我使用AWS Lambda将文件上传到S3并使用命令
s3 = boto3.resource('s3')
s3.meta.client.upload_file("/tmp/" + fileName, [BUCKET NAME], fileName)
Lambda政策也被定义为
{
"Action": [
"s3:PutObject"
],
"Resource": "arn:aws:s3:::[BUCKET NAME]",
"Effect": "Allow"
},
但是当我运行该功能时,它会给出错误
(<class 'boto3.exceptions.S3UploadFailedError'>,
S3UploadFailedError('Failed to upload /tmp/[FILE NAME] to [BUCKET
NAME]/[FILE NAME]: An error occurred (AccessDenied) when calling the
PutObject operation: Access Denied',), <traceback object at
0x7f61e9d2ec48>)
答案 0 :(得分:2)
似乎你错过了
“/ *”
在政策的资源中。对于对象级操作,资源应为
“ARN:AWS:S3 ::: examplebucket /*".
另外请确保没有拒绝访问的存储桶策略。
更多信息:
答案 1 :(得分:1)
您还需要允许ListBucket
策略,以便以编程方式将对象放入s3。
所以,你的政策是:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::BUCKET_NAME"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": ["arn:aws:s3:::BUCKET_NAME/*"]
}
]
}
答案 2 :(得分:0)
你对lambda.amazonaws.com的角色有信任关系吗?
同样根据您的政策,应如下所示,
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "statement1",
"Effect": "Allow",
"Action": ["s3:PutObject"],
"Resource": "arn:aws:s3:::[BUCKET NAME]/*"
}
]
}
我看到存储桶名称末尾缺少/ *。
参考文档:http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html