从 s3 获取 object 时,在 lambda 中获取“AccessDenied: Access Denied”
[英]Getting "AccessDenied: Access Denied" inside lambda when getting an object from s3
问题描述
Update 2
更新 2
I've tried changing our custom policy to allow access to the particular bucket that's giving the AccessDenied error, without any luck.我已经尝试更改我们的自定义策略以允许访问出现AccessDenied错误的特定存储桶,但没有任何运气。 Imagine that bucket1 is a bucket that the lambda normally accesses, and bucket2 is the bucket that's throwing AccessDenied when the lambda accesses it.假设bucket1是lambda正常访问的bucket, bucket2是lambda访问时抛出AccessDenied的bucket。 I've changed the Resource block from我已经将Resource块从
{
...
{
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::us-east-1-bucket1/*",
"Effect": "Allow"
}
...
to到
{
...
{
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::us-east-1-bucket1/*",
"arn:aws:s3:::us-east-1-bucket2/*"
],
"Effect": "Allow"
}
...
I'm still getting the AccessDenied error.我仍然收到AccessDenied错误。
Update更新
Per @Caldazar's comment about IAM users vs roles, the lambda's execution role has 3 policies:根据@Caldazar 关于 IAM 用户与角色的评论,lambda 的执行角色有 3 个策略:
- the AWS managed
arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess, specifically:AWS 管理的arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess,特别是:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"xray:PutTraceSegments",
"xray:PutTelemetryRecords",
"xray:GetSamplingRules",
"xray:GetSamplingTargets",
"xray:GetSamplingStatisticSummaries"
],
"Resource": [
"*"
]
}
]
}
- the AWS managed
arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole, specifically:AWS 管理的arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole,特别是:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
}
]
}
- our custom policy, specifically:我们的定制政策,特别是:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:*"
],
"Resource": "arn:aws:logs:us-east-1:*:log-group:/aws/lambda/*:*:*",
"Effect": "Allow"
},
{
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::us-east-1-bucket1/*",
"Effect": "Allow"
}
]
}
In lambda@edge I have an origin-response response lambda that is trying to pull an object out of s3 to be used as the response.在 lambda@edge 中,我有一个origin-response响应 lambda,它试图从 s3 中提取一个 object 用作响应。 However I'm getting this AccessDenied error when I try to list the contents of the bucket using a particular prefix.但是,当我尝试使用特定前缀列出存储桶的内容时,出现了这个AccessDenied错误。 This is my code:这是我的代码:
const getVidS3 = (s3, bucketName, fileName) =>
new Promise((res, rej) => {
const start = Date.now();
s3.listObjects(
{
Bucket: bucketName,
Delimiter: '/',
Prefix: `${fileName}/`,
MaxKeys: 1,
},
function (err, data) {
console.log(
'================ milliseconds to list objects:',
Date.now() - start
);
if (err) return rej(err);
if (!Array.isArray(data.Contents) || data.Contents.length < 1) {
return rej('original raw video not found');
}
console.log('============= s3 objects:', data);
const rawVidFileKey = data.Contents[0].Key;
s3.getObject(
{
Bucket: bucketName,
Key: rawVidFileKey,
},
(err, data) => {
console.log(
'================ milliseconds to get video object:',
Date.now() - start
);
if (err) {
return rej(err);
}
const contentType = data.ContentType;
const video = data.Body;
console.log('=============== S3 video data', data);
return res({ video, contentType });
}
);
}
);
});
The error is from listObjects .错误来自listObjects 。 I've gone over this set of suggestions but I'm not sure I took the right steps because I used the IAM user that I use to access the dashboard, which may have higher permissions than the one the lambda uses.我已经阅读了这组建议,但我不确定我是否采取了正确的步骤,因为我使用了我用来访问仪表板的 IAM 用户,它可能比 lambda 使用的用户具有更高的权限。 More so, I recreated this getVidS3 function locally using my admin credentials and it works, so I think I need help determining how to give the lambda the appropriate permissions.更重要的是,我使用我的管理员凭据在本地重新创建了这个getVidS3 function 并且它有效,所以我想我需要帮助来确定如何为 lambda 提供适当的权限。 I didn't create the system and I'm not very proficient with aws, so bear with me if this feels incomplete.我没有创建系统,我也不是很精通 aws,所以如果感觉不完整,请耐心等待。 What/where else can I check to see why this is happening?我还可以检查什么/其他地方以了解为什么会发生这种情况? Thanks in advance.提前致谢。
1 个解决方案
解决方案1
2 已采纳 2022-02-11 14:00:14
The problem is in your policy.问题出在你的政策上。 The policy allows GET of the objects, but not List .该策略允许GET对象,但不允许List 。 You're missing the ListBucket action on the bucket itself.您缺少对存储桶本身的ListBucket操作。
You need to change this:你需要改变这个:
{
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::us-east-1-bucket1/*",
"Effect": "Allow"
}
To this:对此:
{
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::us-east-1-bucket1/*",
"arn:aws:s3:::us-east-1-bucket1"
]
"Effect": "Allow"
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.