[英]Why aws lambda function is not able do read object from s3 bucket?
I am trying to read objects from S3 bucket using lambda function cross account, I have added resource based policy for aws lambda to access s3 bucket.我正在尝试使用 lambda 函数跨帐户从 S3 存储桶读取对象,我为 aws lambda 添加了基于资源的策略以访问 s3 存储桶。
But still when i tested my lambda function am seeing access denied error lambda function IAM role has the full access on s3 resources但是当我测试我的 lambda 函数时,我看到访问被拒绝错误 lambda 函数 IAM 角色拥有对 s3 资源的完全访问权限
Your situation appears to be:您的情况似乎是:
You will need to grant access from Account B .您需要从帐户 B 授予访问权限。 The Lambda resource policy will not work because it is in Account A (and therefore cannot grant access to resources in Account B). Lambda 资源策略将不起作用,因为它位于账户 A 中(因此无法授予对账户 B 中资源的访问权限)。
You simply need a Bucket Policy on the bucket that grants access to the Role being used by the Lambda function.您只需要一个存储桶上的存储桶策略,授予对 Lambda 函数使用的角色的访问权限。 The policy would look similar to:该政策将类似于:
{
"Id": "Policy1",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "GrantAccessToRole",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*",
"Principal": {
"AWS": [
"arn:aws:iam::1234567890:role/my-role"
]
}
}
]
}
Modify the policy to provide the access permissions desired (eg ListBucket).修改策略以提供所需的访问权限(例如 ListBucket)。
The ARN for the role is visible in the IAM console when viewing the Role.查看角色时,该角色的 ARN 在 IAM 控制台中可见。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.