list_object not working for cross-account with AWS Lambda


Problem description

I'm trying to download a file from an S3 path in another account using AWS Lambda & Python. I'm able to download the files if I provide the full key to copy_object. This will not work for me in a day-to-day scenario as there's no notification and my scheduled lambda code has to check for the presence of the file using wildcards. But I'm getting an Access Denied error (An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied) while trying to list the contents of that bucket, even though I have get & list permissions added.

I have the following policy added to my lambda role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::<src S3 bucket>/",
                "arn:aws:s3:::<src S3 bucket>/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:GenerateDataKey",
                "kms:ReEncrypt*",
                "kms:DescribeKey"
            ],
            "Resource": [
                "arn:aws:kms:us-east-1:<src bucket account id>:key/<src bucket kms key>"
            ],
            "Effect": "Allow"
        }
    ]
}

In the source bucket, they have added the permissions below for my lambda role

{
    "Sid": <>,
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::<my account id>:role/LambdaRole"
        ]
    },
    "Action": [
        "s3:Get*",
        "s3:List*"
    ],
    "Resource": [
        "arn:aws:s3:::<src S3 bucket>",
        "arn:aws:s3:::<src S3 bucket>/*"
    ]
},

Python code to pull the file


import logging
from urllib.parse import unquote_plus

import boto3

logger = logging.getLogger(__name__)


def get_s3_file(event):
    s3 = boto3.client('s3')
    bucket_name = event['Records'][0]['s3']['bucket']['name']
    file_key = unquote_plus(event['Records'][0]['s3']['object']['key'])
    file_name = file_key + 'test.txt'
    logger.info('Reading {} from {}'.format(file_key, bucket_name))
    # list_objects_v2 returns a dict; the matching objects are under
    # 'Contents' (absent when nothing matches the prefix), each a dict
    # with a 'Key' string. Iterating the response itself only yields
    # its top-level keys ('ResponseMetadata', 'IsTruncated', ...).
    response = s3.list_objects_v2(Bucket=bucket_name, Prefix=file_key)
    for obj in response.get('Contents', []):
        print(obj['Key'])
        if obj['Key'].endswith('.txt'):
            print(obj['Key'])
    copy_source = {'Bucket': bucket_name, 'Key': file_name}
    # Reuse the same client (the original referenced an undefined s3_c).
    # The destination key must name the object; a bare '/data/' would
    # create a single object literally called '/data/'.
    s3.copy_object(Bucket='<my bucket>',
                   Key='data/' + file_name.rsplit('/', 1)[-1],
                   CopySource=copy_source,
                   ACL='bucket-owner-full-control')

Solution

Probably the issue is due to KMS. If the Lambda and the bucket are in different accounts, the Lambda will not automatically have access to the KMS key in the second account. You have to modify the KMS key policy to allow that. So try adding the Lambda role ARN to the KMS policy in the second account.
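Added example, not code from the original question or answer. In a cross-account call both policies have to allow the request: the identity policy attached to the Lambda role in the caller's account and the bucket policy in the bucket owner's account. s3:ListBucket is a bucket-level action and is evaluated against the bucket ARN arn:aws:s3:::bucket; a resource of arn:aws:s3:::bucket/ (trailing slash) or arn:aws:s3:::bucket/* only ever matches object ARNs, so such a statement grants GetObject but not the listing. Listing does not read object data, so KMS key permissions are not consulted for ListBucket at all; they matter once GetObject or CopyObject touches an SSE-KMS object. The script below reimplements just enough of IAM's action and resource wildcard matching (Allow statements only; Deny, Condition, NotAction and NotResource are ignored) to check the two policies from the question, with the placeholders replaced by made-up names: bucket src-bucket and account 111111111111.

```python
"""Quick check of whether an IAM policy grants s3:ListBucket on a bucket.

Added example, not code from the original question or answer. The policies
below are constructed copies of the two in the question with placeholder
names filled in. Only Allow statements are evaluated; Deny, Condition,
NotAction and NotResource are ignored, so this is a sanity check, not an
IAM simulator.
"""
import copy
import re

# Identity policy on the Lambda role, as posted (note the trailing slash).
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["s3:Get*", "s3:List*"],
            "Resource": [
                "arn:aws:s3:::src-bucket/",   # object-style ARN, not the bucket ARN
                "arn:aws:s3:::src-bucket/*",
            ],
            "Effect": "Allow",
        }
    ],
}

# Bucket policy statement in the source account, as posted (bucket ARN is correct).
BUCKET_POLICY_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::111111111111:role/LambdaRole"]},
    "Action": ["s3:Get*", "s3:List*"],
    "Resource": ["arn:aws:s3:::src-bucket", "arn:aws:s3:::src-bucket/*"],
}


def _as_list(value):
    # Policy fields may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _iam_pattern_to_regex(pattern):
    # IAM wildcards: '*' matches any run of characters (including '/'), '?' one character.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("^" + body + "$")


def action_matches(pattern, action):
    # Action names are matched case-insensitively.
    return _iam_pattern_to_regex(pattern.lower()).match(action.lower()) is not None


def resource_matches(pattern, arn):
    # Resource ARNs are matched case-sensitively.
    return _iam_pattern_to_regex(pattern).match(arn) is not None


def bucket_arn(bucket):
    return "arn:aws:s3:::" + bucket


def object_arn(bucket, key):
    return "arn:aws:s3:::" + bucket + "/" + key


def allows(statements, action, resource_arn):
    """True if some Allow statement matches both the action and the resource ARN."""
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        if not any(action_matches(p, action) for p in _as_list(st.get("Action", []))):
            continue
        if any(resource_matches(p, resource_arn) for p in _as_list(st.get("Resource", []))):
            return True
    return False


def lint_listbucket(statements, bucket):
    """Return findings explaining why s3:ListBucket is not granted on `bucket` ([] if it is)."""
    findings = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        if not any(action_matches(p, "s3:ListBucket") for p in _as_list(st.get("Action", []))):
            continue
        for res in _as_list(st.get("Resource", [])):
            if resource_matches(res, bucket_arn(bucket)):
                return []  # this statement grants the listing; nothing to report
            if res.startswith(bucket_arn(bucket) + "/"):
                findings.append(
                    f"statement {i}: '{res}' only matches objects inside the bucket; "
                    f"s3:ListBucket is evaluated against '{bucket_arn(bucket)}'"
                )
    return findings or [f"no Allow statement matches s3:ListBucket on {bucket_arn(bucket)}"]


def fix_bucket_level_resources(policy, bucket):
    """Copy of an identity policy with 'arn:aws:s3:::bucket/' rewritten to the bucket ARN."""
    fixed = copy.deepcopy(policy)
    for st in fixed["Statement"]:
        st["Resource"] = [bucket_arn(bucket) if r == bucket_arn(bucket) + "/" else r
                          for r in _as_list(st.get("Resource", []))]
    return fixed


if __name__ == "__main__":
    for line in lint_listbucket(IDENTITY_POLICY["Statement"], "src-bucket"):
        print("identity policy:", line)
    print("bucket policy:", lint_listbucket([BUCKET_POLICY_STATEMENT], "src-bucket") or "ok")
    fixed = fix_bucket_level_resources(IDENTITY_POLICY, "src-bucket")
    print("fixed identity policy:", lint_listbucket(fixed["Statement"], "src-bucket") or "ok")
```

Run as-is it reports the identity policy's two object-only resources, passes the bucket policy statement, and passes the identity policy once the trailing slash is removed. The same pattern (bucket ARN for ListBucket, bucket/* for object actions) is what the bucket owner already used in their statement; the Lambda role's own policy is the side that differs.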
