Access is denied even if IAM user is specified in S3 bucket policy
Permission denied for IAM policy to S3 bucket
I am trying to set up a resize-image Lambda following "Resize Images on the Fly with Amazon S3, AWS Lambda, and Amazon API Gateway" on the AWS Compute Blog.
However, the IAM policy does not work: it has no access to the S3 bucket.
I tested it in the IAM Policy Simulator (testing S3 PutObject) and it shows Implicitly denied (not matching statements).
I edited the policy according to "Granting the Lambda execution role access to an Amazon S3 bucket", but it gives me the same error.
Here is my bucket policy (I have changed it to the role below instead of root, but it is still denied by the IAM Policy Simulator):
```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPublicRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::mybucketname/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<my-account-number>::role/<my-role-name>"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::mybucketname",
        "arn:aws:s3:::mybucketname/*"
      ]
    }
  ]
}
```
Here is my IAM role policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "logs:CreateLogGroup",
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Sid": "VisualEditor3",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::mybucketname/*",
        "arn:aws:s3:::mybucketname"
      ]
    }
  ]
}
```
Here are my S3 redirect rules:
```xml
<RoutingRules>
  <RoutingRule>
    <Condition>
      <KeyPrefixEquals/>
      <HttpErrorCodeReturnedEquals>404</HttpErrorCodeReturnedEquals>
    </Condition>
    <Redirect>
      <Protocol>https</Protocol>
      <HostName>MYAPIENDPOINT.eu-west-1.amazonaws.com</HostName>
      <ReplaceKeyPrefixWith>default/resize?key=</ReplaceKeyPrefixWith>
      <HttpRedirectCode>307</HttpRedirectCode>
    </Redirect>
  </RoutingRule>
</RoutingRules>
```
Are you sure the Lambda function runs as the root user? (I don't even know whether that is possible, but you probably don't want to do that.)
You can find out the role of the Lambda function with the following command:

```shell
aws lambda get-function-configuration --function-name YOUR_FUNCTION_NAME | grep Role
```

The value you see is the value you should use in the bucket policy:
```json
{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::<my-account-number>:role/service-role/foo-bar-baz"
  },
  "Action": "s3:*",
  "Resource": [
    "arn:aws:s3:::mybucketname",
    "arn:aws:s3:::mybucketname/*"
  ]
}
```
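As an added illustration (not code from the question or the answer), a small stdlib-only Python lint that checks every AWS principal in a bucket policy against the IAM ARN shape the answer shows and against the role ARN returned by `get-function-configuration`; it also reports the `"AWS": "*"` read statement so it is not overlooked. The account id, the `AllowLambdaRole` Sid and the role name are constructed placeholders.

```python
import re

# Shape of an IAM principal ARN that S3 bucket policies accept: a 12-digit
# account id, then ONE colon, then "root", "role/<path>/<name>" or "user/<name>".
IAM_PRINCIPAL = re.compile(
    r"^arn:aws:iam::(\d{12}):(?:root|(?:role|user)/(?:[^/]+/)*[^/]+)$"
)

def lint_bucket_policy(policy, lambda_role_arn):
    """Classify every AWS principal in the policy; returns (Sid, ARN, verdict) tuples."""
    findings = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        # Principal may be the bare string "*" or a {"AWS": <str or list>} object.
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for arn in [aws] if isinstance(aws, str) else aws:
            if arn == "*":
                verdict = "public principal"
            elif not IAM_PRINCIPAL.match(arn):
                verdict = "malformed IAM ARN"  # e.g. '::role/' instead of ':role/'
            elif arn != lambda_role_arn:
                verdict = "does not match the Lambda execution role"
            else:
                verdict = "ok"
            findings.append((sid, arn, verdict))
    return findings

# Constructed sample data: account id and role name are placeholders.
LAMBDA_ROLE_ARN = "arn:aws:iam::123456789012:role/service-role/foo-bar-baz"
BROKEN_PRINCIPAL = "arn:aws:iam::123456789012::role/foo-bar-baz"  # double colon

def sample_policy(role_principal):
    """Bucket policy with the same two statements as the question, for a given principal."""
    return {
        "Version": "2008-10-17",
        "Statement": [
            {"Sid": "AllowPublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mybucketname/*"},
            {"Sid": "AllowLambdaRole", "Effect": "Allow",
             "Principal": {"AWS": role_principal}, "Action": "s3:*",
             "Resource": ["arn:aws:s3:::mybucketname", "arn:aws:s3:::mybucketname/*"]},
        ],
    }

if __name__ == "__main__":
    for label, arn in (("broken", BROKEN_PRINCIPAL), ("fixed", LAMBDA_ROLE_ARN)):
        for finding in lint_bucket_policy(sample_policy(arn), LAMBDA_ROLE_ARN):
            print(label, *finding)
```

Feed it the live policy from `aws s3api get-bucket-policy` and the Role value from the command above to see which statement is actually granting (or failing to grant) the Lambda access.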