![](/img/trans.png)
[英]Access is denied even if IAM user is specified in S3 bucket policy
[英]Permission denied for IAM policy to S3 bucket
我正在尝试通过Amazon S3,AWS Lambda和Amazon API Gateway即时使用Resize Images来设置调整大小的图像lambda 。 AWS计算博客 。
但是,IAM策略不起作用。 它无权访问S3存储桶。
我在IAM策略模拟器(测试S3 PutObject)中对其进行了测试,并显示了Implicitly denied (not matching statements)
。
我根据授予对Amazon S3存储桶的Lambda执行角色访问权限来编辑策略,但是它给了我同样的错误。
这是我的存储桶策略(已将其更改为以下角色而不是root,但仍通过IAM Policy Stimulator拒绝了):
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowPublicRead",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucketname/*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<my-account-number>::role/<my-role-name>"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::mybucketname",
"arn:aws:s3:::mybucketname/*"
]
}
]
}
这是我的IAM角色政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "*"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "arn:aws:logs:*:*:*"
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::mybucketname/*",
"arn:aws:s3:::mybucketname"
]
}
]
}
这是我的S3重定向规则:
<RoutingRules>
<RoutingRule>
<Condition>
<KeyPrefixEquals/>
<HttpErrorCodeReturnedEquals>404</HttpErrorCodeReturnedEquals>
</Condition>
<Redirect>
<Protocol>https</Protocol>
<HostName>MYAPIENDPOINT.eu-west-1.amazonaws.com</HostName>
<ReplaceKeyPrefixWith>default/resize?key=</ReplaceKeyPrefixWith>
<HttpRedirectCode>307</HttpRedirectCode>
</Redirect>
</RoutingRule>
</RoutingRules>
您确定Lambda函数以root用户身份运行吗? (我什至不知道这是否可行,但您可能不想这样做)
您可以使用以下命令找出Lambda函数的角色:
aws lambda get-function-configuration --function-name YOUR_FUNCTION_NAME | grep Role
您看到的值是您在存储桶策略中应使用的值:
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<my-account-number>:role/service-role/foo-bar-baz"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::mybucketname",
"arn:aws:s3:::mybucketname/*"
]
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.