向自动创建的 IAM 角色添加策略
Add policy to the auto created IAM role
我有一个 cdk 脚本,可以生成一个 S3 bucket
和 lambda
,然后将 s3 触发器添加到 lambda
const up_bk = new s3.Bucket(this, 'cdk-st-in-bk', { // image-resize用のbucket
bucketName: `cdk-st-${targetEnv}-resource-in-bk`,
removalPolicy: RemovalPolicy.DESTROY,
autoDeleteObjects: true,
cors: [{
allowedMethods: [
s3.HttpMethods.GET,
s3.HttpMethods.POST,
s3.HttpMethods.PUT,
s3.HttpMethods.DELETE,
s3.HttpMethods.HEAD,
],
allowedHeaders: ["*"],
allowedOrigins: ["*"],
exposedHeaders: ["ETag"],
maxAge: 3000
}]
});
const resizerLambda = new lambda.DockerImageFunction(this, "ResizerLambda", {
code: lambda.DockerImageCode.fromImageAsset("resizer-sam/resizer"),
});
resizerLambda.addEventSource(new S3EventSource(up_bk, {
events: [ s3.EventType.OBJECT_CREATED ],
}));
现在,它会自动生成角色st-dev-base-stack-ResizerLambdaServiceRoleAE27CE82-1LWJL0D35A0GW
但它只有AWSLambdaBasicExecutionRole
所以,当我尝试从存储桶访问 S3 时,会出现类似 `
的错误
例如,
obj = s3_client.get_object(Bucket=bucket_name, Key=obj_key)
"An error occurred (AccessDenied) when calling the GetObject operation: Access Denied"
我想我应该给这个角色添加 AmazonS3FullAccess
。
但是我该怎么做呢??
您需要授予 Lambda 函数从存储桶中读取的权限:
up_bk.grantRead(resizerLambda);
如果您还需要它写入存储桶,请执行:
up_bk.grantReadWrite(resizerLambda);
我有一个 cdk 脚本,可以生成一个 S3 bucket
和 lambda
,然后将 s3 触发器添加到 lambda
const up_bk = new s3.Bucket(this, 'cdk-st-in-bk', { // image-resize用のbucket
bucketName: `cdk-st-${targetEnv}-resource-in-bk`,
removalPolicy: RemovalPolicy.DESTROY,
autoDeleteObjects: true,
cors: [{
allowedMethods: [
s3.HttpMethods.GET,
s3.HttpMethods.POST,
s3.HttpMethods.PUT,
s3.HttpMethods.DELETE,
s3.HttpMethods.HEAD,
],
allowedHeaders: ["*"],
allowedOrigins: ["*"],
exposedHeaders: ["ETag"],
maxAge: 3000
}]
});
const resizerLambda = new lambda.DockerImageFunction(this, "ResizerLambda", {
code: lambda.DockerImageCode.fromImageAsset("resizer-sam/resizer"),
});
resizerLambda.addEventSource(new S3EventSource(up_bk, {
events: [ s3.EventType.OBJECT_CREATED ],
}));
现在,它会自动生成角色st-dev-base-stack-ResizerLambdaServiceRoleAE27CE82-1LWJL0D35A0GW
但它只有AWSLambdaBasicExecutionRole
所以,当我尝试从存储桶访问 S3 时,会出现类似 `
的错误例如,
obj = s3_client.get_object(Bucket=bucket_name, Key=obj_key)
"An error occurred (AccessDenied) when calling the GetObject operation: Access Denied"
我想我应该给这个角色添加 AmazonS3FullAccess
。
但是我该怎么做呢??
您需要授予 Lambda 函数从存储桶中读取的权限:
up_bk.grantRead(resizerLambda);
如果您还需要它写入存储桶,请执行:
up_bk.grantReadWrite(resizerLambda);