AWS - Permission denied on S3 Path

I am calling a lambda function that queries AWS Athena, and during query execution I get this error: Permission denied on S3 path: s3://bkt_logs/apis/2020/12/16/14

Note: the S3 bucket is an encrypted bucket and has an attached policy to access the KMS key.

These are the permissions I have granted to the lambda function.

[
  {
    "Action": [
      "s3:Get*",
      "s3:List*",
      "s3:PutObject",
      "s3:DeleteObject"
    ],
    "Resource": "arn:aws:s3:::athena-query-results/*",
    "Effect": "Allow",
    "Sid": "AllowS3AccessToSaveAndReadQueryResults"
  },
  {
    "Action": [
      "s3:*"
    ],
    "Resource": "arn:aws:s3:::bkt_logs/*",
    "Effect": "Allow",
    "Sid": "AllowS3AccessForGlueToReadLogs"
  },
  {
    "Action": [
      "athena:GetQueryExecution",
      "athena:StartQueryExecution",
      "athena:StopQueryExecution",
      "athena:GetWorkGroup",
      "athena:GetDatabase",
      "athena:BatchGetQueryExecution",
      "athena:GetQueryResults",
      "athena:GetQueryResultsStream",
      "athena:GetTableMetadata"
    ],
    "Resource": [
      "*"
    ],
    "Effect": "Allow",
    "Sid": "AllowAthenaAccess"
  },
  {
    "Action": [
      "glue:GetTable",
      "glue:GetDatabase",
      "glue:GetPartitions"
    ],
    "Resource": [
      "*"
    ],
    "Effect": "Allow",
    "Sid": "AllowGlueAccess"
  },
  {
    "Action": [
      "kms:CreateGrant",
      "kms:DescribeKey"
    ],
    "Resource": [
      "*"
    ],
    "Effect": "Allow",
    "Sid": "AllowKMSAccess"
  }
]

The code snippet I use to run the query from the lambda.

const queryRequest = {
    QueryExecutionContext: {
        Database: this.databaseName
    },
    QueryString: query,
    ResultConfiguration: {
        OutputLocation: 's3://athena-query-results'
    },
    WorkGroup: this.workgroup
};

const queryExecutionId = await this.athenaService.startQueryExecution(queryRequest);

The bucket bkt_logs is the one the AWS Glue crawler uses to populate the Athena table I am querying.

Am I missing something?

I was able to solve the problem.

Athena needs access to the bucket as well as to the folders and subfolders. So, after updating my S3 policy to allow access to the bucket, I was able to solve the problem.

  {
    "Action": [
      "s3:*"
    ],
    "Resource": [
      "arn:aws:s3:::bkt_logs",
      "arn:aws:s3:::bkt_logs/*"
    ],
    "Effect": "Allow",
    "Sid": "AllowS3AccessForGlueToReadLogs"
  }
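As an added illustration of why the bare bucket ARN matters (this is example code written for this page, not part of the question or the answer): a simplified policy evaluator that checks the two S3 calls a scan of an object under s3://bkt_logs/ needs, first against the question's object-only statements and then against the answer's corrected one. It models only Allow statements with wildcard Action/Resource patterns (no Conditions, NotAction or explicit Deny), and the sample object key is constructed. The generic check at the end also flags the athena-query-results statement, because it has the same object-only shape.

```python
import fnmatch
import re

def _as_list(value):
    return [value] if isinstance(value, str) else value

def is_allowed(policy, action, resource):
    """Simplified IAM check: True if some Allow statement's Action and Resource
    patterns both match. Conditions, NotAction and explicit Deny are not modelled."""
    for stmt in policy:
        if stmt.get("Effect") != "Allow":
            continue
        acts = [a.lower() for a in _as_list(stmt["Action"])]  # IAM actions are case-insensitive
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in acts):
            continue
        if any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            return True
    return False

def athena_scan_access(policy, bucket, key):
    """The two S3 calls a scan of s3://bucket/key needs: ListBucket is evaluated
    against the bucket ARN, GetObject against the object ARN."""
    return {
        "s3:ListBucket": is_allowed(policy, "s3:ListBucket", f"arn:aws:s3:::{bucket}"),
        "s3:GetObject": is_allowed(policy, "s3:GetObject", f"arn:aws:s3:::{bucket}/{key}"),
    }

def buckets_missing_bucket_arn(policy):
    """Buckets granted object-level access (arn:aws:s3:::name/...) by some Allow
    statement while no statement grants s3:ListBucket on the bucket ARN itself."""
    missing = set()
    for stmt in policy:
        if stmt.get("Effect") != "Allow":
            continue
        for r in _as_list(stmt["Resource"]):
            m = re.fullmatch(r"arn:aws:s3:::([^/*?]+)/.*", r)
            if m and not is_allowed(policy, "s3:ListBucket", f"arn:aws:s3:::{m.group(1)}"):
                missing.add(m.group(1))
    return sorted(missing)

# The two S3 statements from the question (object-level ARNs only).
BEFORE = [
    {"Sid": "AllowS3AccessToSaveAndReadQueryResults", "Effect": "Allow",
     "Action": ["s3:Get*", "s3:List*", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::athena-query-results/*"},
    {"Sid": "AllowS3AccessForGlueToReadLogs", "Effect": "Allow",
     "Action": ["s3:*"], "Resource": "arn:aws:s3:::bkt_logs/*"},
]
# The logs statement as corrected in the answer: bucket ARN plus object ARN.
AFTER = [BEFORE[0], {**BEFORE[1], "Resource": ["arn:aws:s3:::bkt_logs", "arn:aws:s3:::bkt_logs/*"]}]
```

Running `athena_scan_access(BEFORE, "bkt_logs", "apis/2020/12/16/14/part-0.gz")` reports ListBucket denied and GetObject allowed, which is exactly the shape of the question's error; the same call against `AFTER` allows both.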