使用 javascript 中的 AWS SDK copyobject 方法将对象从一个存储桶复制到不同账户中的另一个存储桶的 Lambda [英] Lambda that copy object from one bucket to another in different accounts using AWS SDK copyobject method in javascript
问题描述
我想使用 copyObject
方法将对象从 account-1
中的存储桶复制到 account-2
中的其他存储桶lambda 中的 AWSJavaScriptSDK.现在它的工作原理是允许 account-1
中的 lambda 角色使用 s3 存储桶策略写入帐户 account-2
中的存储桶.问题是,在 account-2
中,我们有很多存储桶,我们希望避免每次创建一个写入或读取其中一个的 lambda 时都向每个存储桶添加权限.
I would like to copy objects from the bucket in account-1
to the other buckets in account-2
using the copyObject
method of the AWSJavaScriptSDK in a lambda. Right now it works by allowing the lambda role in account-1
to write in the bucket in account account-2
using the s3 bucket policies. The thing is that in the account-2
we have a lot of buckets and we want to avoid adding permission to each of them every time that we create a lambda that writes or read in one of them.
我正在尝试让 account-1
中的 lambda 承担具有在 account-2
中写入和读取权限的角色,如下所示.
I'm trying that the lambda in the account-1
assume the role with the permissions to write and read in the account-2
as follows.
在
account-2
中,我有一个名为s3-account-2-full-access
的角色和AmazonS3FullAccess
策略以及以下信任关系:
In the
account-2
I have the role calleds3-account-2-full-access
with theAmazonS3FullAccess
policy and the following trusted relationship:
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::11111111111:role/lambda-account-1-role"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
在 account-1
中,我有 lambda-account-1-role
并附加了以下策略.
In the account-1
I have the lambda-account-1-role
with the following policy attached.
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::22222222222:role/s3-account-2-full-access"
}
]
}
在 lambda 中,我承担如下角色:
In the lambda I'm assuming the role as follows:
const sts = new AWS.STS();
exports.handler = async (event) => {
const timestamp = (new Date()).getTime();
var sts_params = {
RoleArn: 'arn:aws:iam::22222222222:role/s3-account-2-full-access',
RoleSessionName: `id-${timestamp}`,
DurationSeconds: 3600,
};
const { Credentials } = await sts.assumeRole(sts_params).promise();
const { AccessKeyId, SecretAccessKey, SessionToken } = Credentials;
const accessparams2 = {
accessKeyId: AccessKeyId,
secretAccessKey: SecretAccessKey,
sessionToken: SessionToken,
};
var s3 = new AWS.S3(accessparams2);
var params = {
Bucket: "account-2-bucket",
CopySource: "/account-1-bucket/file.txt",
Key: "file.txt"
};
const result = await s3.copyObject(params).promise();
const response = {
statusCode: 200,
body: JSON.stringify(result),
};
return response;
};
这里的问题是我在 copyObject
期间收到错误 AccessDenied
.也许我误解了一些东西,但我不知道如何将对象从帐户 1 复制到帐户 2,而不必编辑帐户 2 中的存储桶策略.
The thing here is that I'm getting the error AccessDenied
during the copyObject
. Maybe I'm misunderstanding something, but I can't figure out how I could copy the objects from account-1 to account-2 without having to edit the bucket policy in account-2.
推荐答案
您需要使用刚刚获得的代入角色权限执行 S3,我认为您缺少它:)
You need to execute S3 with the assume role permissions that you just get, I think that you are missing it :)
var s3 = new AWS.S3(accessparams2);
作为奖励积分:
- 您在每次 lambda 执行中都扮演角色并实例化 s3 对象,这不是必需的,您可以在处理程序函数中执行此操作以提高性能
- nodejs SDK 用于每个对象都有一个
.promise()
方法,因此您可能可以执行以下操作以避免getCrossAccountCredentials
函数(就像您在 s3 调用中所做的那样):const data = await sts.assumeRole(sts_params).promise();
- You are assuming role and instantiate the s3 object in every lambda execution, this is not necessary, you can do it out of your handler function to improve performance
- nodejs SDK use to have a
.promise()
method for every object so you probably can do something like the following to avoid the ugly Promise/callback thing in yourgetCrossAccountCredentials
function (as you do with your s3 call):const data = await sts.assumeRole(sts_params).promise();
这篇关于使用 javascript 中的 AWS SDK copyobject 方法将对象从一个存储桶复制到不同账户中的另一个存储桶的 Lambda的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!