堆栈内存溢出
  简体   繁体   English

为什么我的访问密钥会更改? (使用适用于Lambda的AWS javascript和node.js API)

[英]Why is my access key changing? (using AWS javascript & node.js APIs for Lambda)

 原文  2017-11-20 16:22:29       javascript/ node.js/ amazon-s3/ aws-lambda/ aws-sdk

问题描述

In client-side javascript, I set: 在客户端javascript中,我设置了: 

    AWS.config.credentials = { 
        "accessKeyId": ak,  // starts with "AKIA..."
        "secretAccessKey": sk // something long and cryptic
    };

Then eventually call 然后最终致电 

    var lambda = new AWS.Lambda({apiVersion: '2015-03-31'});
    var params = {
      FunctionName: 'my-function-name',
      InvokeArgs : my_data
    };
    lambda.invokeAsync(params, function(err, data) {
    ...

The HTML request seems to contain the correct access key: HTML请求似乎包含正确的访问密钥: 

    authorization:AWS4-HMAC-SHA256 Credential=AKIA...

And in server-side node.js, I don't manually set any AWS credentials, with the understanding that setting them in the client-side is sufficient, as: 而且在服务器端的node.js中,我不会手动设置任何AWS凭据,但要了解,在客户端设置它们就足够了,例如: 

   var AWS = require('aws-sdk');
   var s3 = new AWS.S3();
   ...

Following the request, the server's upload handler gets called as expected, but within that handler, s3.putObject() fails with an Access Denied error. 发出请求后,服务器的上载处理程序将按预期方式被调用,但是在该处理程序中, s3.putObject()失败,并显示“访问被拒绝”错误。 Trying to debug this, I added console.log(AWS.config.credentials) to the upload handler, and Cloudwatch is showing: 为了进行调试,我将console.log(AWS.config.credentials)添加到了上载处理程序,Cloudwatch显示了: 

    accessKeyId: 'ASIA...

I don't recognize the accessKeyId that is shown, and it certainly doesn't match the one provided in the request header. 我无法识别显示的accessKeyId,并且它肯定与请求标头中提供的不匹配。 Am I doing something wrong here, or is this expected behavior? 我在这里做错了,还是这种预期的行为?

1 个解决方案

解决方案1
 1 已采纳  2017-11-20 16:51:02

The Lambda function does not use the AWS credentials you used in your client-side JavaScript code. Lambda函数不使用您在客户端JavaScript代码中使用的AWS凭证。 The credentials in your client-side code were used to issue a Lambda.invoke() command to the AWS API. 客户端代码中的凭证用于将Lambda.invoke()命令发布到AWS API。 In this context, the credentials you are using on the client-side only need the Lambda invoke permission. 在这种情况下,您在客户端使用的凭据仅需要Lambda调用权限。

Your Lambda function is then invoked by AWS Lambda service. 然后,AWS Lambda服务将调用您的Lambda函数。 The Lambda service will attach the IAM Execution Role to the invocation that you specified when you created/configured the Lambda function. Lambda服务会将IAM执行角色附加到您在创建/配置Lambda函数时指定的调用。 That IAM Execution Role is what needs to have the appropriate S3 access. IAM执行角色是需要具有适当的S3访问权限的角色。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 同步Node.js API和AWS Lambda - Synchronous Node.js APIs and AWS Lambda 如何在node.js javascript中限制对apis的访问? - How restrict access to apis in node.js javascript? 为什么AWS Lambda Node.js示例包含键为“ S:”和“ N:”之类的javascript对象? - Why does AWS Lambda Node.js example include javascript objects with keys like “S:” and “N:”? 为什么我的代码可以在标准 Node.js 文件中运行,而不能在 AWS Lambda 函数中运行? - Why can my code run in a standard Node.js file, but not in a AWS Lambda Function? 将Node.js API与AWS Lambda混合 - Mixing Node.js API with AWS Lambda aws lambda 中的简单 node.js 示例 - simple node.js example in aws lambda AWS Lambda Node.js Object 绑定 - AWS Lambda Node.js Object Binding AWS Lambda 和 DynamoDB 上的 Node.js - Node.js on AWS Lambda and DynamoDB 如何使用Javascript(Node.js)读取通过Http Post发送的变量值并在AWS API Gateway Lambda上获取? - How to read variable value sent over Http Post and Get on AWS API Gateway Lambda using Javascript(Node.js)? 在node.js上使用解析时,为什么需要使用“ JavaScript键”? - Why do I need to use the “JavaScript key” when using parse on node.js?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM