【Question title】: Why is my Serverless Lambda unable to access S3 bucket and items?
【Posted】: 2016-05-06 04:01:51
【Question】:

I'm sure I have set up my Lambda to have read/write access to a private bucket; more specifically, my Lambda will perform s3.headObject and s3.upload. What am I missing to make this work?

My Lambda policy:

{
    "Statement": [
        {
            "Resource": "arn:aws:logs:us-east-1:*:*",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Effect": "Allow"
        },
        {
            "Resource": "arn:aws:s3:::PRIVATE_BUCKET/folder_name/*",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Effect": "Allow"
        }
    ],
    "Version": "2012-10-17"
}

My S3 bucket policy:

{
    "AWSTemplateFormatVersion" : "2010-09-09",
    "Description" : "Bucket that is read-accessible internally",
    "Parameters" : {
        "Environment" : {
            "Description" : "dev",
            "Type" : "String",
            "Default" : "dev",
            "AllowedValues" : [ "dev" ]
        }
    },
    "Resources" : {
        "PrivateBucket" : {
            "Type" : "AWS::S3::Bucket",
            "DeletionPolicy" : "Retain"
        },
        "PrivateBucketPolicy" : {
            "Type" : "AWS::S3::BucketPolicy",
            "Properties" : {
                "PolicyDocument" : {
                    "Id" : "Make anonymous read-only access available on certain networks",
                    "Statement" : [
                        {
                            "Sid" : "IPAllow",
                            "Effect" : "Allow",
                            "Principal" : {
                                "AWS" : "*"
                            },
                            "Action" : [
                                "s3:ListBucket",
                                "s3:GetObject"
                            ],
                            "Resource" : [
                                { "Fn::Join" : [ "", [ "arn:aws:s3:::", { "Ref" : "PrivateBucket" } ] ] },
                                { "Fn::Join" : [ "", [ "arn:aws:s3:::", { "Ref" : "PrivateBucket" }, "/*" ] ] }
                            ],
                            "Condition" : {
                                "IpAddress" : {
                                    "aws:SourceIp" : [
                                        "ip/cid/r",
                                        "ip/cid/r",
                                        "ip/cid/r",
                                        "ip/cid/r",
                                        "ip/cid/r"
                                    ]
                                }
                            }
                        }
                    ]
                },
                "Bucket" : { "Ref" : "PrivateBucket" }
            }
        }
    }
}

【Question comments】:

  • Can you create a user, attach the Lambda's policy to it, and see whether that user can access your bucket?
  • @helloV Not sure how to do that? As far as I can see, all our CF scripts contain the policy contents themselves
  • You also need to add permission for the ListBucket action. Can you try that?
  • @ketan I'll try; but doesn't "getObject" cover "headObject"?
  • I'm talking about list-bucket, not get-object. These two are different things.

Tags: amazon-web-services amazon-s3 aws-lambda serverless-framework


【Solution 1】:

See the documentation http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectHEAD.html

If you have the s3:ListBucket permission on the bucket, Amazon S3 returns an HTTP status code 404 ("no such key") error.

If you don't have the s3:ListBucket permission, Amazon S3 returns an HTTP status code 403 ("access denied") error.

My code was trying to run headObject on an item that doesn't exist; so the error I got was "Forbidden", which is correct because I didn't have the ListBucket permission for the S3 bucket on the Lambda...

【Discussion】:
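As an added example (not the asker's policy or the answerer's), this is the Lambda role policy from the question with the s3:ListBucket grant the answer refers to. ListBucket is a bucket-level permission, so it is granted on the bucket ARN itself (no trailing /*) in its own statement, separate from the object-level GetObject/PutObject grant; PRIVATE_BUCKET and folder_name are the question's own placeholders.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudWatchLogs",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:us-east-1:*:*"
        },
        {
            "Sid": "ListBucketSoHeadObjectReturns404",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::PRIVATE_BUCKET"
        },
        {
            "Sid": "ObjectReadWriteInFolderOnly",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::PRIVATE_BUCKET/folder_name/*"
        }
    ]
}
```

With this in place, headObject on a missing key under folder_name/ returns 404 instead of 403, while keys outside folder_name/ still cannot be read or written. Note that the ListBucket grant lets the role enumerate every key name in the bucket, not only those under folder_name/; that is the trade-off for getting a clean 404.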
