我在JS中有一个无服务器应用程序,它在node.js 8.10上的AWS lambda中运行。它由S3事件触发,并在不同存储桶中使用版本控制创建新上载的S3项目的副本。给lambda函数一个角色,该角色包含以下策略:
y = [
{
2: 3
},
{
1: 2
},
{
3: 1
}
]
该函数在将项目复制到targetBucket(并等待其存在)之后调用此s3函数:
{
"PolicyName" : {"Fn::Join": ["", [{"Ref": "AWS::Region"}, "-", "S3LambdaPolicy"]]},
"PolicyDocument": {
"Version" : "2012-10-17",
"Statement" : [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:GetObjectVersion",
"s3:GetBucketVersioning",
"s3:GetObjectTagging",
"s3:PutObject",
"s3:PutObjectTagging",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Resource": "arn:aws:s3:::*"
}
]
}
}
这总是失败,并显示拒绝访问错误:
2018-11-06T12:06:24.070Z 389637c4-e1bc-11e8-8eec-8b4d06f7596c {AccessDenied:访问被拒绝在Request.extractError(/var/runtime/node_modules/aws-sdk/lib/services/s3.js :577:35) ... 消息:“访问被拒绝”, 代码:“ AccessDenied”, 地区:null, 时间:2018-11-06T12:06:24.069Z, requestId:'178F863CC6FB4960', extendedRequestId:'sYbGkGb + hgOWtWp1XPkqtoVRv2XxAg04axRAUaeF0VtMMzMYYyPMkTrwWpx3xUBF0zalKzIJAI8 =', cfId:未定义, statusCode:403, 可重试:错误, retryDelay:39.20736560394356}
我不确定我在这里缺少什么,希望能解决此问题。
Thx,
Stefan
答案 0 :(得分:0)
我自己找到了解决方案:在使用版本控制时,我还需要添加用于在版本化对象上获取/放置标签的特定策略。所以这是对我有用的规则:
{
"PolicyName" : {"Fn::Join": ["", [{"Ref": "AWS::Region"}, "-", "S3LambdaPolicy"]]},
"PolicyDocument": {
"Version" : "2012-10-17",
"Statement" : [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:GetObjectVersion",
"s3:GetBucketVersioning",
"s3:GetObjectTagging",
"s3:GetObjectVersionTagging",
"s3:PutObject",
"s3:PutObjectTagging",
"s3:PutObjectVersionTagging",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Resource": "arn:aws:s3:::*"
}
]
}
}