尝试访问上载到s3存储桶的文件时，lambda中的访问被拒绝

Question

继我在原始帖子中获得的巨大帮助之后

将文件上传到s3存储桶，触发lambda，该lambda发送一封电子邮件，其中包含有关上传到s3 buket的文件的信息

我已经测试过以前发送过的电子邮件，因此我知道它可以工作，但是当我尝试包含上传数据时，它会引发错误

Could not fetch object data:  { AccessDenied: Access Denied
at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/services/s3.js:577:35)
at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:105:20)
at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:683:14)

我在网上找到了很多与此角色有关的q相关问题。因此，我在s3事件中添加了lambda，并为角色添加了s3权限。

https://stackoverflow.com/questions/35589641/aws-lambda-function-getting-access-denied-when-getobject-from-s3

不幸的是，这些都没有帮助。 我注意到了一条评论

Then the best solution is to allow S3FullAccess, see if it works. If it does, then remove one set of access at a time from the policy and find the least privileges required for your Lambda to work. If it does not work even after giving S3FullAccess, then the problem is elsewhere

那么我将如何去寻找问题所在？

谢谢你

   'use strict';

console.log('Loading function');

var aws = require('aws-sdk');
var ses = new aws.SES({
   region: 'us-west-2'
});
//var fileType = require('file-type');

console.log('Loading function2');

var s3 = new aws.S3({ apiVersion: '2006-03-01', accessKeyId: process.env.ACCESS_KEY, secretAccessKey: process.env.SECRET_KEY, region: process.env.LAMBDA_REGION });

console.log('Loading function3');
//var textt = "";

exports.handler = function(event, context) {
    console.log("Incoming: ", event);

  //  textt = event.Records[0].s3.object.key;
   // var output = querystring.parse(event);

   //var testData = null;

   // Get the object from the event and show its content type
   // const bucket = event.Records[0].s3.bucket.name;
   // const key = decodeURIComponent(event.Records[0].s3.object.key.replace(/\+/g, ' '));
    const params = {
       Bucket: 'bucket',
       Key: 'key',
    };

    s3.getObject(params, function(err, objectData) {
    if (err) {
        console.log('Could not fetch object data: ', err);
    } else {
        console.log('Data was successfully fetched from object');
        var eParams = {
            Destination: {
                ToAddresses: ["fake@fake.com"]
            },
            Message: {
                Body: {
                    Text: {
                        Data: objectData
                       // Data: textt
                    }
                },
                Subject: {
                    Data: "Email Subject!!!"
                }
            },
            Source: "fake@fake.com"
        };

        console.log('===SENDING EMAIL===');

        var email = ses.sendEmail(eParams, function(err, emailResult) {
            if (err) console.log('Error while sending email', err);
            else {
                console.log("===EMAIL SENT===");
                //console.log(objectData);
                console.log("EMAIL CODE END");
                console.log('EMAIL: ', emailResult);
                context.succeed(event);
            }
        });
    }
});

};

更新我已经在代码中添加了注释并检查了日志...它没有越过这一行

var s3 = new aws.S3({ apiVersion: '2006-03-01', accessKeyId: process.env.ACCESS_KEY, secretAccessKey: process.env.SECRET_KEY, region: process.env.LAMBDA_REGION });

无论如何，这与拒绝访问有关吗？

注意：我想要的是上传文件的文件名

更新2

iv用var s3 = new aws.S3().getObject({ Bucket: this.awsBucketName, Key: 'keyName' }, function(err, data) { if (!err) console.log(data.Body.toString()); });

但这是作为TypeError: s3.getObject is not a function触发的TypeError: s3.getObject is not a function

也尝试过... var s3 = new aws.S3();

这回到了Could not fetch object data: { AccessDenied: Access Denied的原始错误Could not fetch object data: { AccessDenied: Access Denied

Answer 1

首先，区域应该是S3桶区域，而不是lambda区域。 接下来，您需要验证您的凭据，以及它们是否有权访问您定义的S3存储桶。 正如您在评论之一中所述，请尝试将S3完全访问Amazon托管策略附加到您的IAM用户，该策略与您在Lambda中使用的凭证相关联。 下一步将使用aws cli来查看是否可以访问该存储桶。 也许像-

aws s3 ls

---

上面已经说过了，您根本不应该使用凭据。 由于Lambda和S3是亚马逊服务，因此您应该使用角色。 只需赋予Lambda一个角色，使其可以完全访问S3，并且不要为此使用aws IAM凭据。 和

var s3 = new AWS.S3();

足够了。