terraform/aws lambda 函数访问在 s3 上被拒绝答案

【问题标题】：terraform/aws lambda function access denied on s3terraform/aws lambda 函数访问在 s3 上被拒绝
【发布时间】：2021-05-19 18:07:39
【问题描述】：

使用 terraform 测试 AWS 实例调度程序。代码here

看起来我的代码出现了这个错误：

错误：等待创建 CloudFormation 堆栈时出错：未能创建 CloudFormation 堆栈，请求回滚 (ROLLBACK_COMPLETE)：[“未能创建以下资源：[主要]。用户请求回滚。” “您的访问已被 S3 拒绝，请确保您的请求凭据对解决方案-us-gov-west-1/aws-instance-scheduler/v1.3.1/instance-scheduler.zip 的 GetObject 具有权限。S3 错误代码： AccessDenied.S3 错误消息：访问被拒绝（服务：AWSLambdaInternal；状态代码：403；错误代码：AccessDeniedException；请求 ID：731b7c0d-cda9-4f9e-b821-efed4cbced46；代理：null）"]

下面是部分代码：IAM policy

"InstanceSchedulerEncryptionKeyAlias": {
    "Type": "AWS::KMS::Alias",
    "Properties": {
        "AliasName": "alias/instance-scheduler-encryption-key",
        "TargetKeyId": {
            "Ref": "InstanceSchedulerEncryptionKey"
        }
    }
},
"SchedulerPolicy": {
    "Type": "AWS::IAM::Policy",
    "Metadata": {
        "cfn_nag": {
            "rules_to_suppress": [
                {
                    "id": "W12",
                    "reason": "All policies have been scoped to be as restrictive as possible. This solution needs to access ec2/rds resources across all regions."
                }
            ]
        }
    },
    "Properties": {
        "PolicyName": "SchedulerPolicy",
        "Roles": [
            {
                "Ref": "SchedulerRole"
            }
        ],
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "logs:CreateLogGroup",
                        "logs:CreateLogStream",
                        "logs:PutLogEvents",
                        "logs:PutRetentionPolicy",
                        "logs:*"
                    ],
                    "Resource": [
                        {
                            "Fn::Join": [
                                ":",
                                [
                                    "arn:aws-us-gov:logs:*:*:*",
                                    {
                                        "Ref": "AWS::Region"
                                    },
                                    {
                                        "Ref": "AWS::AccountId"
                                    },
                                    "log-group",
                                    {
                                        "Ref": "SchedulerLogGroup"
                                    },
                                    "*"
                                ]
                            ]
                        },
                        {
                            "Fn::Join": [
                                ":",
                                [
                                    "arn:aws-us-gov:logs:*:*:*",
                                    {
                                        "Ref": "AWS::Region"
                                    },
                                    {
                                        "Ref": "AWS::AccountId"
                                    },
                                    "log-group:/aws/lambda/*"
                                ]
                            ]
                        }
                    ]
                },
                {   "Effect": "Allow",
                    "Action": [
                        "s3:*"
                    ],
                    "Resource": [
                        "arn:aws-us-gov:s3:::*"
                    ]
                },

IAM 角色

 "SchedulerRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "lambda.amazonaws.com"
                    },
                    "Action": "sts:AssumeRole"
                },
                {
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "events.amazonaws.com"
                    },
                    "Action": "sts:AssumeRole"
                }
            ]
        },
        "Path": "/"
    }
},

我确定我的代码格式不正常，或者我在 s3 的角色或政策中遗漏了某些内容。在这里查找类似的问题，并将感谢任何关于我的代码的指针。我知道我很接近。

【问题讨论】：

标签： amazon-web-services aws-lambda terraform amazon-iam

【解决方案1】：

您的 SchedulerPolicy 中的连接存在问题。您需要删除尾随的*:*:*。

"Fn::Join": [
":",
[
    "arn:aws-us-gov:logs:*:*:*",
    {
        "Ref": "AWS::Region"
    },
    {
        "Ref": "AWS::AccountId"
    },
    "log-group:/aws/lambda/*"
]
]

通过上述连接，您将得到一个字符串arn:aws-us-gov:logs:*:*:*:us-east-1:0987654321:log-group:/aws/lambda/*，而不是预期的arn:aws-us-gov:logs:us-east-1:0987654321:log-group:/aws/lambda/*

【讨论】：

【解决方案2】：

您无权访问this s3 object，因为您正在尝试使用本期分享的代码Is gov-Cloud supported? #11

“S3Key”：“aws-instance-scheduler/v1.3.1/instance-scheduler.zip”

该对象不再可用

$ curl -I https://aws-instance-scheduler.s3.amazonaws.com/v1.3.0/instance-scheduler.zip
HTTP/1.1 403 Forbidden
x-amz-request-id: 2663CDC7E74E1BE8
x-amz-id-2: GsWrKdNtOqqUdqR6wfWJ0pZGPqlhHD17rFvfCsqsQB09V+T3SGAc+V+HCTCIU8mj501Sbn4K7sA=
Content-Type: application/xml
Date: Tue, 16 Feb 2021 21:14:38 GMT
Server: AmazonS3

错误的意思是一样的。

您的访问已被 S3 拒绝，请确保您的请求凭证有权 GetObject for solutions-us-gov-west-1/aws-instance-scheduler/v1.3.1/instance-scheduler.zip。

如果您以某种方式获得了代码并上传到存储桶，您可以更新您的函数，如下所示：


{
..
        "MyFunction": {
            "Type": "AWS::Lambda::Function",
            "Properties": {
                "Code": {
                    "S3Bucket": BUCKETNAME,
                    "S3Key": "aws-instance-scheduler/v1.3.1/instance-scheduler.zip"
                }
            }
        }
    }
}

【讨论】：

感谢您的反馈。我按照问题中列出的步骤进行操作，能够按指示获取 zip，并且能够在堆栈创建中达到一个好点。然而，它卡住了 3500 万，然后因Error: Custom Resource failed to stabilize in expected time. If you are using the Python cfn-response module, you may need to update your Lambda function code so that CloudFormation can attach the updated version. 任何指针而失败！！