AWS Lambda: Cross account Policy for Lambda function S3 to S3 copy

We are trying to implement the Lambda function which will copy the object from one S3 bucket to another S3 bucket in a cross account, based on the source S3 bucket events. Currently we are able to copy the file between source and target within the same SAG. But when we tried to implement the same logic with cross account, we are getting the CopyObject operation: Access Denied issue. I have given the following bucket policy. Can you please help me to get the correct IAM and bucket policy to resolve this issue?

{
    "Version": "2012-10-17",
    "Id": "Policy1603404813917",
    "Statement": [
        {
            "Sid": "Stmt1603404812651",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::6888889898:role/Staff"
            },
            "Action": [
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::source-bucktet-testing-lambda/*",
                "arn:aws:s3:::source-bucktet-testing-lambda"
            ]
        }
    ]
}

Based on the https://www.lixu.ca/2016/09/aws-lambda-and-s3-how-to-do-cross_83.html link, yes, we can implement the same logic with the help of access ID and access secret keys for source and dest. But I am trying to implement the same logic without access ID and access secret keys for source and dest, granting access for both source and target buckets with the appropriate policy and making it work like the same account.

To reproduce your situation, I did the following:

  • In Account-A:
    • Created an Amazon S3 bucket (Bucket-A)
    • Created an IAM Role (Role-A)
    • Created an AWS Lambda function (Lambda-A) and assigned Role-A to the function
    • Configured an Amazon S3 Event on Bucket-A to trigger Lambda-A for "All object create events"
  • In Account-B:
    • Created an Amazon S3 bucket (Bucket-B) with a bucket policy (see below)

IAM Role

Role-A has the AWSLambdaBasicExecutionRole managed policy, and also this Inline Policy that assigns the Lambda function permission to read from Bucket-A and write to Bucket-B:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket-a/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::bucket-b/*"
        }
    ]
}

Bucket Policy on destination bucket

The Bucket Policy on Bucket-B permits access from the Role-A IAM Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ACCOUNT-A:role/role-a"
            },
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::bucket-b/*"
        }
    ]
}

Lambda Function

Lambda-A is triggered when an object is created in Bucket-A, and copies it to Bucket-B:

import boto3
import urllib.parse  # import the submodule explicitly; 'import urllib' alone does not guarantee urllib.parse is loaded

TARGET_BUCKET = 'bucket-b'

def lambda_handler(event, context):

    # Get incoming bucket and key from the S3 event record
    # (keys are URL-encoded in the event, so decode them before use)
    source_bucket = event['Records'][0]['s3']['bucket']['name']
    source_key = urllib.parse.unquote_plus(event['Records'][0]['s3']['object']['key'])

    # Copy object to different bucket
    s3_resource = boto3.resource('s3')
    copy_source = {
        'Bucket': source_bucket,
        'Key': source_key
    }
    target_key = source_key # Change if desired

    # The ACL makes the destination account the owner of the copied object
    s3_resource.Bucket(TARGET_BUCKET).Object(target_key).copy(copy_source, ExtraArgs={'ACL': 'bucket-owner-full-control'})

I grant ACL=bucket-owner-full-control because copying objects to buckets owned by different accounts can sometimes cause the objects to still be 'owned' by the original account. Using this ACL grants ownership to the account that owns the destination bucket.

Testing

I uploaded a file to Bucket-A in Account-A.

The file was correctly copied to Bucket-B in Account-B.

Comments

The solution does NOT require:

  • A bucket policy on Bucket-A, since Role-A grants the necessary permissions
  • Turning off S3 Block Public Access, since the permissions assigned do not grant 'public' access

Assuming the following:

  1. The above mentioned policy is for the source bucket
  2. 6888889898 is the Destination AWS account
  3. The Lambda for copying the file is located in the destination AWS account and has the Staff role attached to it.

Even after setting all these correctly, the copy operation may fail. This is because the Policy allows you to get/put S3 objects, but not the tags associated with those S3 objects.

You will need to ALLOW the following actions as well: "s3:GetObjectTagging" and "s3:PutObjectTagging".
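The following Python script is an added example, not code from the question or from either answer. It encodes, offline, the rule that the first answer's set-up relies on and that explains the asker's Access Denied: when the caller's role and the bucket live in different accounts, an S3 action is allowed only if BOTH the role's identity policy AND the bucket policy allow it (and nothing explicitly denies it); within a single account, either policy alone is enough. It also lists the actions a CopyObject call must be allowed for, including the s3:GetObjectTagging / s3:PutObjectTagging pair the second answer points out for tagged source objects, and it goes beyond the page's single case by evaluating same-account and explicit-deny scenarios too. The account IDs, bucket names, role name and object keys are constructed placeholders, and the evaluator is a simplified model of IAM (no conditions, no SCPs, no session policies), not the AWS policy engine.

```python
"""Offline evaluator for the cross-account S3 copy set-up (added example,
simplified IAM model: Deny wins; cross-account needs identity AND bucket
policy allows; same-account needs either one).  All IDs are placeholders."""
import fnmatch

ACCOUNT_A = "111111111111"   # constructed placeholder, owns bucket-a and role-a
ACCOUNT_B = "222222222222"   # constructed placeholder, owns bucket-b
ROLE_A = f"arn:aws:iam::{ACCOUNT_A}:role/role-a"
BUCKET_OWNER = {"bucket-a": ACCOUNT_A, "bucket-b": ACCOUNT_B}

# Identity policy attached to Role-A (mirrors the accepted answer's inline policy)
ROLE_A_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::bucket-a/*"},
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:PutObjectAcl"],
         "Resource": "arn:aws:s3:::bucket-b/*"},
    ],
}

# Bucket policy on bucket-b (Account-B) granting Role-A from Account-A
BUCKET_B_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ROLE_A},
         "Action": ["s3:PutObject", "s3:PutObjectAcl"],
         "Resource": "arn:aws:s3:::bucket-b/*"},
    ],
}
BUCKET_POLICIES = {"bucket-b": BUCKET_B_POLICY}   # bucket-a needs none


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, principal_arn):
    if "Principal" not in stmt:          # identity policies carry no Principal
        return True
    principal = stmt["Principal"]
    if principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", []))
    return "*" in allowed or principal_arn in allowed


def evaluate(policy, action, resource_arn, principal_arn=None):
    """Return 'Deny', 'Allow' or None (no statement matched). Deny wins."""
    verdict = None
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt, principal_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        verdict = "Allow"
    return verdict


def is_allowed(action, bucket, key, principal_arn, identity_policy,
               bucket_policies=BUCKET_POLICIES, bucket_owner=BUCKET_OWNER):
    """Combine identity and bucket policy the way cross-account S3 access requires."""
    resource_arn = f"arn:aws:s3:::{bucket}/{key}"
    by_identity = evaluate(identity_policy, action, resource_arn)
    bucket_policy = bucket_policies.get(bucket)
    by_bucket = (evaluate(bucket_policy, action, resource_arn, principal_arn)
                 if bucket_policy else None)
    if "Deny" in (by_identity, by_bucket):
        return False
    caller_account = principal_arn.split(":")[4]   # account ID field of the ARN
    if caller_account == bucket_owner[bucket]:
        return "Allow" in (by_identity, by_bucket)          # same account: either
    return by_identity == "Allow" and by_bucket == "Allow"  # cross account: both


def copy_requirements(src_bucket, src_key, dst_bucket, dst_key, acl=None, tagged_source=False):
    """(action, bucket, key) triples a CopyObject call must be allowed for."""
    needed = [("s3:GetObject", src_bucket, src_key), ("s3:PutObject", dst_bucket, dst_key)]
    if acl:                      # e.g. bucket-owner-full-control
        needed.append(("s3:PutObjectAcl", dst_bucket, dst_key))
    if tagged_source:            # tags travel with the copy, per the second answer
        needed += [("s3:GetObjectTagging", src_bucket, src_key),
                   ("s3:PutObjectTagging", dst_bucket, dst_key)]
    return needed


def check_copy(principal_arn, identity_policy, src_bucket, src_key, dst_bucket,
               dst_key, acl=None, tagged_source=False):
    """Map each required action to True/False; the copy succeeds only if all are True."""
    return {action: is_allowed(action, bucket, key, principal_arn, identity_policy)
            for action, bucket, key in copy_requirements(
                src_bucket, src_key, dst_bucket, dst_key, acl, tagged_source)}


if __name__ == "__main__":
    print(check_copy(ROLE_A, ROLE_A_POLICY, "bucket-a", "report.csv", "bucket-b",
                     "report.csv", acl="bucket-owner-full-control"))
    print(check_copy(ROLE_A, ROLE_A_POLICY, "bucket-a", "report.csv", "bucket-b",
                     "report.csv", acl="bucket-owner-full-control", tagged_source=True))
```

Running it shows all three actions of the untagged copy allowed, while the tagged copy reports the two tagging actions as denied until both policies are extended with them. Dropping the bucket-b statement from the role's identity policy makes s3:PutObject fail even though the bucket policy still grants it, which is the cross-account trap the question runs into.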
