【Title】: How to Enable and Configure Event Notifications for an S3 Bucket to trigger Lambda from CLI
【Posted】: 2019-12-14 07:30:50
【Question】:

I am trying to automate the Lambda creation process from the AWS CLI.

Lambda function creation

# Each continuation backslash must be the last character on its line; trailing spaces break the command
aws lambda create-function \
  --function-name "$FUNCTION_NAME" \
  --runtime "java8" \
  --role "$ROLE_ARN" \
  --handler "$HANDLER" \
  --zip-file "fileb://./$FILE_LOC" \
  --environment "$ENVS" \
  --tags "$TAGS" \
  --vpc-config "$VPC_CONFIG"

Granting S3 permission to invoke the function

aws lambda add-permission \
--function-name "$FUNCTION_NAME" \
--principal "s3.amazonaws.com" \
--statement-id "s3-permission-1" \
--action "lambda:InvokeFunction" \
--source-arn "$S3_BUCKET_ARN" \
--source-account "$ACCOUNT_NUMBER"

Enabling the event

# Close the single quotes around the variable so $LAMBDA_FUNCTION_ARN is expanded rather than passed literally
NOTIFICATION_CONFIGURATIONS='{"LambdaFunctionConfigurations":[{"Id":"my-lambda-function-s3-event-configuration","LambdaFunctionArn":"'"$LAMBDA_FUNCTION_ARN"'","Events":["s3:ObjectCreated:*"],"Filter":{"Key":{"FilterRules":[{"Name":"suffix","Value":".log"},{"Name":"prefix","Value":"log/my-app-name"}]}}}]}'

# --bucket takes the bucket name, not its ARN ($S3_BUCKET_NAME is assumed to hold the bare name)
aws s3api put-bucket-notification-configuration \
  --bucket "$S3_BUCKET_NAME" \
  --notification-configuration "$NOTIFICATION_CONFIGURATIONS"

Enabling the event gives me the following error:

An error occurred (AccessDenied) when calling the PutBucketNotificationConfiguration operation: Access Denied

even though I have full access as below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "eZeBoI3Gq6v1wHImT01j",
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:List*",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectVersion",
                "s3:GetObjectVersionAcl",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectAclVersion",
                "s3:GetBucketLocation",
                "s3:ListBucketMultipartUploads",
                "s3:Get*"
            ],
            "Resource": [
                "S3_BUCKET_ARN/*",
                "S3_BUCKET_ARN"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets",
                "s3:ListObjects"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": [
                "LAMBDA-FUNCTION-ARN*"
            ]
        }
    ]
}

【Discussion】:

    Tags: amazon-s3 aws-lambda aws-cli


    【Solution 1】:

    Based on the IAM policy you posted, I don't see a permission entry for PutBucketNotification, nor an s3:* action, so that error is expected.

    {
        "Version": "2012-10-17",
        "Statement": [
            ...
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetBucketLocation",
                    "s3:ListAllMyBuckets",
                    "s3:ListObjects",
                    "s3:PutBucketNotification" # <==== you were missing this
                ],
                "Resource": "arn:aws:s3:::*"
            },
            ...
        ]
    }
    

    【Discussion】:
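As an added example (not code from the question or the answer), here is a small offline preflight that evaluates a constructed copy of the questioner's policy against `s3:PutBucketNotification`, before and after the answer's fix. The bucket ARN is a placeholder, and the evaluation is deliberately simplified (no Condition, NotAction/NotResource, bucket policies or SCPs).

```python
import fnmatch
import json

# Constructed sample (placeholder bucket ARN): the statements of the questioner's
# policy that matter here. Statement 2 is the one the answer says to extend.
BUCKET = "arn:aws:s3:::my-app-bucket"
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:List*", "s3:GetObject", "s3:PutObject", "s3:Get*"],
         "Resource": [BUCKET + "/*", BUCKET]},
        {"Effect": "Allow",
         "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets", "s3:ListObjects"],
         "Resource": "arn:aws:s3:::*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, name, fold_case):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # Action names compare case-insensitively; ARNs are case-sensitive.
    patterns = _as_list(patterns)
    if fold_case:
        name, patterns = name.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)

def policy_allows(policy, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny wins, otherwise
    any matching Allow grants. Condition, NotAction/NotResource, bucket
    policies and SCPs are deliberately ignored."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt.get("Action", []), action, fold_case=True)
                and _matches(stmt.get("Resource", []), resource, fold_case=False)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def with_fix(policy):
    """Return a copy with the answer's missing action added to the bucket-wide statement."""
    fixed = json.loads(json.dumps(policy))
    fixed["Statement"][1]["Action"].append("s3:PutBucketNotification")
    return fixed
```

Against the real policy set, the authoritative check is `aws iam simulate-principal-policy --policy-source-arn <role-or-user-arn> --action-names s3:PutBucketNotification --resource-arns <bucket-arn>`, which also honours conditions and wildcards exactly as IAM does.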
