[英]Getting "AccessDenied: Access Denied" inside lambda when getting an object from s3
I've tried changing our custom policy to allow access to the particular bucket that's giving the AccessDenied
error, without any luck.我已经尝试更改我们的自定义策略以允许访问出现
AccessDenied
错误的特定存储桶,但没有任何运气。 Imagine that bucket1
is a bucket that the lambda normally accesses, and bucket2
is the bucket that's throwing AccessDenied
when the lambda accesses it.假设
bucket1
是lambda正常访问的bucket, bucket2
是lambda访问时抛出AccessDenied
的bucket。 I've changed the Resource
block from我已经将
Resource
块从
{
...
{
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::us-east-1-bucket1/*",
"Effect": "Allow"
}
...
to到
{
...
{
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::us-east-1-bucket1/*",
"arn:aws:s3:::us-east-1-bucket2/*"
],
"Effect": "Allow"
}
...
I'm still getting the AccessDenied
error.我仍然收到
AccessDenied
错误。
Per @Caldazar's comment about IAM users vs roles, the lambda's execution role has 3 policies:根据@Caldazar 关于 IAM 用户与角色的评论,lambda 的执行角色有 3 个策略:
arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess
, specifically: arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess
,特别是:{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"xray:PutTraceSegments",
"xray:PutTelemetryRecords",
"xray:GetSamplingRules",
"xray:GetSamplingTargets",
"xray:GetSamplingStatisticSummaries"
],
"Resource": [
"*"
]
}
]
}
arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
, specifically: arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
,特别是:{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:*"
],
"Resource": "arn:aws:logs:us-east-1:*:log-group:/aws/lambda/*:*:*",
"Effect": "Allow"
},
{
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::us-east-1-bucket1/*",
"Effect": "Allow"
}
]
}
In lambda@edge I have an origin-response
response lambda that is trying to pull an object out of s3 to be used as the response.在 lambda@edge 中,我有一个
origin-response
响应 lambda,它试图从 s3 中提取一个 object 用作响应。 However I'm getting this AccessDenied
error when I try to list the contents of the bucket using a particular prefix.但是,当我尝试使用特定前缀列出存储桶的内容时,出现了这个
AccessDenied
错误。 This is my code:这是我的代码:
const getVidS3 = (s3, bucketName, fileName) =>
new Promise((res, rej) => {
const start = Date.now();
s3.listObjects(
{
Bucket: bucketName,
Delimiter: '/',
Prefix: `${fileName}/`,
MaxKeys: 1,
},
function (err, data) {
console.log(
'================ milliseconds to list objects:',
Date.now() - start
);
if (err) return rej(err);
if (!Array.isArray(data.Contents) || data.Contents.length < 1) {
return rej('original raw video not found');
}
console.log('============= s3 objects:', data);
const rawVidFileKey = data.Contents[0].Key;
s3.getObject(
{
Bucket: bucketName,
Key: rawVidFileKey,
},
(err, data) => {
console.log(
'================ milliseconds to get video object:',
Date.now() - start
);
if (err) {
return rej(err);
}
const contentType = data.ContentType;
const video = data.Body;
console.log('=============== S3 video data', data);
return res({ video, contentType });
}
);
}
);
});
The error is from listObjects
.错误来自
listObjects
。 I've gone over this set of suggestions but I'm not sure I took the right steps because I used the IAM user that I use to access the dashboard, which may have higher permissions than the one the lambda uses.我已经阅读了这组建议,但我不确定我是否采取了正确的步骤,因为我使用了我用来访问仪表板的 IAM 用户,它可能比 lambda 使用的用户具有更高的权限。 More so, I recreated this
getVidS3
function locally using my admin credentials and it works, so I think I need help determining how to give the lambda the appropriate permissions.更重要的是,我使用我的管理员凭据在本地重新创建了这个
getVidS3
function 并且它有效,所以我想我需要帮助来确定如何为 lambda 提供适当的权限。 I didn't create the system and I'm not very proficient with aws, so bear with me if this feels incomplete.我没有创建系统,我也不是很精通 aws,所以如果感觉不完整,请耐心等待。 What/where else can I check to see why this is happening?
我还可以检查什么/其他地方以了解为什么会发生这种情况? Thanks in advance.
提前致谢。
The problem is in your policy.问题出在你的政策上。 The policy allows
GET
of the objects, but not List
.该策略允许
GET
对象,但不允许List
。 You're missing the ListBucket
action on the bucket itself.您缺少对存储桶本身的
ListBucket
操作。
You need to change this:你需要改变这个:
{
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::us-east-1-bucket1/*",
"Effect": "Allow"
}
To this:对此:
{
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::us-east-1-bucket1/*",
"arn:aws:s3:::us-east-1-bucket1"
]
"Effect": "Allow"
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.