How to access cross region s3 bucket by lambda using CDK Python
I have created a lambda in region A and an S3 bucket in region B. I am trying to access the bucket from the lambda with a boto3 client but get an error (access denied). Please suggest a solution for this in Python CDK.
Will I need to create any specific policy for it?
You have to explicitly pass the region name of the bucket if it is not in the same region as the lambda (because AWS has region-specific endpoints for S3, which need to be explicitly queried when working with the S3 API).
Initialize your boto3 S3 client as:
import boto3

# Use the region the bucket lives in (not necessarily the lambda's own region),
# e.g. region_name='eu-west-1'
client = boto3.client('s3', region_name='region_name where bucket is')
See this for the full reference of the boto3 client: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/core/session.html#boto3.session.Session.client
---------Edited------------ You also need the following policy attached to (or inline in) the role of your lambda:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStmt",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::YOUR-BUCKET-NAME/*"
      ]
    }
  ]
}
If you need to list and delete the objects too, then you need to have the following policy instead, attached to (or inline in) the role of the lambda:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStmt1",
      "Action": [
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::YOUR-BUCKET-NAME/*"
      ]
    },
    {
      "Sid": "ExampleStmt2",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::YOUR-BUCKET-NAME"
      ]
    }
  ]
}
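The policies in the answer above are correct about a detail that is the usual cause of an unexplained AccessDenied: S3 evaluates bucket-level actions such as s3:ListBucket against the bucket ARN (arn:aws:s3:::bucket) and object-level actions such as s3:GetObject and s3:DeleteObject against object ARNs (arn:aws:s3:::bucket/*). A statement that puts an action on the wrong ARN type matches no request at all. The block below is an added example, not code from the original post: it generates a least-privilege policy for one bucket with each action on the ARN type it needs (optionally narrowed to a key prefix), and lints an arbitrary policy document for the mismatched-ARN mistake so the role's existing policy can be checked before redeploying. Bucket name, prefix and action lists are placeholders; in CDK v2 Python each generated statement corresponds to an aws_iam.PolicyStatement(actions=..., resources=...) passed to the function's add_to_role_policy, and the region handling from the first part of the answer is unchanged (the boto3 client still needs region_name set to the bucket's region).

```python
"""Least-privilege S3 statements for a Lambda execution role, plus a lint.

Added example, not part of the original answer. Bucket name is a placeholder.
"""
import json

# S3 evaluates these actions against the bucket ARN:  arn:aws:s3:::<bucket>
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}
# ...and these against object ARNs:                   arn:aws:s3:::<bucket>/<key>
OBJECT_LEVEL_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}


def bucket_arn(bucket_name):
    return f"arn:aws:s3:::{bucket_name}"


def objects_arn(bucket_name, prefix=""):
    # A prefix narrows the grant to one "folder", e.g. prefix="reports/"
    return f"arn:aws:s3:::{bucket_name}/{prefix}*"


def s3_access_policy(bucket_name, actions, prefix=""):
    """Return a policy document granting `actions` on one bucket.

    Each action is placed on the ARN type S3 actually evaluates it against.
    """
    unknown = set(actions) - BUCKET_LEVEL_ACTIONS - OBJECT_LEVEL_ACTIONS
    if unknown:
        raise ValueError(f"unsupported actions: {sorted(unknown)}")
    statements = []
    object_actions = sorted(a for a in actions if a in OBJECT_LEVEL_ACTIONS)
    if object_actions:
        statements.append({
            "Sid": "ObjectAccess",
            "Effect": "Allow",
            "Action": object_actions,
            "Resource": [objects_arn(bucket_name, prefix)],
        })
    bucket_actions = sorted(a for a in actions if a in BUCKET_LEVEL_ACTIONS)
    if bucket_actions:
        statements.append({
            "Sid": "BucketAccess",
            "Effect": "Allow",
            "Action": bucket_actions,
            "Resource": [bucket_arn(bucket_name)],
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _arn_kind(resource):
    """Classify an S3 resource ARN as 'object', 'bucket' or 'any'.

    'any' covers wildcards that match both kinds: "*" itself, or a "*" in the
    bucket part (an ARN wildcard also matches a following "/key" suffix).
    """
    if resource == "*":
        return "any"
    path = resource.split(":::", 1)[-1]
    bucket_part, slash, _key = path.partition("/")
    if "*" in bucket_part:
        return "any"
    return "object" if slash else "bucket"


def lint_s3_policy(policy):
    """Report Allow statements whose action sits on the wrong ARN type.

    s3:ListBucket on "bucket/*", or s3:GetObject on the bare bucket ARN,
    matches no request and surfaces as AccessDenied. Returns a list of
    findings; an empty list means nothing was flagged.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        for action in _as_list(stmt["Action"]):
            for resource in _as_list(stmt.get("Resource", [])):
                kind = _arn_kind(resource)
                if action in BUCKET_LEVEL_ACTIONS and kind == "object":
                    findings.append(f"{action} is bucket-level but granted on object ARN {resource}")
                elif action in OBJECT_LEVEL_ACTIONS and kind == "bucket":
                    findings.append(f"{action} is object-level but granted on bucket ARN {resource}")
    return findings


if __name__ == "__main__":
    policy = s3_access_policy("YOUR-BUCKET-NAME",  # placeholder bucket name
                              ["s3:GetObject", "s3:DeleteObject", "s3:ListBucket"])
    print(json.dumps(policy, indent=2))
    print(lint_s3_policy(policy))  # []
```

Running the lint over the role's current policy (for example the output of `aws iam get-role-policy`) is the quick way to tell a misplaced action apart from a genuinely missing one; if the lint is clean and the call still fails, look at the client region and, for a bucket owned by another account, at the bucket policy.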
Your lambda function requires permissions to read S3.
The easiest way to enable that is to add the AWS managed policy:
arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
to your lambda execution role.
Specifying a region is not required, as S3 buckets have global scope.
Notice: the technical posts on this site follow the CC BY-SA 4.0 license. If you need to repost, please cite this site's URL or the original address. For any questions contact: yoyou2525@163.com.