在AWS中获取存储桶访问错误

时间:2017-10-27 14:57:43

标签: aws-lambda

我想在S3上传项目时执行lambda函数。我的函数被调用但似乎存在访问错误。这是什么错误?

我已经定义了一个角色 lambdas3,它的可信实体是 Lambda。该角色附加了以下名为 s3lambda 的策略:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1509114309000",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::mybucketname"
            ]
        },
        {
            "Sid": "Stmt1509114340000",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:*:*:*"
            ]
        }
    ]
}

这是lambda函数

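var aws = require('aws-sdk');
// No credentials are passed to the client, so the SDK resolves them from its
// default provider chain; inside Lambda that is the function's execution role.
// The policy attached to that role must allow s3:GetObject on the object ARN
// (arn:aws:s3:::<bucket>/*), not only on the bucket ARN.
var s3 = new aws.S3();

/**
 * S3-triggered Lambda handler: reads the object named in the first event
 * record and reports its body through the Lambda context.
 *
 * @param {Object} event - S3 notification event; only event.Records[0] is read.
 * @param {Object} context - Lambda context; the outcome is reported with
 *     context.succeed / context.fail.
 */
exports.handler = function(event, context) {
    var record = event && event.Records && event.Records[0];
    if (!record || !record.s3) {
        // A manual test invocation or a non-S3 trigger has no S3 record; fail
        // with a clear message instead of throwing a TypeError.
        context.fail('Event does not contain an S3 record');
        return;
    }

    var bucket = record.s3.bucket.name;
    // S3 event notifications URL-encode the key and write spaces as '+'.
    // Turn '+' back into a space before decoding; deleting it yields a
    // different key. When the role has s3:GetObject but not s3:ListBucket,
    // S3 answers a request for a missing key with AccessDenied rather than
    // NoSuchKey, so a wrongly decoded key looks like a permission problem.
    var key = decodeURIComponent(record.s3.object.key.replace(/\+/g, ' '));
    var params = {
        Bucket: bucket,
        Key: key
    };

    s3.getObject(params, function(err, data) {
        if (err) {
            // The logged error carries err.code (e.g. AccessDenied, NoSuchKey),
            // which is what separates a policy problem from a bad key.
            console.log(err);
            context.fail('Error getting object ' + key +
                ' from bucket ' + bucket);
            return;
        }
        // NOTE(review): data.Body is stringified by the concatenation, so the
        // whole object content ends up in the invocation result — confirm that
        // is intended for the objects stored in this bucket.
        context.succeed('hello ' + data.Body);
    });
};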

该函数在执行期间使用 lambdas3 角色。

2 个答案:

答案 0 :(得分:2)

您需要在 GetObject 语句的 Resource 中,给 S3 ARN 末尾加上 /*。s3:GetObject 作用于对象 ARN,而不是存储桶 ARN。例如:

arn:aws:s3:::mybucketname/*

答案 1 :(得分:1)

如果要授予对存储桶中所有对象的权限,则必须在资源中使用通配符(Resource 中的 '/*')。这里的通配符只扩大资源范围,Action 仍然只有 s3:GetObject。更新后的策略如下:



{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1509114309000",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::mybucketname/*"
            ]
        },
        {
            "Sid": "Stmt1509114340000",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:*:*:*"
            ]
        }
    ]
}