对S3存储桶的IAM策略的权限被拒绝

时间:2019-06-27 13:37:32

标签: amazon-web-services amazon-s3 aws-lambda

我正在尝试使用Resize Images on the Fly with Amazon S3, AWS Lambda, and Amazon API Gateway | AWS Compute Blog设置调整大小的图像lambda。

但是,IAM策略不起作用。它无权访问S3存储桶。

我在IAM策略模拟器(测试S3 PutObject)中对其进行了测试,并显示Implicitly denied (not matching statements)

我根据Grant a Lambda Execution Role Access to an Amazon S3 Bucket编辑了该策略,但是它给了我同样的错误。

这是我的存储桶策略(已编辑,将其更改为以下角色,而不是root角色,但仍通过IAM Policy Stimulator拒绝了):

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::mybucketname/*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<my-account-number>::role/<my-role-name>"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::mybucketname",
                "arn:aws:s3:::mybucketname/*"
            ]
        }
    ]
}

这是我的IAM角色政策:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "logs:CreateLogGroup",
            "Resource": "arn:aws:logs:*:*:*"
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::mybucketname/*",
                "arn:aws:s3:::mybucketname"
            ]
        }
    ]
}

这是我的S3重定向规则:

<RoutingRules>
  <RoutingRule>
    <Condition>
      <KeyPrefixEquals/>
      <HttpErrorCodeReturnedEquals>404</HttpErrorCodeReturnedEquals>
    </Condition>
    <Redirect>
      <Protocol>https</Protocol>
      <HostName>MYAPIENDPOINT.eu-west-1.amazonaws.com</HostName>
      <ReplaceKeyPrefixWith>default/resize?key=</ReplaceKeyPrefixWith>
      <HttpRedirectCode>307</HttpRedirectCode>
    </Redirect>
  </RoutingRule>
</RoutingRules>

1 个答案:

答案 0 :(得分:0)

您确定Lambda函数以root用户身份运行吗? (我什至不知道这是否可能,但您可能不想这样做)

您可以使用以下命令找出Lambda函数的角色:

aws lambda get-function-configuration --function-name YOUR_FUNCTION_NAME | grep Role

您看到的值就是您的存储桶策略中应使用的值:

    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::<my-account-number>:role/service-role/foo-bar-baz"
        },
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::mybucketname",
            "arn:aws:s3:::mybucketname/*"
        ]
    }