Access S3 bucket from Lambda when S3 has VPC restriction
I have an S3 bucket with a VPC access restriction condition in its bucket policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPC-only-xxxx",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::xxxx",
        "arn:aws:s3:::xxxx/*"
      ],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "xxxx"
        },
        "StringNotEquals": {
          "aws:sourceVpc": "vpc-xxxx"
        }
      }
    }
  ]
}
Now I have created a Lambda function with a role that has full S3 access, and I find that the function (doing something simple with boto3 such as get_object or download_file) is denied access by S3. What should I add to the S3 policy to allow the function access?
The error message is:
An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied: ClientError
Traceback (most recent call last)
  File "/var/task/SampleFunctionTest.py", line 17, in handler
    for obj in my_bucket.objects.all():
  ...
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied
Is it an option to put the Lambda function in the same VPC? If so, that is what I would go with. In addition, you would need to either remove the NotIpAddress condition or add the CIDR block of the subnet the Lambda function is in:
"NotIpAddress": {
  "aws:SourceIp": ["xxxx", "x-lambda-subnet-ip-range"]
}
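To see why the function is denied and what each of the suggested changes does, here is an added example that is not part of the question or the answer above: a small Python simulation of how IAM evaluates the Condition block of this Deny statement. It models the documented semantics that all condition operators inside one Condition block are ANDed, that a negated operator such as NotIpAddress or StringNotEquals evaluates to true when its key is absent from the request context, and that aws:SourceIp is absent (and aws:sourceVpc present) for requests that reach S3 through a VPC endpoint. The CIDR 203.0.113.0/24, the VPC ID vpc-0123456789abcdef0 and the per-scenario IP addresses are constructed placeholders standing in for the xxxx values in the policy.

```python
import ipaddress

# Constructed stand-ins for the "xxxx" placeholders in the bucket policy (assumed values).
ALLOWED_SOURCE_IPS = ["203.0.113.0/24"]
ALLOWED_VPC = "vpc-0123456789abcdef0"

# The Condition block of the Deny statement from the question, with the placeholders filled in.
DENY_CONDITION = {
    "NotIpAddress": {"aws:SourceIp": ALLOWED_SOURCE_IPS},
    "StringNotEquals": {"aws:sourceVpc": [ALLOWED_VPC]},
}


def not_ip_address(ctx_value, cidrs):
    """NotIpAddress: true if the key is absent from the request context,
    or the address lies inside none of the listed CIDRs."""
    if ctx_value is None:
        return True
    ip = ipaddress.ip_address(ctx_value)
    return not any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in cidrs)


def string_not_equals(ctx_value, values):
    """StringNotEquals: true if the key is absent, or the value equals none of the listed values."""
    if ctx_value is None:
        return True
    return ctx_value not in values


OPERATORS = {"NotIpAddress": not_ip_address, "StringNotEquals": string_not_equals}


def deny_applies(condition, request_context):
    """A Deny statement takes effect only when every operator in its Condition
    block is true for the request context (operators are ANDed)."""
    for op_name, key_values in condition.items():
        op = OPERATORS[op_name]
        for key, values in key_values.items():
            if not op(request_context.get(key), values):
                return False
    return True


def with_extra_source_ip(condition, cidr):
    """Copy of the condition with one more CIDR in the aws:SourceIp list, i.e. the
    answer's suggestion applied to whatever public address S3 actually sees."""
    patched = {op: {k: list(v) for k, v in kv.items()} for op, kv in condition.items()}
    patched["NotIpAddress"]["aws:SourceIp"].append(cidr)
    return patched


# Constructed request contexts for the ways a Lambda function can reach S3.
SCENARIOS = {
    # No VPC configuration: the call comes from AWS-owned public address space, no VPC context.
    "lambda_no_vpc": {"aws:SourceIp": "198.51.100.7"},
    # In the VPC, through an S3 gateway endpoint: aws:sourceVpc is set, aws:SourceIp is absent.
    "lambda_in_vpc_via_endpoint": {"aws:sourceVpc": ALLOWED_VPC},
    # In the VPC, egressing through a NAT gateway: S3 sees the NAT's public IP, no VPC context.
    "lambda_in_vpc_via_nat": {"aws:SourceIp": "192.0.2.44"},
    # A client on the allow-listed address range.
    "allowed_office_ip": {"aws:SourceIp": "203.0.113.10"},
}


def simulate(condition=DENY_CONDITION):
    """Map each scenario name to whether the bucket policy's Deny blocks it."""
    return {name: deny_applies(condition, ctx) for name, ctx in SCENARIOS.items()}


if __name__ == "__main__":
    for name, denied in simulate().items():
        print(f"{name:28s} -> {'DENIED' if denied else 'not denied by bucket policy'}")
    nat_fixed = simulate(with_extra_source_ip(DENY_CONDITION, "192.0.2.44/32"))
    state = "DENIED" if nat_fixed["lambda_in_vpc_via_nat"] else "not denied by bucket policy"
    print(f"after adding the NAT public IP /32: lambda_in_vpc_via_nat -> {state}")
```

Running it shows the three outcomes a practitioner cares about: a function with no VPC configuration is denied because both negated conditions are true at once; a function in the VPC that reaches S3 through a gateway endpoint is not denied, since the aws:sourceVpc check fails and the AND collapses; and a function in the VPC that egresses through a NAT gateway presents the NAT gateway's public address, so it is that public address, not the subnet's private range, that has to appear in aws:SourceIp for the NAT path to pass. Dropping the NotIpAddress operator instead turns the statement into a VPC-only Deny, which also locks out the allow-listed office range.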