Serverless Framework: AWS Lambda Role for Signed URLs on S3

I'm using the Serverless Framework, and when I try to access a signed URL on a private bucket for GET and PUT with the configuration below, I get an Access Denied error. However, when I grant * for the resource under iam.role.statements[0].Resource (instead of explicitly referencing the private bucket), it works fine. What am I doing wrong? What is the best way to make this work without having to grant "*" permissions, granting permissions only on the private bucket?

provider:
  name: aws
  runtime: nodejs12.x
  lambdaHashingVersion: '20201221'
  iam:
    role:
      statements:
        - Effect: 'Allow'
          Action:
            - 's3:GetObject'
            - 's3:PutObject'
          Resource:
            - Fn::GetAtt:
                - PrivateBucket
                - Arn

resources:
  Resources:
    PrivateBucket:
      Type: AWS::S3::Bucket
      DeletionPolicy: Retain
      Properties:
        BucketName: private-bucket
        OwnershipControls:
          Rules:
            - ObjectOwnership: BucketOwnerEnforced
        PublicAccessBlockConfiguration:
          BlockPublicAcls: true
          BlockPublicPolicy: true
          IgnorePublicAcls: true
          RestrictPublicBuckets: true
        CorsConfiguration:
          CorsRules:
            - AllowedHeaders:
                - '*'
              AllowedMethods:
                - GET
                - PUT
              AllowedOrigins:
                - '*'

You need to allow both the bucket and its resources.

Try adding the resource permissions like this:

Resource:
  # MyS3Bucket is the bucket's logical resource ID (PrivateBucket in the question);
  # ${MyS3Bucket} inside Fn::Sub resolves to Ref, i.e. the bucket name.
  - !Sub arn:aws:s3:::${MyS3Bucket}          # the bucket itself
  - !Sub arn:aws:s3:::${MyS3Bucket}/*        # every object in the bucket
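The reason the question's statement fails is that Fn::GetAtt PrivateBucket.Arn yields the bare bucket ARN (arn:aws:s3:::private-bucket), while s3:GetObject and s3:PutObject are object-level actions that IAM evaluates against object ARNs (arn:aws:s3:::private-bucket/<key>). A bucket ARN without a trailing /* never matches an object, so the role has no usable grant and the signed URL, which carries the role's permissions, returns Access Denied. Below is a corrected provider block written for the question's PrivateBucket resource. It is an added example, not code from the question or the answer, and it uses the long-form intrinsic functions (Fn::Join, Fn::GetAtt) that serverless.yml accepts; the separate s3:ListBucket statement is my addition to show when the bare bucket ARN is actually needed, and the bucket resource itself is assumed to be the one already defined in the question's resources section.

```yaml
# serverless.yml (excerpt, added example): execution role for a function that
# signs GET/PUT URLs against the PrivateBucket defined under resources.
provider:
  name: aws
  iam:
    role:
      statements:
        # Object-level actions. IAM matches s3:GetObject / s3:PutObject only
        # against object ARNs, so the resource must be <bucket-arn>/*. This
        # scopes the grant to objects in this one bucket and nothing else.
        - Effect: Allow
          Action:
            - s3:GetObject
            - s3:PutObject
          Resource:
            - Fn::Join:
                - ''
                - - Fn::GetAtt: [PrivateBucket, Arn]
                  - '/*'
        # Bucket-level actions match the bare bucket ARN. Signing GET/PUT URLs
        # does not need this statement; keep it only if the function also
        # lists the bucket. (Added here to show which ARN form fits which action.)
        - Effect: Allow
          Action:
            - s3:ListBucket
          Resource:
            - Fn::GetAtt: [PrivateBucket, Arn]
```

This is equivalent to the answer's !Sub form with ${MyS3Bucket} replaced by PrivateBucket; the Fn::Join form is used here only because it reuses the Fn::GetAtt the question already has. Two practical checks: a presigned URL can only do what the signing identity can do, so if the role lacks s3:PutObject on the object ARN the PUT will still be denied at upload time even though signing succeeds; and because the Lambda signs with the role's temporary credentials, a URL stops working when those credentials expire, regardless of the longer ExpiresIn you may have requested.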