配置 AWS Lambda 以访问 S3 存储桶
Configuring AWS Lambda to access S3 Bucket
我无法弄清楚我在 AWS 中的 存储桶策略 有什么问题。尝试让 Lambda 函数访问和阅读来自 S3 存储桶的电子邮件。但我一直收到 "Access Denied"
请注意,我注意到电子邮件文件正在存储桶中创建。这是 存储桶策略 的最新版本:
{
"Version": "2012-10-17",
"Id": "Lambda access bucket policy",
"Statement": [
{
"Sid": "All on objects in bucket lambda",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[MY NUMBER]:root"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::[MY BUCKET NAME]/*"
}
]
}
我也试过 "Principal": {"Service": "ses.amazonaws.com"}, 唉
我不断收到 访问被拒绝:
2017-09-17T14:12:14.231Z 10664101-9bb2-11e7-ad43-539f3e1a8626
{
"errorMessage": "Access Denied",
"errorType": "AccessDenied",
"stackTrace": [
"Request.extractError (/var/runtime/node_modules/aws-sdk/lib/services/s3.js:577:35)",
"Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:105:20)",
"Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:77:10)",
"Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:683:14)",
"Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)",
"AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)",
"/var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10",
"Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)",
"Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:685:12)",
"Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:115:18)"
]
}
这是我的 Lambda 函数:
var AWS = require('aws-sdk');
var s3 = new AWS.S3();
var bucketName = '[MY BUCKET NAME]';
exports.handler = function(event, context, callback) {
console.log('Process email');
var sesNotification = event.Records[0].ses;
if(!sesNotification) {
callback(null, null);
return;
}
console.log("SES Notification:\n", JSON.stringify(sesNotification, null, 2));
// Retrieve the email from your bucket
s3.getObject({
Bucket: bucketName,
Key: sesNotification.mail.messageId
}, function(err, data) {
if (err) {
console.log(err, err.stack);
callback(err);
} else {
console.log("Raw email:\n" + data.Body);
// Custom email processing goes here
callback(null, null);
}
});
};
经过长时间和多个版本的 存储桶策略 我正在考虑尝试另一种解决方案并放弃 AWS。
有什么想法吗?
您需要创建一个 IAM 角色并将其附加到具有 S3FullAccess 策略或对特定存储桶和操作具有细粒度权限的 Lambda 函数(推荐)。
还要确保将信任关系配置添加到角色。
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com"
]
}
}
]
}
注意:在您当前的设置中,您似乎已经配置了向 root 用户授予读取访问权限的存储桶策略。
我无法弄清楚我在 AWS 中的 存储桶策略 有什么问题。尝试让 Lambda 函数访问和阅读来自 S3 存储桶的电子邮件。但我一直收到 "Access Denied"
请注意,我注意到电子邮件文件正在存储桶中创建。这是 存储桶策略 的最新版本:
{
"Version": "2012-10-17",
"Id": "Lambda access bucket policy",
"Statement": [
{
"Sid": "All on objects in bucket lambda",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[MY NUMBER]:root"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::[MY BUCKET NAME]/*"
}
]
}
我也试过 "Principal": {"Service": "ses.amazonaws.com"}, 唉
我不断收到 访问被拒绝:
2017-09-17T14:12:14.231Z 10664101-9bb2-11e7-ad43-539f3e1a8626
{
"errorMessage": "Access Denied",
"errorType": "AccessDenied",
"stackTrace": [
"Request.extractError (/var/runtime/node_modules/aws-sdk/lib/services/s3.js:577:35)",
"Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:105:20)",
"Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:77:10)",
"Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:683:14)",
"Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)",
"AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)",
"/var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10",
"Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)",
"Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:685:12)",
"Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:115:18)"
]
}
这是我的 Lambda 函数:
var AWS = require('aws-sdk');
var s3 = new AWS.S3();
var bucketName = '[MY BUCKET NAME]';
exports.handler = function(event, context, callback) {
console.log('Process email');
var sesNotification = event.Records[0].ses;
if(!sesNotification) {
callback(null, null);
return;
}
console.log("SES Notification:\n", JSON.stringify(sesNotification, null, 2));
// Retrieve the email from your bucket
s3.getObject({
Bucket: bucketName,
Key: sesNotification.mail.messageId
}, function(err, data) {
if (err) {
console.log(err, err.stack);
callback(err);
} else {
console.log("Raw email:\n" + data.Body);
// Custom email processing goes here
callback(null, null);
}
});
};
经过长时间和多个版本的 存储桶策略 我正在考虑尝试另一种解决方案并放弃 AWS。
有什么想法吗?
您需要创建一个 IAM 角色并将其附加到具有 S3FullAccess 策略或对特定存储桶和操作具有细粒度权限的 Lambda 函数(推荐)。
还要确保将信任关系配置添加到角色。
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com"
]
}
}
]
}
注意:在您当前的设置中,您似乎已经配置了向 root 用户授予读取访问权限的存储桶策略。