通过Lambda上传时的S3 Policy Issue

时间:2017-09-06 18:56:34

标签: amazon-web-services amazon-s3 aws-lambda boto boto3

我使用AWS Lambda将文件上传到S3并使用命令

s3 = boto3.resource('s3')
s3.meta.client.upload_file("/tmp/" + fileName, [BUCKET NAME], fileName)

Lambda政策也被定义为

{
        "Action": [
            "s3:PutObject"
        ],
        "Resource": "arn:aws:s3:::[BUCKET NAME]",
        "Effect": "Allow"
},

但是当我运行该功能时,它会给出错误

(<class 'boto3.exceptions.S3UploadFailedError'>, 
S3UploadFailedError('Failed to upload /tmp/[FILE NAME] to [BUCKET 
NAME]/[FILE NAME]: An error occurred (AccessDenied) when calling the 
PutObject operation: Access Denied',), <traceback object at 
0x7f61e9d2ec48>)

3 个答案:

答案 0 :(得分:2)

似乎你错过了

  

“/ *”

在政策的资源中。对于对象级操作,资源应为

  

“ARN:AWS:S3 ::: examplebucket /*".

另外请确保没有拒绝访问的存储桶策略。

更多信息:

答案 1 :(得分:1)

您还需要允许ListBucket策略,以便以编程方式将对象放入s3。

所以,你的政策是:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::BUCKET_NAME"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": ["arn:aws:s3:::BUCKET_NAME/*"]
    }
  ]
} 

答案 2 :(得分:0)

你对lambda.amazonaws.com的角色有信任关系吗?

同样根据您的政策,应如下所示,

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "statement1",
            "Effect": "Allow",
            "Action":   ["s3:PutObject"],
            "Resource": "arn:aws:s3:::[BUCKET NAME]/*"
        }
    ]
}

我看到存储桶名称末尾缺少/ *。

参考文档:http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html