Read and write from/to S3 bucket using access points with boto3

I have to access an S3 bucket using access points with boto3.

I have created an access point with a policy to allow reading and writing ( <access_point_arn> is my access point ARN ):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "<access_point_arn>/object/*"
        }
    ]
}

In the official documentation there is a mention of access points, where the access point ARN has to be used in place of the bucket name ( https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3.html ). There are no examples on the official documentation site for developers ( https://docs.aws.amazon.com/AmazonS3/latest/dev/using-access-points.html ).

So based on this information I assume that the right way to use it is:

import boto3
s3 = boto3.resource('s3')
s3.Bucket('<access_point_arn>').download_file('hello.txt', '/tmp/hello.txt')

When I execute this code in Lambda with the AmazonS3FullAccess managed policy attached I am getting a ClientError: An error occurred (403) when calling the HeadObject operation: Forbidden

Both Lambda and the S3 access point are connected to the same VPC.

My first guess is that you are missing permissions that have to be defined (1) on the bucket (bucket policy) and (2) on the IAM user or role which you are using in the boto3 SDK.

(1) From the documentation I can see that

For an application or user to be able to access objects through an access point, both the access point and the underlying bucket must permit the request.

You could, for instance, add a bucket policy that is delegating access control to access points so that you don't have to specify each principal that comes via the access points. An example is given in the linked docs.

(2) As stated in your question, you are already using the AmazonS3FullAccess policy in your LambdaExecutionRole. My only guess (i.e. what happened to me) is that there is, e.g., KMS encryption on the objects in your bucket and your role is missing permissions for kms actions. Try executing the function with the Admin policy attached and see if it works. If it does, find out which specific permissions are missing.

Some further notes: I assume you

  • didn't restrict the access point to be available within a specific VPC only.
  • are blocking public access.
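The two policies this answer says must both permit the request, generated from the access point ARN, as an added example that is not part of the answer or the question: an access point policy scoped to one role (instead of the question's "*" principal), and a bucket policy that delegates access control to same-account access points via the s3:DataAccessPointAccount condition. The account id, region, access point name, bucket name and role ARN are constructed placeholders.

```python
import json
import re

# Access point ARN form: arn:<partition>:s3:<region>:<account>:accesspoint/<name>
AP_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):s3:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):accesspoint/(?P<name>[a-z0-9-]+)$"
)

def parse_access_point_arn(arn):
    """Split an access point ARN into its parts; ValueError if it is not one."""
    m = AP_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an S3 access point ARN: {arn}")
    return m.groupdict()

def access_point_policy(ap_arn, role_arn):
    """Access point policy: only role_arn may read/write objects through this access point."""
    parse_access_point_arn(ap_arn)  # fail early on a malformed ARN
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},  # a specific role rather than "*"
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"{ap_arn}/object/*",  # object resources under an access point
        }],
    }

def delegating_bucket_policy(bucket, ap_arn):
    """Bucket policy that delegates access control to access points in the same account
    (s3:DataAccessPointAccount condition), so the bucket side permits the request too."""
    account = parse_access_point_arn(ap_arn)["account"]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringEquals": {"s3:DataAccessPointAccount": account}},
        }],
    }

if __name__ == "__main__":  # constructed placeholder values
    ap = "arn:aws:s3:eu-west-1:123456789012:accesspoint/my-ap"
    role = "arn:aws:iam::123456789012:role/LambdaExecutionRole"
    print(json.dumps({"access_point": access_point_policy(ap, role),
                      "bucket": delegating_bucket_policy("my-bucket", ap)}, indent=2))
```

The bucket policy still only works if the role's own IAM policy allows the S3 (and, where objects are encrypted, KMS) actions, which is the second half of the answer above.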

replace...

"Resource": "arn:aws:s3:region_name:<12-digit account_id>:bucket_name"
s3.Bucket('bucket_name').download_file('hello.txt', '/tmp/hello.txt')

Hope it helps...
