[英]AWS CDK: Add a specific S3 resource to IAM policy
I want to create a lambda function with a Role that reads/writes to a specific S3 bucket.我想创建一个 lambda function 具有读取/写入特定 S3 存储桶的角色。 Below is the code I have written but in the AWS Console Policy, its not showing a the bucket arn instead its showing as s3:::[object Object]
Am I missing something?下面是我编写的代码,但在 AWS 控制台策略中,它没有显示存储桶 arn,而是显示为s3:::[object Object]
我错过了什么吗?
const role = new IAM.Role(this, 'MyRole', {
assumedBy: new IAM.ServicePrincipal('lambda.amazonaws.com'),
roleName: 'DefaultRoleName'
});
role.addToPolicy(new IAM.PolicyStatement({
resources: [lambda_source.bucketArn],
actions: ['s3:GetObject', 'lambda:InvokeFunction']
}));
// lambda_source.grantReadWrite(role) // I have tried this, and this is also outputs the same result.
const myLambda = new lambda.Function(this, 'MYLHandler', {
runtime: lambda.Runtime.NODEJS_12_X,
code: lambda.Code.fromBucket(lambda_source.bucketName, 'lambda.zip'),
handler: 'index.handler',
functionName: 'MyLambda',
role: role
});
Here is the output in the AWS console IAM role policy document:这是 AWS 控制台 IAM 角色策略文档中的 output:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject",
"lambda:InvokeFunction"
],
"Resource": "arn:aws:s3:::[object Object]",
"Effect": "Allow"
}
]
}
lambda_source.bucketArn
is an object and not a string like you are expecting. lambda_source.bucketArn
是 object 而不是您期望的字符串。 Print out the object to see what it actually is and whether or not it contains a field with the ARN.打印出 object 以查看它实际上是什么以及它是否包含带有 ARN 的字段。
You could import the bucket and give the permissions:您可以导入存储桶并授予权限:
const bucket = Bucket.fromBucketAttributes(this, 'ImportedBucket', {
bucketArn: 'arn:aws:s3:::my-bucket'
});
// now you can just call methods on the bucket
bucket.grantRead(mylambda);
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.