S3 Policy to Allow Lambda


Problem description

I have the following policy on an S3 bucket created with the AWS policy generator to allow a lambda, running with a specific role, access to the files in the bucket. However, when I execute the Lambda, I get 403 permission denied:

"errorMessage": "Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: <requestId>)",
"errorType": "com.amazonaws.services.s3.model.AmazonS3Exception",

The Policy on the S3 bucket:

{
    "Version": "2012-10-17",
    "Id": "Policy<number>",
    "Statement": [
        {
            "Sid": "Stmt<number>",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account>:role/<roleName>"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::<bucketName>/*"
        }
    ]
}

What is wrong with the policy? The Lambda is running with the role configured in the policy.

Recommended answer

A role assigned to an AWS Lambda function should be created as an AWS Lambda role (selected when creating a Role in the IAM console).

Roles do not have a Principal since the permissions are assigned to whichever service (in this case, Lambda function) is using the role.

Also, you should assign permissions on the bucket itself (eg to list contents) and on the contents of the bucket (eg to GetObject).

It would be something like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowS3Access",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123XXX:role/service-role/LAMBDA_ROLE_NAME"
            },
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
            ]
        }
    ]
}
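As an added example (not part of the original question or answer), the following Python script models the Allow/Deny matching a bucket policy performs for one request, so the two resource levels the answer talks about can be checked offline: the question's objects-only policy matches `s3:GetObject` on an object key but never matches `s3:ListBucket` on the bucket ARN itself, while a policy that names both the bucket and `bucket/*` does. It also shows a least-privilege variant that grants only `s3:ListBucket` and `s3:GetObject` instead of `s3:*`, and an `audit_policy` helper that flags both the missing bucket-level grant and the wildcard action. The account id, role name and bucket name are constructed placeholders; the evaluator is a deliberately simplified model (explicit Deny wins, then any matching Allow, else implicit deny; Conditions, policy variables and identity-based policies are not modelled), not the AWS policy engine.

```python
import json
import re

# Constructed placeholders: not a real account, role or bucket.
ROLE_ARN = "arn:aws:iam::123456789012:role/service-role/LAMBDA_ROLE_NAME"
BUCKET_ARN = "arn:aws:s3:::my-bucket"

# Shape of the question's policy: the only Resource is the object wildcard,
# so nothing in it can ever match a request against the bucket ARN itself.
OBJECTS_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1",
        "Effect": "Allow",
        "Principal": {"AWS": ROLE_ARN},
        "Action": "s3:*",
        "Resource": f"{BUCKET_ARN}/*",
    }],
})

# Least-privilege variant: the Lambda only needs to list and read, so grant
# exactly those actions, each against the resource level it applies to.
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListBucket",
            "Effect": "Allow",
            "Principal": {"AWS": ROLE_ARN},
            "Action": "s3:ListBucket",
            "Resource": BUCKET_ARN,
        },
        {
            "Sid": "ReadObjects",
            "Effect": "Allow",
            "Principal": {"AWS": ROLE_ARN},
            "Action": ["s3:GetObject"],
            "Resource": f"{BUCKET_ARN}/*",
        },
    ],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Return the AWS principals of a statement ('*' alone means everyone)."""
    principal = stmt.get("Principal", [])
    if isinstance(principal, str):
        return [principal]
    return _as_list(principal.get("AWS", []))


def _matches(pattern, value):
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def is_allowed(policy_json, principal_arn, action, resource_arn):
    """Simplified evaluation: explicit Deny wins, else any matching Allow."""
    allowed = False
    for stmt in json.loads(policy_json)["Statement"]:
        if not any(_matches(p, principal_arn) for p in _principals(stmt)):
            continue
        # Action names are matched case-insensitively, resources exactly.
        if not any(_matches(a.lower(), action.lower())
                   for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def audit_policy(policy_json, principal_arn, bucket_arn):
    """Return findings a reviewer would raise for a bucket policy."""
    findings = []
    if not is_allowed(policy_json, principal_arn, "s3:ListBucket", bucket_arn):
        findings.append("no bucket-level grant: s3:ListBucket on the bucket ARN is denied")
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt["Effect"] == "Allow" and "s3:*" in _as_list(stmt["Action"]):
            findings.append(f"statement {stmt.get('Sid')} grants s3:* (overly broad)")
    return findings


if __name__ == "__main__":
    obj = f"{BUCKET_ARN}/data/file.txt"
    for name, policy in (("objects-only", OBJECTS_ONLY_POLICY),
                         ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, "ListBucket:", is_allowed(policy, ROLE_ARN, "s3:ListBucket", BUCKET_ARN),
              "GetObject:", is_allowed(policy, ROLE_ARN, "s3:GetObject", obj),
              "findings:", audit_policy(policy, ROLE_ARN, BUCKET_ARN))
```

Running the script shows the objects-only policy allowing `GetObject` on a key but denying `ListBucket` on the bucket, which is why a Lambda that lists before it reads gets a 403 even though the role is named as Principal; the least-privilege policy passes both checks and produces no findings.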
