S3 Policy Issue when uploading via Lambda
I am using AWS Lambda to upload a file to S3, using the commands
s3 = boto3.resource('s3')
s3.meta.client.upload_file("/tmp/" + fileName, [BUCKET NAME], fileName)
and the Lambda policy is defined as
{
    "Action": [
        "s3:PutObject"
    ],
    "Resource": "arn:aws:s3:::[BUCKET NAME]",
    "Effect": "Allow"
},
But when I run the function, it gives the error
(<class 'boto3.exceptions.S3UploadFailedError'>,
S3UploadFailedError('Failed to upload /tmp/[FILE NAME] to [BUCKET
NAME]/[FILE NAME]: An error occurred (AccessDenied) when calling the
PutObject operation: Access Denied',), <traceback object at
0x7f61e9d2ec48>)
Have you established a trust relationship with lambda.amazonaws.com for that role?
Also, your policy should look like the following:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "statement1",
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": "arn:aws:s3:::[BUCKET NAME]/*"
        }
    ]
}
I see that /* is missing at the end of the bucket name.
Reference documentation: http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
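You seem to be missing "/*" in the resource of the policy. For object-level operations, the resource should be "arn:aws:s3:::examplebucket/*".
Also make sure there is no bucket policy denying access.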
More information:
You also need to allow the ListBucket policy to be able to put objects into S3 programmatically.
So, your policy will be:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::BUCKET_NAME"]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": ["arn:aws:s3:::BUCKET_NAME/*"]
        }
    ]
}
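An added example, not part of the original question or answers: an offline check that flags the mismatch discussed above, where an object-level action such as s3:PutObject is granted on a bucket ARN with no /* key part (and the reverse case for bucket-level actions). The function names, the two small action sets and the sample policies are assumptions constructed for illustration.

```python
S3_PREFIX = "arn:aws:s3:::"
# Assumed, deliberately small action sets for illustration (not a full S3 list).
OBJECT_ACTIONS = {"s3:putobject", "s3:getobject", "s3:deleteobject"}
BUCKET_ACTIONS = {"s3:listbucket", "s3:getbucketlocation"}


def as_list(value):
    """IAM accepts a single value or a list for Action, Resource and Statement."""
    return list(value) if isinstance(value, list) else [value]


def find_mismatches(policy):
    """Return (statement index, action, resource) triples for Allow grants whose
    resource ARN shape can never match the action's resource type.
    Wildcard actions such as s3:* are not expanded."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            for arn in as_list(stmt.get("Resource", [])):
                if not arn.startswith(S3_PREFIX):
                    continue  # "*" or a non-S3 ARN: out of scope for this check
                rest = arn[len(S3_PREFIX):]
                has_key = "/" in rest
                name = action.lower()  # IAM action names are case-insensitive
                # Object-level action on a bucket ARN. A "*" in the bucket part
                # can still match "bucket/key", so those are not flagged.
                if name in OBJECT_ACTIONS and not has_key and "*" not in rest:
                    findings.append((i, action, arn))
                # Bucket-level action on an object ARN: the "/" is literal.
                elif name in BUCKET_ACTIONS and has_key:
                    findings.append((i, action, arn))
    return findings


# Constructed sample policies modelled on the question and the answers.
BROKEN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject"],
     "Resource": "arn:aws:s3:::examplebucket"}]}
FIXED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject"],
     "Resource": "arn:aws:s3:::examplebucket/*"}]}

if __name__ == "__main__":
    print(find_mismatches(BROKEN))  # the question's policy shape is flagged
    print(find_mismatches(FIXED))   # the corrected resource is not
```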