Configuring AWS Lambda to access S3 Bucket
I just can't figure out what is wrong with my Bucket Policy in AWS. I am trying to let a Lambda function access and read an email from the S3 Bucket, but I keep getting "Access Denied".
Please note that I notice the email file is being created in the bucket. Here is my last version of the Bucket Policy:
{
    "Version": "2012-10-17",
    "Id": "Lambda access bucket policy",
    "Statement": [
        {
            "Sid": "All on objects in bucket lambda",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::[MY NUMBER]:root"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::[MY BUCKET NAME]/*"
        }
    ]
}
I have also tried with "Principal": {"Service": "ses.amazonaws.com"}, alas I keep getting Access Denied:
2017-09-17T14:12:14.231Z 10664101-9bb2-11e7-ad43-539f3e1a8626
{
    "errorMessage": "Access Denied",
    "errorType": "AccessDenied",
    "stackTrace": [
        "Request.extractError (/var/runtime/node_modules/aws-sdk/lib/services/s3.js:577:35)",
        "Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:105:20)",
        "Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:77:10)",
        "Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:683:14)",
        "Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)",
        "AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)",
        "/var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10",
        "Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)",
        "Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:685:12)",
        "Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:115:18)"
    ]
}
And here is my Lambda function:
var AWS = require('aws-sdk');
// The client picks up the credentials of the Lambda execution role automatically.
var s3 = new AWS.S3();
var bucketName = '[MY BUCKET NAME]';

exports.handler = function(event, context, callback) {
    console.log('Process email');
    // Invoked by an SES receipt rule; the record carries the mail metadata.
    var sesNotification = event.Records[0].ses;
    if (!sesNotification) {
        callback(null, null);
        return;
    }
    console.log("SES Notification:\n", JSON.stringify(sesNotification, null, 2));

    // Retrieve the email from your bucket
    s3.getObject({
        Bucket: bucketName,
        Key: sesNotification.mail.messageId
    }, function(err, data) {
        if (err) {
            console.log(err, err.stack);
            callback(err);
        } else {
            console.log("Raw email:\n" + data.Body);
            // Custom email processing goes here
            callback(null, null);
        }
    });
};
After a long time and many versions of the Bucket Policy I am thinking of trying another solution and dropping AWS.
Any ideas?
You need to create an IAM role and attach it to the Lambda function with the S3FullAccess policy, or with fine-grained permissions for the specific bucket and actions (recommended).
Also make sure the trust relationship configuration is added to the role.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "lambda.amazonaws.com"
                ]
            }
        }
    ]
}
Note: In your current setup, it seems like you have configured a bucket policy which grants read access to the root user.
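The point behind the answer above is that the Lambda function calls S3 with the credentials of its execution role, not as the account root: a bucket policy whose principal is the account root only defers to IAM, so the role still needs an identity policy that allows s3:GetObject on the bucket's objects, and a principal of ses.amazonaws.com grants SES (which is why the mail lands in the bucket) but nothing to the function. The following is an added example, not code from the question or the answer, that builds the two policy documents for the fine-grained option and checks them with a small IAM-style evaluator before anything is deployed. The bucket name, the receipt-rule key prefix and the account ID are placeholders, and the evaluator is a simplification that models only Action/Resource matching with Allow and Deny (no Condition blocks, no cross-account principals).

```javascript
'use strict';
// Added example, not code from the original question or answer.
// Builds least-privilege policy documents for the Lambda execution role and
// checks them with a small IAM-style evaluator. Placeholder values below are
// assumptions; the evaluator ignores Condition blocks and principals.

const BUCKET = 'my-ses-inbox';       // assumed bucket name
const PREFIX = 'inbound/';           // assumed object key prefix set on the SES receipt rule
const ACCOUNT_ID = '123456789012';   // placeholder account ID

// Trust policy: only the Lambda service may assume the role.
function trustPolicy() {
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Principal: { Service: ['lambda.amazonaws.com'] },
      Action: 'sts:AssumeRole'
    }]
  };
}

// Identity policy for the execution role: read mail objects under the prefix,
// write CloudWatch logs, nothing else. Same-account access needs no bucket policy.
function executionPolicy(bucket, prefix, accountId) {
  return {
    Version: '2012-10-17',
    Statement: [
      {
        Sid: 'ReadInboundMail',
        Effect: 'Allow',
        Action: ['s3:GetObject'],
        Resource: ['arn:aws:s3:::' + bucket + '/' + prefix + '*']
      },
      {
        Sid: 'WriteLogs',
        Effect: 'Allow',
        Action: ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'],
        Resource: ['arn:aws:logs:*:' + accountId + ':*']
      }
    ]
  };
}

// ARN of the object SES writes: receipt-rule prefix followed by the message ID.
function mailObjectArn(bucket, prefix, messageId) {
  return 'arn:aws:s3:::' + bucket + '/' + prefix + messageId;
}

// IAM wildcard semantics: '*' matches any run of characters, '?' one character.
// Action names match case-insensitively, resource ARNs do not.
function globMatch(pattern, value, ignoreCase) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp('^' + re + '$', ignoreCase ? 'i' : '').test(value);
}

const asList = (v) => (Array.isArray(v) ? v : [v]);

// Simplified evaluation: an explicit Deny wins, otherwise any matching Allow
// permits, and with no matching statement the default is deny.
function isAllowed(policy, action, resource) {
  let allowed = false;
  for (const st of policy.Statement) {
    const actionHit = asList(st.Action).some((a) => globMatch(a, action, true));
    const resourceHit = asList(st.Resource).some((r) => globMatch(r, resource, false));
    if (!actionHit || !resourceHit) continue;
    if (st.Effect === 'Deny') return false;
    if (st.Effect === 'Allow') allowed = true;
  }
  return allowed;
}

// Rejects the blanket grants that a managed *FullAccess policy carries.
function isLeastPrivilege(policy) {
  return policy.Statement.every((st) =>
    st.Effect !== 'Allow' ||
    (asList(st.Action).every((a) => a !== '*' && !a.endsWith(':*')) &&
     asList(st.Resource).every((r) => r !== '*')));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(trustPolicy(), null, 2));
  console.log(JSON.stringify(executionPolicy(BUCKET, PREFIX, ACCOUNT_ID), null, 2));
}
```

Write the two documents to files and wire them up with `aws iam create-role --role-name <role> --assume-role-policy-document file://trust.json`, `aws iam put-role-policy --role-name <role> --policy-name s3-mail-read --policy-document file://exec.json` and `aws lambda update-function-configuration --function-name <fn> --role <role ARN>`. Two caveats the evaluator makes visible: if the receipt rule sets an object key prefix, the key the handler must fetch is the prefix plus the message ID, not the message ID alone; and when the caller lacks s3:ListBucket on the bucket, S3 answers a GetObject for a key that does not exist with 403 Access Denied rather than 404 Not Found, so a wrong key looks exactly like a permissions problem.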