AWS Lambda s3.putObject 在设置 ACL 字段时抛出拒绝访问
AWS Lambda s3.putObject throws Access Denied when setting ACL field
更新:找到答案,谢谢。
我正在设置一个定期获取一些数据、进行一些处理并将文件保存到 s3 的 lambda。
这是函数:
exports.handler = async function(event, context) {
const data = await fetchXlsx();
const uploaded = s3.putObject({
Bucket: 'my-bucket',
Key: 'current.json',
ACL: 'public-read', // Works fine without this line
ContentType: 'application/json',
Body: JSON.stringify(data)
}).promise()
return uploaded
}
这是附加到执行角色的策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}
如果我注释掉 ACL 属性,上面的代码工作正常,但是文件不是 public,我需要它是这样。
运行 代码原样,它抛出拒绝访问:
{
"errorType": "AccessDenied",
"errorMessage": "Access Denied",
"trace": [
"AccessDenied: Access Denied",
" at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/services/s3.js:831:35)",
" at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)",
" at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)",
" at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:688:14)",
" at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)",
" at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)",
" at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10",
" at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)",
" at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:690:12)",
" at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18)"
]
}
我尝试过以多种不同的方式设置策略,包括尝试使其尽可能被允许:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": "*"
}
]
}
但这没有用。
在 bucket 方面,除了将 Block all public access 设置为 off 之外,我没有发现任何设置混乱,但这也没有帮助。
TLDR;我可以将文件从 Lambda 上传到 S3,但我怎样才能做到这一点 public?
找到答案:
On the bucket side, I haven't found any settings to mess with other than setting Block all public access to off but that didn't help either.
我需要在 帐户 和 存储桶设置中取消阻止 public 访问。
这是目前为两者设置的方式:
Block all public access
Off
Block public access to buckets and objects granted through new access control lists (ACLs)
Off
Block public access to buckets and objects granted through any access control lists (ACLs)
Off
Block public access to buckets and objects granted through new public bucket or access point policies
On
Block public and cross-account access to buckets and objects through any public bucket or access point policies
On
这适用于原始策略(问题中的第二个代码块)。
更新:找到答案,谢谢。
我正在设置一个定期获取一些数据、进行一些处理并将文件保存到 s3 的 lambda。
这是函数:
exports.handler = async function(event, context) {
const data = await fetchXlsx();
const uploaded = s3.putObject({
Bucket: 'my-bucket',
Key: 'current.json',
ACL: 'public-read', // Works fine without this line
ContentType: 'application/json',
Body: JSON.stringify(data)
}).promise()
return uploaded
}
这是附加到执行角色的策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}
如果我注释掉 ACL 属性,上面的代码工作正常,但是文件不是 public,我需要它是这样。
运行 代码原样,它抛出拒绝访问:
{
"errorType": "AccessDenied",
"errorMessage": "Access Denied",
"trace": [
"AccessDenied: Access Denied",
" at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/services/s3.js:831:35)",
" at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)",
" at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)",
" at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:688:14)",
" at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)",
" at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)",
" at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10",
" at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)",
" at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:690:12)",
" at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18)"
]
}
我尝试过以多种不同的方式设置策略,包括尝试使其尽可能被允许:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": "*"
}
]
}
但这没有用。
在 bucket 方面,除了将 Block all public access 设置为 off 之外,我没有发现任何设置混乱,但这也没有帮助。
TLDR;我可以将文件从 Lambda 上传到 S3,但我怎样才能做到这一点 public?
找到答案:
On the bucket side, I haven't found any settings to mess with other than setting Block all public access to off but that didn't help either.
我需要在 帐户 和 存储桶设置中取消阻止 public 访问。
这是目前为两者设置的方式:
Block all public access
Off
Block public access to buckets and objects granted through new access control lists (ACLs)
Off
Block public access to buckets and objects granted through any access control lists (ACLs)
Off
Block public access to buckets and objects granted through new public bucket or access point policies
On
Block public and cross-account access to buckets and objects through any public bucket or access point policies
On
这适用于原始策略(问题中的第二个代码块)。