为什么我的lambda函数在尝试访问S3 bucket时被拒绝访问?
- lambda执行角色具有对51个函数的s3访问权限,包括ListBuckets和所有其他读操作。
- 我的S3 bucket有一个允许从lambda角色访问的策略。(反正是在同一个帐户中,所以我不认为这是必需的)。
- 我甚至只是为了好玩才让桶公共访问。
这是λ码。我不知道为什么bucket.objects.all()无法访问S3。
message = 'Hello {}!'.format(event['Records'][0]['s3']['bucket']['name'])
print(message)
bucket = s3.Bucket('my-bucketname-demo')
# this works
print(bucket.creation_date)
# this fails on access denied
# Iterates through all the objects, doing the pagination for you. Each obj
# is an ObjectSummary, so it doesn't contain the body. You'll need to call
# get to get the whole body.
for obj in bucket.objects.all():
key = obj.key
body = obj.get()['Body'].read()
print(key)
print(body)
return {
'statusCode': 200,
'body': json.dumps('Hello from Lambda!')
}
Lambda执行角色策略
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:GetLifecycleConfiguration",
"s3:GetBucketTagging",
"s3:GetInventoryConfiguration",
"s3:GetObjectVersionTagging",
"s3:ListBucketVersions",
"s3:GetBucketLogging",
"s3:ListBucket",
"s3:GetAccelerateConfiguration",
"s3:GetBucketPolicy",
"s3:GetStorageLensConfigurationTagging",
"s3:GetObjectVersionTorrent",
"s3:GetObjectAcl",
"s3:GetEncryptionConfiguration",
"s3:GetBucketObjectLockConfiguration",
"s3:GetIntelligentTieringConfiguration",
"s3:GetBucketRequestPayment",
"s3:GetAccessPointPolicyStatus",
"s3:GetObjectVersionAcl",
"s3:GetObjectTagging",
"s3:GetMetricsConfiguration",
"s3:GetBucketOwnershipControls",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketPolicyStatus",
"s3:ListBucketMultipartUploads",
"s3:GetObjectRetention",
"s3:GetBucketWebsite",
"s3:GetJobTagging",
"s3:GetBucketVersioning",
"s3:GetBucketAcl",
"s3:GetObjectLegalHold",
"s3:GetBucketNotification",
"s3:GetReplicationConfiguration",
"s3:ListMultipartUploadParts",
"s3:GetObject",
"s3:GetStorageLensConfiguration",
"s3:GetObjectTorrent",
"s3:DescribeJob",
"s3:GetBucketCORS",
"s3:GetAnalyticsConfiguration",
"s3:GetObjectVersionForReplication",
"s3:GetBucketLocation",
"s3:GetAccessPointPolicy",
"s3:GetObjectVersion",
"s3:GetStorageLensDashboard"
],
"Resource": "arn:aws:s3:::my-bucket-demo/*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:ListStorageLensConfigurations",
"s3:GetAccessPoint",
"s3:GetAccountPublicAccessBlock",
"s3:ListAllMyBuckets",
"s3:ListAccessPoints",
"s3:ListJobs",
"s3:ListObjects"
],
"Resource": "*"
}
]
}
共有1个答案
您当前的资源ARN:AWS:S3:::my-bucket-demo/*仅表示my-bucket-demo中的对象。随后,与bucket相关的任何操作(例如listbucket)都不适用。您应该将bucket资源``arn:aws:s3:::my-bucket-demo`添加到策略中:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:GetLifecycleConfiguration",
"s3:GetBucketTagging",
"s3:GetInventoryConfiguration",
"s3:GetObjectVersionTagging",
"s3:ListBucketVersions",
"s3:GetBucketLogging",
"s3:ListBucket",
"s3:GetAccelerateConfiguration",
"s3:GetBucketPolicy",
"s3:GetStorageLensConfigurationTagging",
"s3:GetObjectVersionTorrent",
"s3:GetObjectAcl",
"s3:GetEncryptionConfiguration",
"s3:GetBucketObjectLockConfiguration",
"s3:GetIntelligentTieringConfiguration",
"s3:GetBucketRequestPayment",
"s3:GetAccessPointPolicyStatus",
"s3:GetObjectVersionAcl",
"s3:GetObjectTagging",
"s3:GetMetricsConfiguration",
"s3:GetBucketOwnershipControls",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketPolicyStatus",
"s3:ListBucketMultipartUploads",
"s3:GetObjectRetention",
"s3:GetBucketWebsite",
"s3:GetJobTagging",
"s3:GetBucketVersioning",
"s3:GetBucketAcl",
"s3:GetObjectLegalHold",
"s3:GetBucketNotification",
"s3:GetReplicationConfiguration",
"s3:ListMultipartUploadParts",
"s3:GetObject",
"s3:GetStorageLensConfiguration",
"s3:GetObjectTorrent",
"s3:DescribeJob",
"s3:GetBucketCORS",
"s3:GetAnalyticsConfiguration",
"s3:GetObjectVersionForReplication",
"s3:GetBucketLocation",
"s3:GetAccessPointPolicy",
"s3:GetObjectVersion",
"s3:GetStorageLensDashboard"
],
"Resource": ["arn:aws:s3:::my-bucket-demo",
"arn:aws:s3:::my-bucket-demo/*"]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:ListStorageLensConfigurations",
"s3:GetAccessPoint",
"s3:GetAccountPublicAccessBlock",
"s3:ListAllMyBuckets",
"s3:ListAccessPoints",
"s3:ListJobs",
"s3:ListObjects"
],
"Resource": "*"
}
]
}
-
我有一个lambda函数,它使用一个具有以下策略摘录的角色 我的桶策略如下所示 我在角色和bucket策略上都允许使用GetObject和ListBucket。但是,当我的函数运行时 我明白了 [错误]ClientError:调用GetObject操作时发生错误(AccessDenied):拒绝访问 我还需要添加哪些权限?对象就在那里,当我使用管理员角色在本地运行代码时,我可以得到它。 最新消息
-
我在Lambda函数上收到来自S3 AWS服务的acccess denied错误。 这是代码: 这是CloudWatch上的错误: 这是堆栈错误: 没有关于S3的任何其他描述或信息,桶权限允许每个人、放置、列表和删除。 我可以做什么来访问S3桶? PS:在Lambda事件属性上,主体是正确的,并且具有管理特权。
-
我有两个AWS账户。帐户1有一个CloudSearch域,我需要从帐户2中的Lambda函数查询该域。我遵循了一个教程,在Account1中创建一个允许跨帐户访问的角色。 因此,在帐户1中,我有一个角色,如下所示: 此角色有一个受信任的实体,即帐户2,我可以在IAM控制台中该角色的受信任实体部分下看到正确的帐户ID。 在帐户2中,我创建了一个Lambda函数,其执行角色如下所示: 我的Lambda
-
问题内容: 这是我的编辑从第27行到第39行的代码: 我认为我的问题可能与Win7教授有关:(访问被拒绝) 如何解决这个问题,或者我需要做些什么或阅读才能使它起作用? 谢谢你不燃烧。 我只是更改了文件夹选项,使我获得完整的(Access …),现在我只需要弄清楚为什么在运行javac VendingMachine.java时为什么没有得到任何输出,我想是有一个新问题。 问题答案: 您的工作目录为。
-
问题内容: 我正在尝试读取文件夹中的文件,但是当我运行该程序时,它将引发此异常。我也尝试了其他一些文件夹。它引发相同的异常。 问题答案: 您无法打开和读取目录,无法使用和方法区分文件和文件夹。您可以使用和方法获取文件夹的内容(分别用于文件名和s),还可以指定一个过滤器来选择列出的文件的子集。
-
我正在使用wamp服务器,我的phpMyAdmin页面返回了以下错误。 Wamp服务器版本:2.2 MySQL版本:5.5.24 #1045-用户“root”@“本地主机”的访问被拒绝(使用密码:是) 我编辑了我的配置文件wamp\app\phpmyadmin4.1.14\config.inc.php: 但这并没有解决问题。任何帮助都将不胜感激。