向自动创建的 IAM 角色添加策略

Add policy to the auto created IAM role

我有一个 cdk 脚本,可以生成一个 S3 bucketlambda,然后将 s3 触发器添加到 lambda

const up_bk = new s3.Bucket(this, 'cdk-st-in-bk', { // image-resize用のbucket
  bucketName: `cdk-st-${targetEnv}-resource-in-bk`,
  removalPolicy: RemovalPolicy.DESTROY,
  autoDeleteObjects: true,
  cors: [{
      allowedMethods: [
        s3.HttpMethods.GET,
        s3.HttpMethods.POST,
        s3.HttpMethods.PUT,
        s3.HttpMethods.DELETE,
        s3.HttpMethods.HEAD,
      ],
      allowedHeaders: ["*"],
      allowedOrigins: ["*"],
      exposedHeaders: ["ETag"],
      maxAge: 3000
    }]
});

const resizerLambda = new lambda.DockerImageFunction(this, "ResizerLambda", {
  code: lambda.DockerImageCode.fromImageAsset("resizer-sam/resizer"),
});

resizerLambda.addEventSource(new S3EventSource(up_bk, { 
  events: [ s3.EventType.OBJECT_CREATED ],
}));

现在,它会自动生成角色st-dev-base-stack-ResizerLambdaServiceRoleAE27CE82-1LWJL0D35A0GW

但它只有AWSLambdaBasicExecutionRole

所以,当我尝试从存储桶访问 S3 时,会出现类似 `

的错误

例如,

obj = s3_client.get_object(Bucket=bucket_name, Key=obj_key)

"An error occurred (AccessDenied) when calling the GetObject operation: Access Denied"

我想我应该给这个角色添加 AmazonS3FullAccess

但是我该怎么做呢??

您需要授予 Lambda 函数从存储桶中读取的权限:

up_bk.grantRead(resizerLambda);

如果您还需要它写入存储桶,请执行:

up_bk.grantReadWrite(resizerLambda);