为什么我的无服务器 Lambda 无法访问 S3 存储桶和项目?
Why my Serverless Lambda unable to access S3 bucket and items?
我确定我已将 Lambda 设置为 read/write 可以访问私有存储桶;更具体地说,我的 lambda 将执行 s3.headObject 和 s3.upload。我缺少什么才能让它工作?
我的 Lambda 策略:
{
"Statement": [
{
"Resource": "arn:aws:logs:us-east-1:*:*",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow"
},
{
"Resource": "arn:aws:s3:::PRIVATE_BUCKET/folder_name/*",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow"
}
],
"Version": "2012-10-17"
}
我的 S3 存储桶策略:
{
"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "Bucket that is read-accessible internally",
"Parameters" : {
"Environment" : {
"Description" : "dev",
"Type" : "String",
"Default" : "dev",
"AllowedValues" : [ "dev" ]
}
},
"Resources" : {
"PrivateBucket" : {
"Type" : "AWS::S3::Bucket",
"DeletionPolicy" : "Retain",
},
"PrivateBucketPolicy" : {
"Type" : "AWS::S3::BucketPolicy",
"Properties" : {
"PolicyDocument" : {
"Id" : "Make anonymous read-only access available on certain networks",
"Statement" : [
{
"Sid" : "IPAllow",
"Effect" : "Allow",
"Principal" : {
"AWS" : "*"
},
"Action" : [
"s3:ListBucket",
"s3:GetObject"
],
"Resource" : [
{ "Fn::Join" : [ "", [ "arn:aws:s3:::", { "Ref" : "PrivateBucket" } ] ] },
{ "Fn::Join" : [ "", [ "arn:aws:s3:::", { "Ref" : "PrivateBucket" }, "/*" ] ] }
],
"Condition" : {
"IpAddress" : {
"aws:SourceIp" : [
"ip/cid/r",
"ip/cid/r",
"ip/cid/r",
"ip/cid/r",
"ip/cid/r"
]
}
}
}
]
},
"Bucket" : { "Ref" : "PrivateBucket" }
}
}
}
}
见文档 http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectHEAD.html
If you have the s3:ListBucket permission on the bucket, Amazon S3 will return a HTTP status code 404 ("no such key") error.
If you don’t have the s3:ListBucket permission, Amazon S3 will return a HTTP status code 403 ("access denied") error.
我的代码试图 运行 对一个不存在的项目进行 headobject;所以我得到的错误是“禁止的”,这是正确的,因为我没有 listbucket 对 s3 存储桶和 lambda 的许可...
我确定我已将 Lambda 设置为 read/write 可以访问私有存储桶;更具体地说,我的 lambda 将执行 s3.headObject 和 s3.upload。我缺少什么才能让它工作?
我的 Lambda 策略:
{
"Statement": [
{
"Resource": "arn:aws:logs:us-east-1:*:*",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow"
},
{
"Resource": "arn:aws:s3:::PRIVATE_BUCKET/folder_name/*",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow"
}
],
"Version": "2012-10-17"
}
我的 S3 存储桶策略:
{
"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "Bucket that is read-accessible internally",
"Parameters" : {
"Environment" : {
"Description" : "dev",
"Type" : "String",
"Default" : "dev",
"AllowedValues" : [ "dev" ]
}
},
"Resources" : {
"PrivateBucket" : {
"Type" : "AWS::S3::Bucket",
"DeletionPolicy" : "Retain",
},
"PrivateBucketPolicy" : {
"Type" : "AWS::S3::BucketPolicy",
"Properties" : {
"PolicyDocument" : {
"Id" : "Make anonymous read-only access available on certain networks",
"Statement" : [
{
"Sid" : "IPAllow",
"Effect" : "Allow",
"Principal" : {
"AWS" : "*"
},
"Action" : [
"s3:ListBucket",
"s3:GetObject"
],
"Resource" : [
{ "Fn::Join" : [ "", [ "arn:aws:s3:::", { "Ref" : "PrivateBucket" } ] ] },
{ "Fn::Join" : [ "", [ "arn:aws:s3:::", { "Ref" : "PrivateBucket" }, "/*" ] ] }
],
"Condition" : {
"IpAddress" : {
"aws:SourceIp" : [
"ip/cid/r",
"ip/cid/r",
"ip/cid/r",
"ip/cid/r",
"ip/cid/r"
]
}
}
}
]
},
"Bucket" : { "Ref" : "PrivateBucket" }
}
}
}
}
见文档 http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectHEAD.html
If you have the s3:ListBucket permission on the bucket, Amazon S3 will return a HTTP status code 404 ("no such key") error.
If you don’t have the s3:ListBucket permission, Amazon S3 will return a HTTP status code 403 ("access denied") error.
我的代码试图 运行 对一个不存在的项目进行 headobject;所以我得到的错误是“禁止的”,这是正确的,因为我没有 listbucket 对 s3 存储桶和 lambda 的许可...