我正在使用boto3为s3创建预先签名的帖子。
s3 = boto3.client('s3')
post = s3.generate_presigned_post(
Bucket=bucket_name,
Key=f"{userid}.{suffix}"
)
正在使用的aws_access_key_id
不正确,使用正确方法的方法之一是通过环境变量添加环境变量。
任何想法如何使用我在IAM中创建的用户定义的aws访问密钥来强制执行?
附加到执行lambda的IAM角色的策略
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:*"
],
"Resource": "arn:aws:logs:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"xray:PutTraceSegments",
"xray:PutTelemetryRecords"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:AttachNetworkInterface",
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface",
"ec2:DescribeInstances",
"ec2:DescribeNetworkInterfaces",
"ec2:DetachNetworkInterface",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ResetNetworkInterfaceAttribute"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"kinesis:*"
],
"Resource": "arn:aws:kinesis:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"sns:*"
],
"Resource": "arn:aws:sns:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"sqs:*"
],
"Resource": "arn:aws:sqs:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"dynamodb:*"
],
"Resource": "arn:aws:dynamodb:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"route53:*"
],
"Resource": "*"
}
]
}
答案 0 :(得分:5)
您不应该将IAM用户用于lambda中的任何类型的执行权限。而是使用附加了适当策略的IAM角色并attach that role to your Lambda function。
另请注意,一旦配置了角色,访问ID和密码将由lambda自动设置为环境变量,Boto将在不进行任何其他配置的情况下检索它们。