botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the CreateBucket operation: Access Denied

I'm trying to deploy my Django project on AWS Lambda using Zappa. Here is my zappa_settings.json:

    {
        "dev": {
            "aws_region": "us-west-2",
            "django_settings": "<project_name>.settings",
            "profile_name": "zappa",
            "project_name": "<project_name>",
            "runtime": "python3.6",
            "s3_bucket": "<s3_bucket_name>",
            "timeout_seconds": 900,
            "manage_roles": false,
            "role_name": "ZappaDjangoRole",
            "role_arn": "arn:aws:iam::<account_id>:role/ZappaDjangoRole",
            "slim_handler": true
        }
    }

I get the error:

"botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the CreateBucket operation: Access Denied" 

Any idea what is causing this and how to fix it? My understanding is that Zappa zips the whole project and wants to upload it to an AWS S3 bucket, but a permission is missing when it calls the CreateBucket operation. I don't understand where this permission should go.

In IAM, I created ZappaGroup, which has permissions through ZappaUserGeneralPolicy and ZappaUserS3Policy:

My ZappaUserGeneralPolicy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "lambda:CreateFunction",
                    "s3:ListAccessPointsForObjectLambda",
                    "s3:GetAccessPoint",
                    "lambda:ListVersionsByFunction",
                    "logs:DescribeLogStreams",
                    "route53:GetHostedZone",
                    "events:PutRule",
                    "s3:PutStorageLensConfiguration",
                    "cloudformation:DescribeStackResource",
                    "lambda:GetFunctionConfiguration",
                    "iam:PutRolePolicy",
                    "apigateway:DELETE",
                    "events:ListRuleNamesByTarget",
                    "apigateway:PATCH",
                    "cloudformation:UpdateStack",
                    "events:ListRules",
                    "lambda:DeleteFunction",
                    "events:RemoveTargets",
                    "logs:FilterLogEvents",
                    "apigateway:GET",
                    "events:ListTargetsByRule",
                    "cloudformation:ListStackResources",
                    "iam:GetRole",
                    "events:DescribeRule",
                    "s3:PutAccountPublicAccessBlock",
                    "s3:ListAccessPoints",
                    "apigateway:PUT",
                    "lambda:GetFunction",
                    "s3:ListJobs",
                    "route53:ListHostedZones",
                    "route53:ChangeResourceRecordSets",
                    "cloudformation:DescribeStacks",
                    "s3:ListStorageLensConfigurations",
                    "lambda:UpdateFunctionCode",
                    "events:DeleteRule",
                    "events:PutTargets",
                    "s3:GetAccountPublicAccessBlock",
                    "lambda:AddPermission",
                    "s3:ListAllMyBuckets",
                    "cloudformation:CreateStack",
                    "cloudformation:DeleteStack",
                    "lambda:*",
                    "s3:CreateJob",
                    "apigateway:POST"
                ],
                "Resource": "*"
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": [
                    "iam:PassRole",
                    "s3:*"
                ],
                "Resource": [
                    "arn:aws:s3:::<s3_bucket from zappa_settings.json>",
                    "arn:aws:iam::<account_id>:role/ZappaDjangoRole"
                ]
            }
        ]
    }

Also, my ZappaUserS3Policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::<s3_bucket from zappa_settings.json>"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:DeleteObject",
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:AbortMultipartUpload",
                    "s3:ListMultipartUploadParts",
                    "s3:ListBucketMultipartUploads"
                ],
                "Resource": [
                    "arn:aws:s3:::<s3_bucket from zappa_settings.json>/*"
                ]
            }
        ]
    }

And the trust relationship of my ZappaDjangoRole:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Principal": {
                    "Service": [
                        "events.amazonaws.com",
                        "apigateway.amazonaws.com",
                        "lambda.amazonaws.com"
                    ]
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }

Finally, here is my ZappaRolePolicy:

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:*"
            ],
            "Resource": "arn:aws:logs:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:GetFunctionConfiguration",
                "lambda:UpdateFunctionConfiguration",
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AttachNetworkInterface",
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeInstances",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DetachNetworkInterface",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:ResetNetworkInterfaceAttribute"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kinesis:*"
            ],
            "Resource": "arn:aws:kinesis:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sns:*"
            ],
            "Resource": "arn:aws:sns:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sqs:*"
            ],
            "Resource": "arn:aws:sqs:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:*"
            ],
            "Resource": "arn:aws:dynamodb:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:*"
            ],
            "Resource": "*"
        }
    ]
    }
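As an added example (not the questioner's code and not part of Zappa), the script below replays a simplified IAM identity-policy evaluation over the two user policies from the question, with a placeholder bucket name and account id standing in for the redacted values. It shows that "s3:*" on the bucket ARN already covers s3:CreateBucket for exactly that bucket name, so a bucket name that differs from the one in zappa_settings.json (or a policy that is not attached to the profile's user) falls through to an implicit deny, which S3 reports as AccessDenied; that mismatch is worth ruling out before attaching broader managed policies. Condition keys, NotAction/NotResource, SCPs and permission boundaries are not modelled.

```python
import fnmatch

# Constructed stand-ins for the placeholders in the question; the real values
# come from zappa_settings.json and the AWS account.
BUCKET = "zappa-deploy-bucket-placeholder"
ROLE_ARN = "arn:aws:iam::123456789012:role/ZappaDjangoRole"

# The statements from ZappaUserGeneralPolicy (VisualEditor1) and ZappaUserS3Policy
# that can match S3 bucket calls; the other statements grant no S3 bucket actions.
POLICIES = [
    {"Statement": [
        {"Effect": "Allow", "Action": ["iam:PassRole", "s3:*"],
         "Resource": ["arn:aws:s3:::" + BUCKET, ROLE_ARN]},
    ]},
    {"Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::" + BUCKET]},
        {"Effect": "Allow",
         "Action": ["s3:DeleteObject", "s3:GetObject", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::" + BUCKET + "/*"]},
    ]},
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters (including '/'),
    # '?' one character; '[' is escaped so fnmatch does not read it as a class.
    return any(fnmatch.fnmatchcase(value, p.replace("[", "[[]")) for p in patterns)

def evaluate(policies, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny wins, otherwise any
    matching Allow grants, otherwise the call is implicitly denied (AccessDenied).
    Condition, NotAction/NotResource, SCPs and permission boundaries are ignored."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            # Action names are matched case-insensitively; resource ARNs are not.
            actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
            if not _matches(actions, action.lower()):
                continue
            if not _matches(_as_list(stmt.get("Resource", [])), resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision
```

Calling evaluate(POLICIES, "s3:CreateBucket", "arn:aws:s3:::" + BUCKET) returns "Allow", while the same call with any other bucket name returns "ImplicitDeny".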

I solved this by adding the following permissions to the group my user belongs to:

IAMFullAccess
AmazonS3FullAccess
AdministratorAccess

My user also has the AdministratorAccess permission. Looking around, I noticed that all the DevOps people were complaining about similar problems and suggesting giving the user full administrator access.

I got a similar error message too; in my case it was because I had given the s3 bucket name myself instead of using the suggested default name.