使用AWS re:Post即您表示您同意 AWS re:Post 使用条款
AWS re:Postre:Post

从Lambda访问S3存储桶

0

【以下的问题经过翻译处理】 我试图从Lambda函数中写入S3存储桶,并且已经配置好所需的权限和角色,但是我遇到了以下错误:

“errorMessage”:“An error occurred (AccessDenied) when calling the PutObject operation: Access Denied"

以下是我的策略文件,并且我已经在Lambda函数执行角色中分配了相关角色。您能否指出我在这里遗漏了什么。谢谢。

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "s3:PutAnalyticsConfiguration", "s3:PutAccessPointConfigurationForObjectLambda", "s3:GetObjectVersionTagging", "s3:DeleteAccessPoint", "s3:CreateBucket", "s3:DeleteAccessPointForObjectLambda", "s3:GetStorageLensConfigurationTagging", "s3:ReplicateObject", "s3:GetObjectAcl", "s3:GetBucketObjectLockConfiguration", "s3:DeleteBucketWebsite", "s3:GetIntelligentTieringConfiguration", "s3:PutLifecycleConfiguration", "s3:GetObjectVersionAcl", "s3:DeleteObject", "s3:CreateMultiRegionAccessPoint", "s3:GetBucketPolicyStatus", "s3:GetObjectRetention", "s3:GetBucketWebsite", "s3:GetJobTagging", "s3:GetMultiRegionAccessPoint", "s3:PutReplicationConfiguration", "s3:GetObjectAttributes", "s3:PutObjectLegalHold", "s3:InitiateReplication", "s3:GetObjectLegalHold", "s3:GetBucketNotification", "s3:PutBucketCORS", "s3:DescribeMultiRegionAccessPointOperation", "s3:GetReplicationConfiguration", "s3:PutObject", "s3:GetObject", "s3:PutBucketNotification", "s3:DescribeJob", "s3:PutBucketLogging", "s3:GetAnalyticsConfiguration", "s3:PutBucketObjectLockConfiguration", "s3:GetObjectVersionForReplication", "s3:GetAccessPointForObjectLambda", "s3:GetStorageLensDashboard", "s3:CreateAccessPoint", "s3:GetLifecycleConfiguration", "s3:GetInventoryConfiguration", "s3:GetBucketTagging", "s3:PutAccelerateConfiguration", "s3:GetAccessPointPolicyForObjectLambda", "s3:DeleteObjectVersion", "s3:GetBucketLogging", "s3:RestoreObject", "s3:GetAccelerateConfiguration", "s3:GetObjectVersionAttributes", "s3:GetBucketPolicy", "s3:PutEncryptionConfiguration", "s3:GetEncryptionConfiguration", "s3:GetObjectVersionTorrent", "s3:AbortMultipartUpload", "s3:GetBucketRequestPayment", "s3:GetAccessPointPolicyStatus", "s3:UpdateJobPriority", "s3:GetObjectTagging", "s3:GetMetricsConfiguration", "s3:GetBucketOwnershipControls", "s3:DeleteBucket", "s3:PutBucketVersioning", "s3:GetBucketPublicAccessBlock", "s3:GetMultiRegionAccessPointPolicyStatus", "s3:PutIntelligentTieringConfiguration", "s3:GetMultiRegionAccessPointPolicy", "s3:GetAccessPointPolicyStatusForObjectLambda", "s3:PutMetricsConfiguration", "s3:PutBucketOwnershipControls", "s3:DeleteMultiRegionAccessPoint", "s3:UpdateJobStatus", "s3:GetBucketVersioning", "s3:GetBucketAcl", "s3:GetAccessPointConfigurationForObjectLambda", "s3:PutInventoryConfiguration", "s3:GetObjectTorrent", "s3:GetStorageLensConfiguration", "s3:DeleteStorageLensConfiguration", "s3:PutBucketWebsite", "s3:PutBucketRequestPayment", "s3:PutObjectRetention", "s3:CreateAccessPointForObjectLambda", "s3:GetBucketCORS", "s3:GetBucketLocation", "s3:GetAccessPointPolicy", "s3:ReplicateDelete", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::<my-bukcet-name>" }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "s3:GetAccessPoint", "s3:GetAccountPublicAccessBlock", "s3:PutStorageLensConfiguration", "s3:CreateJob" ], "Resource": "*" } ] }

主题
无服务器计算安全、身份和合规性
标签
AWS LambdaIAM 策略
语言
中文 (简体)
profile picture
专家
rePost Polyglot
已提问 5 个月前37 查看次数
1 回答
0

【以下的回答经过翻译处理】 首先,这里有很多你的Lambda函数并不需要的权限。我建议你删除这里设置的90%的权限。

除此之外,假设你的策略实际上在资源中没有读取<my-bucket-name>,那么有两件事需要注意:对于桶级别操作,用arn:aws:s3:::<bucket-name>是可以的,但对于对象,你需要指定路径。例如,对于桶中的所有对象,你需要使用arn:aws:s3:::<bucket-name>/*

同时请注意,如果你使用了CMK(你自己手动创建的一种KMS密钥,不是aws/s3 的这种)对存储桶中的文件进行了加密,那么你还需要为服务(lambda、脚本等)提供访问该KMS密钥的权限,以便操作文件的加密(加密或解密或两者都有)。

profile picture
专家
rePost Polyglot
已回答 5 个月前

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则

相关内容