无服务器 s3 上传访问被拒绝
serverless s3 upload access denied
我正在尝试使用无服务器框架将图像上传到 S3 存储桶。当我在部署后调用端点时,代码因访问被拒绝错误而失败。我做错了什么?
使用'serverless logs -f fileDownload'的错误:
ERROR Unhandled Promise Rejection {"errorType":"Runtime.UnhandledPromiseRejection","errorMessage":"AccessDenied: Access Denied","reason":{"errorType":"AccessDenied","errorMessage":"Access Denied","code":"AccessDenied","message":"Access Denied","region":null,"time":"2020-05-08T14:06:11.767Z","requestId":"874D7C86A4C6BE45","extendedRequestId":"r8xyvcrK9su5c+slhX5L/uh4/Y/sdFnUgPcebHpSTNpbnf39EnAZJET750P8t0iXy8UR81SiYZc=","statusCode":403,"retryable":false,"retryDelay":17.606445772028543,"stack":
["AccessDenied: Access Denied"
," at Request.extractError (/var/task/node_modules/aws-sdk/lib/services/s3.js:835:35)"
," at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:106:20)"
," at Request.emit (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:78:10)"
," at Request.emit (/var/task/node_modules/aws-sdk/lib/request.js:683:14)"
," at Request.transition (/var/task/node_modules/aws-sdk/lib/request.js:22:10)"
," at AcceptorStateMachine.runTo (/var/task/node_modules/aws-sdk/lib/state_machine.js:14:12)"
," at /var/task/node_modules/aws-sdk/lib/state_machine.js:26:10"
," at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:38:9)"
," at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:685:12)"
," at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:116:18)"
]}
,"promise":{},"stack":
["Runtime.UnhandledPromiseRejection: AccessDenied: Access Denied"
," at process.<anonymous> (/var/runtime/index.js:35:15)"
," at process.emit (events.js:310:20)"
," at process.EventEmitter.emit (domain.js:482:12)"
," at processPromiseRejections (internal/process/promises.js:209:33)"
," at processTicksAndRejections (internal/process/task_queues.js:98:32)"]}
serverless.yml:
service: serverless-resize-image-s3
custom:
# This line should create the bucket. Strange though that I don't see the bucket when
# I login to the AWS console. Even stranger is that when I tried to create the bucket
# using the console I get an error saying the bucket exists, even though its invisible.
bucket: files
region: us-east-1
default_stage: prod
apigwBinary:
types:
- '*/*'
plugins:
- serverless-apigw-binary
- serverless-apigwy-binary
# Offline is needed to run the thing in a docker container and test using minio
# This is the only part of the code that actually works at the moment.
- serverless-offline
provider:
name: aws
runtime: nodejs12.x
stage: ${opt:stage, self:custom.default_stage}
# I've seen a number of variations on this theme, so far no configuration I've tried
# has resulted in the AccessDenied error disappearing
iamRoleStatements:
- Effect: 'Allow'
Action:
# I don't explicitly list anything but I read somewhere that a 404 can turn into a
# 403 if this right doesn't exist
- 's3:ListBucket'
# Found somebody saying that the arn should not have the '/*' for ListBucket, I guess that
# does make sense
Resource: "arn:aws:s3:::*"
- Effect: 'Allow'
Action:
- 's3:PutObject'
- 's3:GetObject'
# Found somebody saying that a reference to somewhere else in the yml didn't work for him
# And somebody else suggested just replacing the whole thing with a *
Resource: "arn:aws:s3:::*/*"
#Resource: "arn:aws:s3:::files/*"
#Resource: "arn:aws:s3:::${self:custom.bucket}/*"
package:
excludeDevDependencies: true
exclude:
# I thought that excluding aws-sdk would be necessary in order to use the global
# one instead. But even with this line here I still get my AccessDenied errors.
- node_modules/aws-sdk
# If I ignore everything in node_modules I get 'Cannot find module' errors
# But allowing each individual module can take a while. A dir list shows 268
# entries.
# - node_modules/**
# - '!node_modules/serverless-http/**'
# - '!node_modules/express/**'
# - '!node_modules/depd/**'
# - '!node_modules/merge-descriptors/**'
functions:
fileUpload:
handler: upload.app
events:
- http: put /v1/upload
fileDownload:
handler: download.app
events:
# This is the endpoint I'm testing the s3 query with, its simpler than v2.
- http: get /v1/download
- http:
method: get
path: /v2/download
# This is the part I actually want to test, found a post somewhere that said the
# serverless-apigwy-binary plugin will use this to turn my base64 data into binary.
# Hopefully that will allow me to see my image in the browser
contentHandling: CONVERT_TO_BINARY
imageResize:
handler: image.app
events:
- http: get /v1/image
download.js的来源:
'use strict';
const serverless = require('serverless-http');
const express = require('express');
const AWS = require('aws-sdk');
const fs = require('fs');
const app = express();
const s3 = new AWS.S3();
app.get('/v1/download', async (req, res, cb) => {
var fileKey = req.query['id'];
const data = await s3.getObject({ Bucket: 'files', Key: fileKey }).promise();
res.setHeader('Content-Type', 'image/png')
res.end(data.toString('base64'));
});
module.exports.app = serverless(app);
如有任何帮助,我们将不胜感激。似乎我不能 post 这个问题,直到有更多的文本而不仅仅是代码。
上传到bucket,我是这样用的:
iamRoleStatements:
- Effect: Allow
Action:
- s3:PutObject
Resource: "arn:aws:s3:::my-bucket/*"
我看到您使用了两个 - Effect: Allow
,可能是问题所在。尝试只使用一个。或者你可以尝试使用谁先上传的效果,仅供测试:
iamRoleStatements:
- Effect: 'Allow'
Action:
- 's3:PutObject'
- 's3:GetObject'
Resource: "arn:aws:s3:::*/*"
- Effect: 'Allow'
Action:
- 's3:ListBucket'
Resource: "arn:aws:s3:::*"
我假设您的用户权限已启用。如果没有,那是肯定的。在 AWS IAM 上启用权限。
我遇到了类似的问题,结果是我缺少 s3:PutObjectTagging
我的 Lambda 角色的特权。我的 Node.js 应用在上传时添加了标签,下面是我传递给 S3.put()
、
的参数
const uploadParams = {
Bucket: chunk.bucketName,
Key: chunk.filePath,
Tagging: 'created_by=MY-TAG',
Body: passThrough
}
有趣的是,当我 运行 从本地上传的代码正常时,只有当 Node.js 运行 在云环境中时它才会抱怨。有关完整详细信息,请查看我的回复 here.
我正在尝试使用无服务器框架将图像上传到 S3 存储桶。当我在部署后调用端点时,代码因访问被拒绝错误而失败。我做错了什么?
使用'serverless logs -f fileDownload'的错误:
ERROR Unhandled Promise Rejection {"errorType":"Runtime.UnhandledPromiseRejection","errorMessage":"AccessDenied: Access Denied","reason":{"errorType":"AccessDenied","errorMessage":"Access Denied","code":"AccessDenied","message":"Access Denied","region":null,"time":"2020-05-08T14:06:11.767Z","requestId":"874D7C86A4C6BE45","extendedRequestId":"r8xyvcrK9su5c+slhX5L/uh4/Y/sdFnUgPcebHpSTNpbnf39EnAZJET750P8t0iXy8UR81SiYZc=","statusCode":403,"retryable":false,"retryDelay":17.606445772028543,"stack":
["AccessDenied: Access Denied"
," at Request.extractError (/var/task/node_modules/aws-sdk/lib/services/s3.js:835:35)"
," at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:106:20)"
," at Request.emit (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:78:10)"
," at Request.emit (/var/task/node_modules/aws-sdk/lib/request.js:683:14)"
," at Request.transition (/var/task/node_modules/aws-sdk/lib/request.js:22:10)"
," at AcceptorStateMachine.runTo (/var/task/node_modules/aws-sdk/lib/state_machine.js:14:12)"
," at /var/task/node_modules/aws-sdk/lib/state_machine.js:26:10"
," at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:38:9)"
," at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:685:12)"
," at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:116:18)"
]}
,"promise":{},"stack":
["Runtime.UnhandledPromiseRejection: AccessDenied: Access Denied"
," at process.<anonymous> (/var/runtime/index.js:35:15)"
," at process.emit (events.js:310:20)"
," at process.EventEmitter.emit (domain.js:482:12)"
," at processPromiseRejections (internal/process/promises.js:209:33)"
," at processTicksAndRejections (internal/process/task_queues.js:98:32)"]}
serverless.yml:
service: serverless-resize-image-s3
custom:
# This line should create the bucket. Strange though that I don't see the bucket when
# I login to the AWS console. Even stranger is that when I tried to create the bucket
# using the console I get an error saying the bucket exists, even though its invisible.
bucket: files
region: us-east-1
default_stage: prod
apigwBinary:
types:
- '*/*'
plugins:
- serverless-apigw-binary
- serverless-apigwy-binary
# Offline is needed to run the thing in a docker container and test using minio
# This is the only part of the code that actually works at the moment.
- serverless-offline
provider:
name: aws
runtime: nodejs12.x
stage: ${opt:stage, self:custom.default_stage}
# I've seen a number of variations on this theme, so far no configuration I've tried
# has resulted in the AccessDenied error disappearing
iamRoleStatements:
- Effect: 'Allow'
Action:
# I don't explicitly list anything but I read somewhere that a 404 can turn into a
# 403 if this right doesn't exist
- 's3:ListBucket'
# Found somebody saying that the arn should not have the '/*' for ListBucket, I guess that
# does make sense
Resource: "arn:aws:s3:::*"
- Effect: 'Allow'
Action:
- 's3:PutObject'
- 's3:GetObject'
# Found somebody saying that a reference to somewhere else in the yml didn't work for him
# And somebody else suggested just replacing the whole thing with a *
Resource: "arn:aws:s3:::*/*"
#Resource: "arn:aws:s3:::files/*"
#Resource: "arn:aws:s3:::${self:custom.bucket}/*"
package:
excludeDevDependencies: true
exclude:
# I thought that excluding aws-sdk would be necessary in order to use the global
# one instead. But even with this line here I still get my AccessDenied errors.
- node_modules/aws-sdk
# If I ignore everything in node_modules I get 'Cannot find module' errors
# But allowing each individual module can take a while. A dir list shows 268
# entries.
# - node_modules/**
# - '!node_modules/serverless-http/**'
# - '!node_modules/express/**'
# - '!node_modules/depd/**'
# - '!node_modules/merge-descriptors/**'
functions:
fileUpload:
handler: upload.app
events:
- http: put /v1/upload
fileDownload:
handler: download.app
events:
# This is the endpoint I'm testing the s3 query with, its simpler than v2.
- http: get /v1/download
- http:
method: get
path: /v2/download
# This is the part I actually want to test, found a post somewhere that said the
# serverless-apigwy-binary plugin will use this to turn my base64 data into binary.
# Hopefully that will allow me to see my image in the browser
contentHandling: CONVERT_TO_BINARY
imageResize:
handler: image.app
events:
- http: get /v1/image
download.js的来源:
'use strict';
const serverless = require('serverless-http');
const express = require('express');
const AWS = require('aws-sdk');
const fs = require('fs');
const app = express();
const s3 = new AWS.S3();
app.get('/v1/download', async (req, res, cb) => {
var fileKey = req.query['id'];
const data = await s3.getObject({ Bucket: 'files', Key: fileKey }).promise();
res.setHeader('Content-Type', 'image/png')
res.end(data.toString('base64'));
});
module.exports.app = serverless(app);
如有任何帮助,我们将不胜感激。似乎我不能 post 这个问题,直到有更多的文本而不仅仅是代码。
上传到bucket,我是这样用的:
iamRoleStatements:
- Effect: Allow
Action:
- s3:PutObject
Resource: "arn:aws:s3:::my-bucket/*"
我看到您使用了两个 - Effect: Allow
,可能是问题所在。尝试只使用一个。或者你可以尝试使用谁先上传的效果,仅供测试:
iamRoleStatements:
- Effect: 'Allow'
Action:
- 's3:PutObject'
- 's3:GetObject'
Resource: "arn:aws:s3:::*/*"
- Effect: 'Allow'
Action:
- 's3:ListBucket'
Resource: "arn:aws:s3:::*"
我假设您的用户权限已启用。如果没有,那是肯定的。在 AWS IAM 上启用权限。
我遇到了类似的问题,结果是我缺少 s3:PutObjectTagging
我的 Lambda 角色的特权。我的 Node.js 应用在上传时添加了标签,下面是我传递给 S3.put()
、
const uploadParams = {
Bucket: chunk.bucketName,
Key: chunk.filePath,
Tagging: 'created_by=MY-TAG',
Body: passThrough
}
有趣的是,当我 运行 从本地上传的代码正常时,只有当 Node.js 运行 在云环境中时它才会抱怨。有关完整详细信息,请查看我的回复 here.