AWS Lambda triggered by PUT to s3 bucket in separate account

Question

I am trying to trigger a Lambda function to run on update to a s3 bucket. The s3 bucket that I am attempting to have trigger the Lambda is in a separate AWS account.

The approach I have tried is setting up a role in the account with the s3 bucket that has all the privileges on the s3 bucket. Then in the account with the Lambda I have a role which assumes the role in the other account like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::..."
            ]
        }
    ]
}

I am not able to see the s3 bucket in the list of buckets to trigger the Lambda event.

Is using a s3 bucket in a separate account to trigger a Lambda possible? Is this the correct solution?

Accepted answer

UPDATE: It appears that cross-account triggering of a Lambda function from S3 actually is possible. See: Using Resource-Based Policies for AWS Lambda (Lambda Function Policies)

OLD ANSWER:

Amazon S3 can trigger an AWS Lambda function when objects are added to, or deleted from, a bucket.

However, this trigger must be set up on the bucket itself. You will need the owner of the bucket (or someone with sufficient permissions) to set the configuration to trigger Lambda.

Also, the Lambda function being called must be in the same Account as the Amazon S3 bucket. You could create a Lambda function in one account that then calls a Lambda function in another account (given sufficient permissions), but it is not possible for a Bucket in Account A to directly trigger a Lambda function in Account B.
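The two documents that make the cross-account trigger in the answer's update work are the Lambda function's resource-based policy (added in the Lambda account) and the bucket notification configuration (added by the bucket owner). The example below is added here and is not code from the question or the answer; it builds both documents and includes a small check for the confused-deputy guards (`AWS:SourceAccount` and `AWS:SourceArn`) that a policy granting `s3.amazonaws.com` invoke rights should carry, since without them any bucket in any account that is pointed at the function ARN could invoke it. Account ids, the bucket name, the region and the function name are constructed placeholders.

```python
"""Cross-account S3 -> Lambda trigger: the Lambda function policy, the S3
notification configuration, and a check for the confused-deputy guards.

Added example; not the question's or answer's own code. All identifiers
below are constructed placeholders.
"""
import json

BUCKET_ACCOUNT = "111111111111"   # constructed: account that owns the bucket
LAMBDA_ACCOUNT = "222222222222"   # constructed: account that owns the function
BUCKET = "example-upload-bucket"  # constructed bucket name
FUNCTION_ARN = (                  # constructed function ARN
    f"arn:aws:lambda:us-east-1:{LAMBDA_ACCOUNT}:function:on-upload"
)


def lambda_invoke_policy_statement(bucket, bucket_account, function_arn):
    """Statement for the Lambda function's resource-based policy.

    This is the shape `aws lambda add-permission --principal s3.amazonaws.com
    --source-arn ... --source-account ...` produces. It is applied in the
    Lambda account and lets the S3 service invoke the function, but only for
    events that originate from the named bucket in the named account.
    """
    return {
        "Sid": "AllowS3InvokeFromPartnerBucket",
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
        "Condition": {
            "StringEquals": {"AWS:SourceAccount": bucket_account},
            "ArnLike": {"AWS:SourceArn": f"arn:aws:s3:::{bucket}"},
        },
    }


def s3_notification_configuration(function_arn, prefix="uploads/"):
    """Notification configuration the bucket owner applies to the bucket
    (`aws s3api put-bucket-notification-configuration`). It names the
    function in the other account; S3 only accepts it once the function
    policy above grants the invoke.
    """
    return {
        "LambdaFunctionConfigurations": [
            {
                "Id": "invoke-on-put",
                "LambdaFunctionArn": function_arn,
                "Events": ["s3:ObjectCreated:Put"],
                "Filter": {
                    "Key": {"FilterRules": [{"Name": "prefix", "Value": prefix}]}
                },
            }
        ]
    }


def unscoped_service_grants(policy):
    """Return the Sids of Allow statements that let an AWS service principal
    act on the function without BOTH an AWS:SourceAccount and an
    AWS:SourceArn condition. Such a grant is not tied to a specific bucket
    or account, which is the classic confused-deputy gap in cross-account
    service permissions.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not (isinstance(principal, dict) and "Service" in principal):
            continue
        condition = stmt.get("Condition", {})
        keys = {k.lower() for block in condition.values() for k in block}
        if not {"aws:sourceaccount", "aws:sourcearn"} <= keys:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    scoped = lambda_invoke_policy_statement(BUCKET, BUCKET_ACCOUNT, FUNCTION_ARN)
    policy = {"Version": "2012-10-17", "Statement": [scoped]}
    print(json.dumps(policy, indent=2))
    print(json.dumps(s3_notification_configuration(FUNCTION_ARN), indent=2))
    print("unscoped grants (scoped policy):", unscoped_service_grants(policy))

    # The same statement with its Condition dropped is what an over-broad
    # grant looks like; the checker flags it.
    weak = dict(scoped)
    del weak["Condition"]
    print("unscoped grants (weak policy):",
          unscoped_service_grants({"Statement": [weak]}))
```

Both documents are plain JSON, so they can be fed to the CLI commands named in the docstrings or reviewed in a policy audit; `unscoped_service_grants` is the check to run over any existing function policy before trusting a cross-account trigger.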
