无服务器框架:S3 上签名 URL 的 AWS Lambda 角色
Serverless Framework: AWS Lambda Role for Signed URLs on S3
我正在使用无服务器框架,当我尝试访问私有存储桶上的签名 URL 以获取以下配置的 GET 和 PUT 时,出现访问被拒绝的错误。但是,当我为 iam.role.statements[0].Resource 下的资源授予 *(而不是显式引用私有存储桶)时,它工作得很好。我做错了什么?什么是最好的方法来完成这项工作而不必授予“*”权限而只授予私有存储桶权限?
provider:
name: aws
runtime: nodejs12.x
lambdaHashingVersion: '20201221'
iam:
role:
statements:
- Effect: 'Allow'
Action:
- 's3:GetObject'
- 's3:PutObject'
Resource:
- Fn::GetAtt:
- PrivateBucket
- Arn
resources:
Resources:
PrivateBucket:
Type: AWS::S3::Bucket
DeletionPolicy: Retain
Properties:
BucketName: private-bucket
OwnershipControls:
Rules:
- ObjectOwnership: BucketOwnerEnforced
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
CorsConfiguration:
CorsRules:
- AllowedHeaders:
- '*'
AllowedMethods:
- GET
- PUT
AllowedOrigins:
- '*'
您需要允许存储桶和资源。
尝试通过以下方式添加资源权限:
Resource:
- !Sub arn:aws:s3:::${MyS3Bucket}
- !Sub arn:aws:s3:::${MyS3Bucket}/*
我正在使用无服务器框架,当我尝试访问私有存储桶上的签名 URL 以获取以下配置的 GET 和 PUT 时,出现访问被拒绝的错误。但是,当我为 iam.role.statements[0].Resource 下的资源授予 *(而不是显式引用私有存储桶)时,它工作得很好。我做错了什么?什么是最好的方法来完成这项工作而不必授予“*”权限而只授予私有存储桶权限?
provider:
name: aws
runtime: nodejs12.x
lambdaHashingVersion: '20201221'
iam:
role:
statements:
- Effect: 'Allow'
Action:
- 's3:GetObject'
- 's3:PutObject'
Resource:
- Fn::GetAtt:
- PrivateBucket
- Arn
resources:
Resources:
PrivateBucket:
Type: AWS::S3::Bucket
DeletionPolicy: Retain
Properties:
BucketName: private-bucket
OwnershipControls:
Rules:
- ObjectOwnership: BucketOwnerEnforced
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
CorsConfiguration:
CorsRules:
- AllowedHeaders:
- '*'
AllowedMethods:
- GET
- PUT
AllowedOrigins:
- '*'
您需要允许存储桶和资源。
尝试通过以下方式添加资源权限:
Resource:
- !Sub arn:aws:s3:::${MyS3Bucket}
- !Sub arn:aws:s3:::${MyS3Bucket}/*