I have the following policy, created with the AWS Policy Generator, on an S3 bucket to allow a Lambda running under a specific role to access files in the bucket. However, when I execute the Lambda I get a 403 Access Denied:
"errorMessage": "Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: <requestId>)",
"errorType": "com.amazonaws.services.s3.model.AmazonS3Exception",
S3 bucket policy:
{
  "Version": "2012-10-17",
  "Id": "Policy<number>",
  "Statement": [
    {
      "Sid": "Stmt<number>",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account>:role/<roleName>"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::<bucketName>/*"
    }
  ]
}
What is wrong with the policy? The Lambda is running under the role configured in the policy.
Answer 0 (score: 12)
The role assigned to the AWS Lambda function should be created as an AWS Lambda role (selected when creating the role in the IAM console).
The role has no principal, because the permissions are assigned to whichever service uses the role (in this case, the Lambda function).
Also, you should assign permissions for the bucket itself (e.g. listing its contents) and for the contents of the bucket (e.g. GetObject).
That would look something like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3Access",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123XXX:role/service-role/LAMBDA_ROLE_NAME"
      },
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}
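The point of the answer above is that the bucket ARN and the object ARN are different resources: a statement whose Resource is only `arn:aws:s3:::my-bucket/*` matches GetObject and PutObject on keys, but never matches ListBucket, which is evaluated against the bucket ARN itself, so that call falls through to an implicit deny and surfaces as a 403. The following is an added example, not code from the original post: a deliberately simplified policy evaluator in Python that models just the rules the thread turns on (wildcard matching of actions and ARNs, Principal checks for bucket policies, no Principal in the role's identity policy, explicit deny winning over allow, and same-account "allow from either policy" semantics). The role ARN, bucket name and object keys are assumed values; conditions, NotAction, SCPs, cross-account rules and access points are left out on purpose.

```python
"""Simplified IAM/S3 policy evaluator (added illustration, not the page's code).

Assumptions: same-account Lambda role and bucket, so a request is allowed if
either the role's identity policy or the bucket policy allows it and nothing
explicitly denies it. The ARNs below are made up for the demonstration.
"""
import fnmatch

ROLE_ARN = "arn:aws:iam::123456789012:role/service-role/my-lambda-role"  # assumed
BUCKET = "arn:aws:s3:::my-bucket"  # assumed bucket name


def _as_list(value):
    """IAM lets Action/Resource/Principal be a string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are case-insensitive and support '*' / '?' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # '*' matches any characters, including '/', so "bucket/*" covers every key
    # but NOT the bare bucket ARN (no trailing "/..." to match).
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def _principal_matches(stmt, principal_arn):
    """Identity policies carry no Principal (the role itself is the principal);
    a bucket policy statement must name the role explicitly or use '*'."""
    if "Principal" not in stmt:
        return True
    principal = stmt["Principal"]
    if principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", []))
    return "*" in allowed or principal_arn in allowed


def evaluate(policies, principal_arn, action, resource):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not (_principal_matches(stmt, principal_arn)
                    and _action_matches(stmt["Action"], action)
                    and _resource_matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # an explicit deny always wins
            decision = "Allow"
    return decision


# Constructed policies mirroring the thread: objects only, then bucket + objects.
OBJECTS_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ROLE_ARN},
        "Action": "s3:*",
        "Resource": BUCKET + "/*",
    }],
}

BUCKET_AND_OBJECTS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ROLE_ARN},
        "Action": "s3:*",
        "Resource": [BUCKET, BUCKET + "/*"],
    }],
}

# Identity policy on the role: no Principal element, and the common mistake of
# granting an object-level action on the bucket ARN (matches nothing useful).
ROLE_POLICY_WRONG_ARN = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject"],
        "Resource": BUCKET,
    }],
}


def check_lambda_access(bucket_policy, role_policy=None):
    """Decisions for the three calls a typical S3-processing Lambda makes."""
    policies = [bucket_policy] + ([role_policy] if role_policy else [])
    return {
        "s3:ListBucket": evaluate(policies, ROLE_ARN, "s3:ListBucket", BUCKET),
        "s3:GetObject": evaluate(policies, ROLE_ARN, "s3:GetObject", BUCKET + "/data/in.csv"),
        "s3:PutObject": evaluate(policies, ROLE_ARN, "s3:PutObject", BUCKET + "/data/out.csv"),
    }


if __name__ == "__main__":
    for name, policy in (("objects only", OBJECTS_ONLY), ("bucket + objects", BUCKET_AND_OBJECTS)):
        print(name, check_lambda_access(policy))
```

Running it shows the objects-only policy allowing GetObject and PutObject but returning ImplicitDeny for ListBucket, while the bucket-plus-objects policy allows all three; the identity policy with the bare bucket ARN grants nothing on any key. Against a real account the equivalent check is `aws iam simulate-principal-policy` with the role ARN, the action and the exact resource ARN, which reports the same bucket-versus-object distinction.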
Answer 1 (score: 4)
After some trial and error I got it working; the process is:
IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt*******",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:PutObjectTagging",
        "s3:PutObjectVersionAcl",
        "s3:PutObjectVersionTagging"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket-name>/*"
      ]
    }
  ]
}
And I use this policy on the S3 bucket:
{
  "Id": "Policy************",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt********",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:PutObjectTagging",
        "s3:PutObjectVersionAcl",
        "s3:PutObjectVersionTagging"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::<bucket-name>/*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::*********:role/<lambda-function-name>"
        ]
      }
    }
  ]
}