Lambda function writing to S3 - IAM policy for accessing S3

Time: 2019-07-09 08:34:00

Tags: amazon-web-services amazon-s3 amazon-iam

Here is my policy. It grants read/write access, yet I still cannot write to the S3 bucket.

Problem

I still get the following error:

Failed to upload /tmp/test.txt to bucket-name/Automation_Result_2019-07-09 04:20:32_.csv: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ConsoleAccess",
            "Effect": "Allow",
            "Action": [
                "s3:GetAccountPublicAccessBlock",
                "s3:GetBucketAcl",
                "s3:GetBucketLocation",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketPublicAccessBlock",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ListObjectsInBucket",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": [
                "arn:aws:s3:::bucketname"
            ]
        },
        {
            "Sid": "AllObjectActions",
            "Effect": "Allow",
            "Action": "s3:*Object",
            "Resource": [
                "arn:aws:s3:::bucketname/*"
            ]
        }
    ]
}

Bucket policy

{
    "Version": "2012-10-17",
    "Id": "MYBUCKETPOLICY",
    "Statement": [
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket-name/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"
                }
            }
        },
        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket-name/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        }
    ]
}

Python code (in the Lambda function), the relevant part of the code

import boto3
from botocore.config import Config
from datetime import datetime

s3 = boto3.resource('s3', config=Config(signature_version='s3v4'))

target_bucket = 'bucket-name'
EST = datetime.utcnow().strftime("%Y-%m-%d %H:%M:%S")  # assumed: timestamp string built elsewhere in the function
target_file = "Output/Automation_Result_"+EST+"_.txt"

# Upload with SSE-KMS so the bucket policy's encryption conditions are satisfied
s3.meta.client.upload_file('/tmp/test.txt', target_bucket, target_file,
                           ExtraArgs={"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": "XXXXXXX-XXXX-XXXX"})

This is how my bucket's public access settings look:

1 answer:

Answer 0 (score: 1)

Works fine for me!

I took your policy, renamed the bucket, and attached it to a user as the only policy.

I was then able to copy objects from the bucket successfully.

If it does not work for you, then you are not using the credentials associated with this policy, or there is another policy blocking access, such as a Deny policy or a scope-restricting policy.
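To see how the two policies in the question interact, here is a small offline evaluator added to this page (not code from the question or the answer). It models the bucket policy's two Deny statements and the IAM Allow statement against a PutObject request; "bucket-name" is the question's placeholder, and the condition-operator semantics are a simplified model of AWS's evaluation, not the real engine.

```python
import fnmatch

# Constructed model of the bucket policy's two Deny statements and the IAM Allow
# from the question; "bucket-name" is the question's placeholder, not a real bucket.
BUCKET_DENIES = [
    {"Action": "s3:PutObject", "Resource": "arn:aws:s3:::bucket-name/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Action": "s3:PutObject", "Resource": "arn:aws:s3:::bucket-name/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
]
IAM_ALLOW = {"Action": "s3:*Object", "Resource": "arn:aws:s3:::bucket-name/*"}

def _match(pattern, value):
    # IAM-style wildcard match ('*' and '?'); enough for the patterns used here.
    return fnmatch.fnmatchcase(value, pattern)

def _condition_holds(condition, context):
    # Simplified semantics for the two operators in the bucket policy. A missing
    # key is treated as no match for StringNotEquals; the Null statement covers it.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringNotEquals":
                if actual is None or actual == expected:
                    return False
            elif operator == "Null":
                if (actual is None) != (expected == "true"):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True

def evaluate_put(bucket, key, headers):
    """Outcome of a PutObject: 'denied-by-bucket-policy', 'allowed' or 'implicit-deny'."""
    resource = f"arn:aws:s3:::{bucket}/{key}"
    context = {}
    if "x-amz-server-side-encryption" in headers:
        context["s3:x-amz-server-side-encryption"] = headers["x-amz-server-side-encryption"]
    for stmt in BUCKET_DENIES:  # an explicit Deny wins over any Allow
        if (_match(stmt["Action"], "s3:PutObject") and _match(stmt["Resource"], resource)
                and _condition_holds(stmt["Condition"], context)):
            return "denied-by-bucket-policy"
    if _match(IAM_ALLOW["Action"], "s3:PutObject") and _match(IAM_ALLOW["Resource"], resource):
        return "allowed"
    return "implicit-deny"  # no matching Allow, e.g. the bucket ARN in the IAM policy differs
```

The Lambda's upload_file call with ServerSideEncryption set to aws:kms evaluates to "allowed" under this model, while an unencrypted or AES256 upload hits the bucket policy's Deny; a mismatch between the bucket name in the IAM policy and the one being written to shows up as "implicit-deny".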