对于上下文,我正在使用无服务器框架,因此发生了一些事情:
ListBucket
到存储桶ARN作为资源GetObject
,PutObject
DeleteObjet
到存储桶ARN作为/*
前缀的资源我有以下iamRoleStatements
部分:
- Effect: "Allow"
Action:
- "s3:ListBucket"
Resource:
- Fn::Join:
- ""
- - "arn:aws:s3:::"
- Ref: StaticSiteBucket
- Effect: "Allow"
Action:
- "s3:GetObject"
- "s3:PutObject"
- "s3:DeleteObject"
- "s3:GetObjectVersionTagging"
- "s3:PutObjectVersionTagging"
Resource:
- Fn::Join:
- ""
- - "arn:aws:s3:::"
- Ref: StaticSiteBucket
- "/*"
我实际上可以确认它对生成的角色产生了以下策略:
{
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bucket-name-here"
],
"Effect": "Allow"
},
{
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:GetObjectVersionTagging",
"s3:PutObjectVersionTagging"
],
"Resource": [
"arn:aws:s3:::bucket-name-here/*"
],
"Effect": "Allow"
}
有了这个,我运行了lambda函数以在该存储桶上执行putObject
。得到一个'Access denied error'
,所以我想如果存储桶本身需要允许写什么,所以我对存储桶策略包括了一条写语句:
StaticSiteBucket:
Type: AWS::S3::Bucket
Properties:
AccessControl: PublicRead
BucketName: ${self:service}-static-site-${self:provider.stage}
WebsiteConfiguration:
IndexDocument: index.html
StaticSiteBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket:
Ref: StaticSiteBucket
PolicyDocument:
Statement:
- Sid: PublicReadGetObject
Effect: Allow
Principal: "*"
Action:
- s3:GetObject
Resource:
Fn::Join: [
"", [
"arn:aws:s3:::",
{
"Ref": "StaticSiteBucket"
},
"/*"
]
]
- Sid: AllowLambdaRoleWrite
Effect: Allow
Action:
- "s3:GetObject"
- "s3:PutObject"
- "s3:DeleteObject"
- "s3:GetObjectVersionTagging"
- "s3:PutObjectVersionTagging"
Principal:
AWS:
- Fn::GetAtt: [ IamRoleLambdaExecution, Arn ]
Resource:
Fn::Join:
- ""
- - "arn:aws:s3:::"
- Ref: StaticSiteBucket
- "/*"
哪个会在S3存储桶中生成以下策略:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket-name-here/*"
},
{
"Sid": "AllowLambdaRoleWrite",
"Effect": "Allow",
"Principal": {
"AWS": "<role-arn>"
},
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:GetObjectVersionTagging",
"s3:PutObjectVersionTagging"
],
"Resource": "arn:aws:s3:::bucket-name-here/*"
}
]
}
所以,我尝试了一下:
我想念什么?
答案 0 :(得分:1)
要考虑的一些想法:
答案 1 :(得分:0)
所以我的情况是:
getObjectTagging
和putObjectTagging
动作。适用于有类似问题的任何人。请在下面阅读!
从课程中学习(我花了一天半的时间在此上),并意识到Stackoverflow是经验和知识的存储库。
我要指出:
这是我的StaticSiteBucket资源声明现在的样子:
- Effect: "Allow"
Action:
- "s3:ListBucket"
Resource:
- Fn::Join:
- ""
- - "arn:aws:s3:::"
- Ref: StaticSiteBucket
- Effect: "Allow"
Action:
- "s3:GetObject"
- "s3:PutObject"
- "s3:DeleteObject"
- "s3:GetObjectTagging"
- "s3:PutObjectTagging"
Resource:
- Fn::Join:
- ""
- - "arn:aws:s3:::"
- Ref: StaticSiteBucket
- "/*"