我最初将SES设置为接收电子邮件,在此过程中,我创建了一个存储桶策略,该策略允许服务将电子邮件放入S3。我现在有一个lambda函数,该函数应该能够使用STS承担角色并访问同一存储桶。不幸的是,我无法弄清楚允许服务和IAM角色访问同一存储桶的正确策略,现在我会收到“访问被拒绝”的信息。我使用策略模拟器来验证其他所有功能是否均应正常运行,例如,我添加了一个通用策略,对目标角色进行了更多操作,如果我告诉模拟器忽略存储桶策略,则它表示它可以访问文件。
我尝试过两个语句,一个语句的主体设置为“服务”,另一个语句设置为目标角色(添加了两个语句只是为了看看其中一个是否可行)
{
"Version": "2012-10-17",
"Id": "Policy1478013193612",
"Statement": [
{
"Sid": "Stmt1478013187203",
"Effect": "Allow",
"Principal": {
"Service": "ses.amazonaws.com"
},
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::email-01-bucket/*"
},
{
"Sid": "Stmt55",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:sts::[id-num-with-no-dashes]:assumed-role/[role-name]/[session-name]",
"arn:aws:iam::[id-num-with-no-dashes]:role/[role-name]"
]
},
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::email-01-bucket/*"
}
]
}
我还尝试将其放在1条语句中:
{
"Version": "2012-10-17",
"Id": "Policy1478013193612",
"Statement": [
{
"Sid": "Stmt1478013187203",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:sts::[id-num-with-no-dashes]:assumed-role/[role-name]/[session-name]",
"arn:aws:iam::[id-num-with-no-dashes]:role/[role-name]"
],
"Service": "ses.amazonaws.com"
},
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::email-01-bucket/*"
}
]
}
顺便说一句,文件路径是: arn:aws:s3 ::: email-01-bucket / email / [file-id]
我无法放入ListBucket,因为它会引发错误。
感谢您的帮助:D
让我知道是否应该添加其他内容
[更新]
为了简化查找正确策略的工作,我将介绍IAM策略模拟器中当前设置的内容,我假设如果可以在这里运行它,那么它应该可以在lambda函数上工作。
角色:serviceDev
此角色附加了两个策略。
1)serviceFS:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:PutBucketLogging",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::email-01-bucket/*"
}
]
}
2)AWSLambdaBasicExecutionRole
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
}
]
}
在策略模拟器中:
下拉列表Select Service设置为S3
下拉列表Select Action设置为GetObject
在Resource> Object下,键入现有文件arn:aws:s3:::email-01-bucket/email/u245hnt85uivpfkrrlhgo0jt86gfjgnca2fgocg1的路径(在仔细检查文件是否确实存在之后)
执行完此操作后,左侧会出现一个Resource Policies部分,向我显示使用以下策略连接到我的存储桶的存储桶策略:
{
"Version": "2012-10-17",
"Id": "Policy1478013193612",
"Statement": [
{
"Sid": "Stmt1478013187203",
"Effect": "Allow",
"Principal": {
"Service": "ses.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::email-01-bucket/*"
}
]
}
现在这是我迷路的地方,回到Resource> Object区域,在该区域中指定现有文件的路径,如果我< em> uncheck ,然后模拟器说如果我 check ,则允许该权限,但是出现以下错误:
Include Resource Policy
答案 0 :(得分:2)
据我所知,您需要一个S3存储桶策略(以允许SES将对象放入您的S3存储桶),并且需要一个IAM角色,您的Lambda函数将使用该角色列出该存储桶并放置/获取该存储桶中的对象。 IAM角色还需要一个信任关系,以使AWS Lambda Service可以代表您承担角色(这样您就不必在代码中手动承担该角色)。
特别是:
S3存储桶策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSESPuts",
"Effect": "Allow",
"Principal": {
"Service": "ses.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::BUCKET-NAME/*",
"Condition": {
"StringEquals": {
"aws:Referer": "AWSACCOUNTID"
}
}
}
]
}
IAM角色:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "sidlist",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::BUCKET-NAME"
},
{
"Sid": "sidputget",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::BUCKET-NAME/*"
}
]
}
IAM角色上的信任关系:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
我不确定您为什么在示例中包含s3:PutBucketLogging,但是如果您确实需要它,则将其添加到Lambda的IAM角色中,以arn:aws:s3 :::: BUCKET-NAME资源(而不是arn: aws:s3 ::: BUCKET-NAME / *资源-这是对存储桶的操作,而不是对对象的操作)