[英]Permissions on resources defined in cloudformation
I am making a cloudformation template to create a lambda with its permissions.我正在制作一个 cloudformation 模板来创建一个 lambda 及其权限。 I need to access a specific s3 bucket and I am placing its specific arn, however when I execute the lambda it tells me that it does not have permission to access that bucket (getObject), but if I put the almost full name of the s3 arn only that I put a * at the end, if it lets me access the files in that bucket.
我需要访问特定的 s3 存储桶并放置其特定的 arn,但是当我执行 lambda 时它告诉我它没有访问该存储桶 (getObject) 的权限,但是如果我输入 s3 的几乎全名只知道我在末尾放了一个 *,如果它允许我访问该存储桶中的文件。
Bucket name: bucket-test-impl桶名:bucket-test-impl
LambdaSSMPermissions:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- sts:AssumeRole
Policies:
- PolicyName: allowSsmS3
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- ssm:PutParameters
- ssm:PutParameter
- s3:GetObject
Resource:
- arn:aws:s3:::bucket-test-* //THIS WORKS
- arn:aws:s3:::bucket-test-impl //IT DOESN'T WORK AND IT'S THE ONE I NEED,
- !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/abcd/*/*'
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
To access s3 bucket you have to provide /* at the end of path.要访问 s3 存储桶,您必须在路径末尾提供 /*。
change改变
arn:aws:s3:::bucket-test-impl
to到
arn:aws:s3:::bucket-test-impl/*
In the end I was able to remove all references with * using the reading policy that Amazon gives me.最后,我能够使用亚马逊给我的阅读政策删除所有带有 * 的引用。
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
- 'arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess'
With this, I was able to use the direct arn of the file inside the bucket, without using *这样,我就可以直接使用存储桶内文件的 arn,而无需使用 *
Resource:
- arn:aws:s3:::bucket-test-impl
or:或者:
Resource:
- arn:aws:s3:::bucket-test-impl/fileName
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.