I am trying to set up an image-resizing Lambda following Resize Images on the Fly with Amazon S3, AWS Lambda, and Amazon API Gateway | AWS Compute Blog.
But the IAM policy does not work. It has no access to the S3 bucket.
I tested it in the IAM Policy Simulator (testing S3 PutObject) and it shows Implicitly denied (not matching statements).
I edited the policy according to Grant a Lambda Execution Role Access to an Amazon S3 Bucket, but it gives me the same error.
This is my bucket policy (edited: I changed it to the role below instead of the root role, but it is still denied by the IAM Policy Simulator):
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPublicRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::mybucketname/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<my-account-number>::role/<my-role-name>"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::mybucketname",
        "arn:aws:s3:::mybucketname/*"
      ]
    }
  ]
}
This is my IAM role policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "logs:CreateLogGroup",
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Sid": "VisualEditor3",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::mybucketname/*",
        "arn:aws:s3:::mybucketname"
      ]
    }
  ]
}
These are my S3 redirect rules:
<RoutingRules>
  <RoutingRule>
    <Condition>
      <KeyPrefixEquals/>
      <HttpErrorCodeReturnedEquals>404</HttpErrorCodeReturnedEquals>
    </Condition>
    <Redirect>
      <Protocol>https</Protocol>
      <HostName>MYAPIENDPOINT.eu-west-1.amazonaws.com</HostName>
      <ReplaceKeyPrefixWith>default/resize?key=</ReplaceKeyPrefixWith>
      <HttpRedirectCode>307</HttpRedirectCode>
    </Redirect>
  </RoutingRule>
</RoutingRules>
Answer 0 (score: 0)
Are you sure the Lambda function runs as the root user? (I don't even know whether that is possible, but you probably don't want to do that.)
You can find out the role of the Lambda function with the following command:
aws lambda get-function-configuration --function-name YOUR_FUNCTION_NAME | grep Role
The value you see there is the one that should be used in your bucket policy:
{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::<my-account-number>:role/service-role/foo-bar-baz"
  },
  "Action": "s3:*",
  "Resource": [
    "arn:aws:s3:::mybucketname",
    "arn:aws:s3:::mybucketname/*"
  ]
}
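As an added example (not part of the question, the answer, or the AWS blog post), the script below checks the two things this thread turns on before anyone reaches for the Policy Simulator: whether every principal in the bucket policy actually parses as a role ARN (the posted bucket policy has a doubled colon before `role/`, and a malformed ARN silently matches no principal), and whether the role policy's Action/Resource wildcards cover `s3:PutObject` on the bucket. The account id `123456789012`, the role names and the `Sid` values are constructed placeholders; the evaluator is a deliberate simplification that ignores `Condition`, `NotAction`/`NotResource` and cross-account semantics. The role ARN returned by the answer's `aws lambda get-function-configuration` command is what you would pass to `with_principal`.

```python
import fnmatch
import json
import re

# Shape of an IAM role ARN: arn:aws:iam::<12-digit account>:role/<optional path/><name>.
# Exactly one colon sits between the account id and "role/".
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource/Principal.AWS; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def principal_arns(policy):
    """Return (Sid, arn) for every explicit AWS principal in a resource policy."""
    found = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        if principal == "*":  # anonymous principal, nothing to validate
            continue
        for arn in _as_list(principal.get("AWS", [])):
            if arn != "*":
                found.append((stmt.get("Sid", "<no Sid>"), arn))
    return found


def malformed_role_arns(policy):
    """Principals that do not parse as a role ARN; these grant access to nobody."""
    return [(sid, arn) for sid, arn in principal_arns(policy) if not ROLE_ARN_RE.match(arn)]


def allows(policy, action, resource):
    """Simplified evaluator: an explicit Deny wins, otherwise any matching Allow grants.

    Only Action/Resource wildcard matching is modelled (constructed simplification):
    Condition, NotAction/NotResource and cross-account rules are ignored.
    """
    allowed = False
    for stmt in policy.get("Statement", []):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def with_principal(policy, sid, role_arn):
    """Return a copy of `policy` in which statement `sid` is granted to `role_arn` only."""
    fixed = json.loads(json.dumps(policy))  # deep copy, leave the input untouched
    for stmt in fixed["Statement"]:
        if stmt.get("Sid") == sid:
            stmt["Principal"] = {"AWS": role_arn}
    return fixed


# Constructed sample: the posted bucket policy with a placeholder account id and a Sid added.
BUCKET_POLICY_AS_POSTED = json.loads("""{
  "Version": "2008-10-17",
  "Statement": [
    {"Sid": "AllowPublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mybucketname/*"},
    {"Sid": "LambdaRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012::role/resize-role"},
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::mybucketname", "arn:aws:s3:::mybucketname/*"]}
  ]
}""")

# Constructed sample: the posted role policy, with the two logs statements merged.
ROLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Logs", "Effect": "Allow",
     "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:*:*:*"},
    {"Sid": "ListBuckets", "Effect": "Allow",
     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"], "Resource": "*"},
    {"Sid": "Bucket", "Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::mybucketname/*", "arn:aws:s3:::mybucketname"]}
  ]
}""")

# Placeholder for the value printed by `aws lambda get-function-configuration ... | grep Role`.
LAMBDA_ROLE_ARN = "arn:aws:iam::123456789012:role/service-role/foo-bar-baz"
OBJECT_ARN = "arn:aws:s3:::mybucketname/resized/photo.jpg"

if __name__ == "__main__":
    print("malformed principals:", malformed_role_arns(BUCKET_POLICY_AS_POSTED))
    fixed = with_principal(BUCKET_POLICY_AS_POSTED, "LambdaRole", LAMBDA_ROLE_ARN)
    print("after fix:", malformed_role_arns(fixed))
    print("role policy allows PutObject:", allows(ROLE_POLICY, "s3:PutObject", OBJECT_ARN))
```

Both sides have to pass for a same-account Lambda: the role policy must allow the action, and the bucket policy must name a principal that exists. A regex check like `ROLE_ARN_RE` catches the typo class here before the simulator reports the less specific "Implicitly denied".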