aws lambda环境中的aws_access_key_id

时间:2017-12-04 15:20:56

标签: amazon-web-services amazon-s3 aws-lambda boto3 amazon-iam

我正在使用boto3为s3创建预先签名的帖子。

s3 = boto3.client('s3')
post = s3.generate_presigned_post(
        Bucket=bucket_name,
        Key=f"{userid}.{suffix}"
    )

正在使用的aws_access_key_id不正确,使用正确方法的方法之一是通过环境变量添加环境变量。

任何想法如何使用我在IAM中创建的用户定义的aws访问密钥来强制执行?

更新1

附加到执行lambda的IAM角色的策略

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:*"
            ],
            "Resource": "arn:aws:logs:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AttachNetworkInterface",
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeInstances",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DetachNetworkInterface",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:ResetNetworkInterfaceAttribute"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kinesis:*"
            ],
            "Resource": "arn:aws:kinesis:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sns:*"
            ],
            "Resource": "arn:aws:sns:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sqs:*"
            ],
            "Resource": "arn:aws:sqs:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:*"
            ],
            "Resource": "arn:aws:dynamodb:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:*"
            ],
            "Resource": "*"
        }
    ]
}

更新2

IAM中的角色 Role in IAM Lambda配置中的角色配置 Role configuration in Lambda configuration

1 个答案:

答案 0 :(得分:5)

您不应该将IAM用户用于lambda中的任何类型的执行权限。而是使用附加了适当策略的IAM角色并attach that role to your Lambda function

另请注意,一旦配置了角色,访问ID和密码将由lambda自动设置为环境变量,Boto将在不进行任何其他配置的情况下检索它们。

相关问题
最新问题