为什么 aws lambda 函数无法从 s3 存储桶读取对象?
[英]Why aws lambda function is not able do read object from s3 bucket?
问题描述
I am trying to read objects from S3 bucket using lambda function cross account, I have added resource based policy for aws lambda to access s3 bucket.
我正在尝试使用 lambda 函数跨帐户从 S3 存储桶读取对象,我为 aws lambda 添加了基于资源的策略以访问 s3 存储桶。
But still when i tested my lambda function am seeing access denied error lambda function IAM role has the full access on s3 resources但是当我测试我的 lambda 函数时,我看到访问被拒绝错误 lambda 函数 IAM 角色拥有对 s3 资源的完全访问权限
1 个解决方案
解决方案1
1 2017-08-03 02:41:12
Your situation appears to be:您的情况似乎是:
- An AWS Lambda function in Account A that is using a Role账户 A 中使用角色的AWS Lambda 函数
- An Amazon S3 bucket in Account B账户 B 中的Amazon S3 存储桶
You will need to grant access from Account B .您需要从帐户 B 授予访问权限。 The Lambda resource policy will not work because it is in Account A (and therefore cannot grant access to resources in Account B). Lambda 资源策略将不起作用,因为它位于账户 A 中(因此无法授予对账户 B 中资源的访问权限)。
You simply need a Bucket Policy on the bucket that grants access to the Role being used by the Lambda function.您只需要一个存储桶上的存储桶策略,授予对 Lambda 函数使用的角色的访问权限。 The policy would look similar to:该政策将类似于:
{
"Id": "Policy1",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "GrantAccessToRole",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*",
"Principal": {
"AWS": [
"arn:aws:iam::1234567890:role/my-role"
]
}
}
]
}
Modify the policy to provide the access permissions desired (eg ListBucket).修改策略以提供所需的访问权限(例如 ListBucket)。
The ARN for the role is visible in the IAM console when viewing the Role.查看角色时,该角色的 ARN 在 IAM 控制台中可见。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.