Lambda / Pre-signed url access denied
I wrote a Lambda function that returns a pre-signed URL for documents in S3 buckets.
The code is really simple:
// AWS SDK for JavaScript v2 client (not shown in the original snippet; assumed here)
const AWS = require('aws-sdk');
const s3 = new AWS.S3();

// Pre-signed GET URL valid for 20 seconds, signed with the caller's own credentials
const url = s3.getSignedUrl('getObject', {
    Bucket: BUCKET_NAME,
    Key: myFile.Key,
    Expires: 20
});
const response = {
    statusCode: 200,
    headers: {
        "Access-Control-Allow-Origin": "*"
    },
    body: JSON.stringify({
        "url": url
    }),
};
The funny thing is that when I call this function locally (with the Serverless Framework) like this:
sls invoke local -f getEconomyFile -d '{ "queryStringParameters": { "key": "myfile.pdf" } }'
It works. I get a URL that gives me the file.
But when I deploy to AWS Lambda, the function returns a URL which always says "access denied" on the file:
<Error>
    <Code>AccessDenied</Code>
    <Message>Access Denied</Message>
    <RequestId>93778EA364B3506B</RequestId>
    <HostId>
        yqnPC0SeIVE3/Pl7/d+xHDJ78=
    </HostId>
</Error>
Why does it work locally and not when deployed?
Thank you!
Here's a list of things to check when pre-signed URLs do not work:
** You can tell this is a local computation that does not involve any calls into AWS by pre-signing an object such as s3://notmybucket/fred. That will work and generate a pre-signed URL, but it will not actually be usable to retrieve that object.
https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-owner-full-control-acl/
When access to a bucket is given to other accounts, and they put an object in the bucket, the account owner doesn't automatically get access to those put files. To fix this you need to add this to your commands:
--acl bucket-owner-full-control
Such as
aws s3api put-object --bucket accountB-bucket --key example.txt --acl bucket-owner-full-control
or
aws s3 cp s3://accountA-bucket/test.txt s3://accountB-bucket/test2.txt --acl bucket-owner-full-control
Otherwise you leave the ACL for the object hyper-specific to the other account and user that pushed the file.
Hope that helps.