at Request.extractError (/var/task/node_modules/aws-sdk/lib/services/s3.js:837:35)
at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
at Request.emit (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
at Request.emit (/var/task/node_modules/aws-sdk/lib/request.js:688:14)
at Request.transition (/var/task/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/var/task/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /var/task/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:690:12)
at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:116:18) {
code: 'AccessDenied',
region: null,
time: 2021-01-25T21:48:47.259Z,
requestId: '546A64CC9D503FA8',
extendedRequestId: 'hoRF0wDih8jRimR7Ew0ajMhgf4qQ88DCXjWM6bdd1CUsP+9OdpNkiXwZz1UFAK+s7L/clFH4U2c=',
cfId: undefined,
statusCode: 403,
retryable: false,
retryDelay: 24.899574651815936
}
我不是 100% 确定,但我想您的设置 public-read 对象中缺少 s3:PutObjectAcl。
编辑:可能是安全的,也授予s3:GetObjectAcl。可以在这里找到很多讨论和类似问题:Getting Access Denied when calling the PutObject operation with bucket-level permission