[英]Deploy Lambda with code source from another accounts s3 bucket
I store my Lambda zip files in an S3 bucket in Account A. In Account BI have my Lambda. I am trying to have my Lambda use the zip file in Account A's bucket but I keep getting:我将我的 Lambda zip 文件存储在帐户 A 的 S3 存储桶中。在帐户 BI 中有我的 Lambda。我试图让我的 Lambda 使用帐户 A 存储桶中的 zip 文件,但我不断收到:
Your access has been denied by S3, please make sure your request credentials have permission to GetObject for bucket/code.zip. S3 Error Code: AccessDenied. S3 Error Message: Access Denied
I have followed guides I have found online but I am still facing issues.我已经按照我在网上找到的指南进行操作,但我仍然面临问题。 Here is my current config:这是我当前的配置:
Account A's S3 Bucket Policy:账户 A 的 S3 存储桶策略:
{
"Version": "2012-10-17",
"Id": "ExamplePolicy",
"Statement": [
{
"Sid": "ExampleStmt",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountBID:role/MyLambdaRole"
},
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bucket",
"arn:aws:s3:::bucket/*"
]
}
]
}
Account B's Lambda Execution Role Policy:账户 B 的 Lambda 执行角色策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bucket/*",
"arn:aws:s3:::bucket"
]
}
]
}
The principal in your bucket policy is the role that AWS Lambda uses during execution, which is not used when deploying your function. You could easily just allow the entire B account principal in the bucket policy and then use IAM policies in account B to allow access to the bucket that way.存储桶策略中的主体是 AWS Lambda 在执行期间使用的角色,在部署 function 时不使用该角色。您可以轻松地只允许存储桶策略中的整个 B 帐户主体,然后使用帐户 B 中的 IAM 策略以允许访问以这种方式到水桶。
A bucket policy allowing an entire account looks like this:允许整个帐户的存储桶策略如下所示:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "ProductAccountAccess",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::XXXX-account-number:root"
]
},
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::bucket",
"arn:aws:s3:::bucket/*"
]
}
]
}
This means that the IAM policies in account B depend on how you do your deployment.这意味着账户 B 中的 IAM 策略取决于您的部署方式。 Meaning that whatever credentials are used for the deployment need to have S3 permissions for that bucket.这意味着无论用于部署的凭据都需要具有该存储桶的 S3 权限。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.