我可能会遗漏某些东西,并可能在这些政策上使用第二眼。
我的存储桶策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowS3Access",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::redacted:role/myrole"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::<my-bucket>",
"arn:aws:s3:::<my-bucket>/*"
]
}
]
}
我检查了对象的权限,并为其中的唯一对象允许所有人进行读写访问,只是为了使此功能起作用(但仍然没有)。
这是我用来访问存储桶的lambda角色:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"dynamodb:GetItem",
"s3:ListBucket",
"dynamodb:Query",
"dynamodb:UpdateItem",
"s3:DeleteObject",
"s3:GetBucketLocation",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::<my-bucket>",
"arn:aws:s3:::<my-bucket>/*",
"arn:aws:dynamodb:us-east-1:dynamo:table/myTable"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"polly:SynthesizeSpeech",
"polly:StartSpeechSynthesisTask",
"s3:ListAllMyBuckets",
"polly:GetSpeechSynthesisTask"
],
"Resource": "*"
}
]
}
可能是我在lambda中编写的函数错误吗?这是它打破的部分:
s3 = boto3.resource('s3')
bucket = s3.Bucket('BUCKET_NAME')
key = postId + "_" + title + ".mp3"
objs = list(bucket.objects.filter(Prefix=key))
if len(objs) > 0 and objs[0].key == key:
print("Exists!")
boto3.client('s3').delete_object(Bucket='BUCKET_NAME', Key=key)
else:
print("Doesn't exist")
我尝试添加ListObject作为策略操作,但我认为它仅与List存储桶有关。我从另一个答案中删除了列表存储区对象函数,因为我是Python的新手,但似乎仍然可以在这一点上工作。
编辑:这是我在cloudwatch中收到的确切错误
An error occurred (AllAccessDisabled) when calling the ListObjects
operation: All access to this object has been disabled: ClientError
Traceback (most recent call last):
File "/var/task/lambda_function.py", line 33, in lambda_handler
编辑2:BUCKET_NAME是一个环境变量。
答案 0 :(得分:1)
我没有正确分配环境变量。正确的语法是
s3 = boto3.resource('s3', 'us-east-1')
bucket_name = os.environ['BUCKET_NAME'] <<<< this variable
bucket = s3.Bucket(bucket_name) <<<<< into here
将环境变量分配给您的lambda代码。
答案 1 :(得分:0)