无服务器 AWS (Python) 从 S3 读取：访问被拒绝

Question

我的 lambda 函数（FrameWork 无服务器）对 AWS 中的 S3 服务的 getObject 访问有问题。 这是我的代码示例：

import boto3
import csv
def hello(event, context):
    s3 = boto3.resource('s3')
    bucket = s3.Bucket('myBucket')
    obj = bucket.Object(key='MOCK_DATA.csv')
    response = obj.get()
    lines = response['Body'].read().split()
    body = []
    for row in csv.DictReader(lines):
        body.append(row)
    return body

并且在我的 serverless.yml 中，我授予了我的 lambda 对存储桶的完全访问权限

  iamRoleStatements:
   - Effect: "Allow"
     Action:
       - "s3:*"
     Resource:
         - "arn:aws:s3:::myBucket"

但是当我 运行 代码时，我收到错误：

START RequestId: a6c006b7-21e5-11e8-8193-c3378825927 Version: $LATEST
An error occurred (AccessDenied) when calling the GetObject operation: Access Denied: ClientError
Traceback (most recent call last):
  File "/var/task/handler.py", line 5, in hello
    response = obj.get()
  File "/var/runtime/boto3/resources/factory.py", line 520, in do_action
    response = action(self, *args, **kwargs)
  File "/var/runtime/boto3/resources/action.py", line 83, in __call__
    response = getattr(parent.meta.client, operation_name)(**params)
  File "/var/runtime/botocore/client.py", line 317, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/runtime/botocore/client.py", line 615, in _make_api_call
    raise error_class(parsed_response, operation_name)
ClientError: An error occurred (AccessDenied) when calling the GetObject operation: Access Denied

您知道为什么 boto3 不接受 iam 角色的许可吗？ 因为它只有在我用私钥和访问密钥声明 boto3 时才有效：

s3 = boto3.resource('s3',aws_access_key_id='accesskey',aws_secret_access_key='privateKey')

提前致谢

Answer 1

对于 s3:GetObject 这样的操作，资源应该是 arn:aws:s3:::myBucket/*。您缺少结尾的 /*.