terraform/aws lambda function access denied on s3
Testing the AWS instance scheduler with terraform. The code is here

It looks like my code is littered with this error:

Error: error waiting for CloudFormation Stack creation: failed to create CloudFormation stack, rollback requested (ROLLBACK_COMPLETE): ["The following resource(s) failed to create: [Main]. Rollback requested by user." "Your access has been denied by S3, please make sure your request credentials have permission to GetObject for solutions-us-gov-west-1/aws-instance-scheduler/v1.3.1/instance-scheduler.zip. S3 Error Code: AccessDenied. S3 Error Message: Access Denied (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException; Request ID: 731b7c0d-cda9-4f9e-b821-efed4cbced46; Proxy: null)"]
Here is part of the code:

IAM policy
"InstanceSchedulerEncryptionKeyAlias": {
  "Type": "AWS::KMS::Alias",
  "Properties": {
    "AliasName": "alias/instance-scheduler-encryption-key",
    "TargetKeyId": {
      "Ref": "InstanceSchedulerEncryptionKey"
    }
  }
},
"SchedulerPolicy": {
  "Type": "AWS::IAM::Policy",
  "Metadata": {
    "cfn_nag": {
      "rules_to_suppress": [
        {
          "id": "W12",
          "reason": "All policies have been scoped to be as restrictive as possible. This solution needs to access ec2/rds resources across all regions."
        }
      ]
    }
  },
  "Properties": {
    "PolicyName": "SchedulerPolicy",
    "Roles": [
      {
        "Ref": "SchedulerRole"
      }
    ],
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents",
            "logs:PutRetentionPolicy",
            "logs:*"
          ],
          "Resource": [
            {
              "Fn::Join": [
                ":",
                [
                  "arn:aws-us-gov:logs:*:*:*",
                  {
                    "Ref": "AWS::Region"
                  },
                  {
                    "Ref": "AWS::AccountId"
                  },
                  "log-group",
                  {
                    "Ref": "SchedulerLogGroup"
                  },
                  "*"
                ]
              ]
            },
            {
              "Fn::Join": [
                ":",
                [
                  "arn:aws-us-gov:logs:*:*:*",
                  {
                    "Ref": "AWS::Region"
                  },
                  {
                    "Ref": "AWS::AccountId"
                  },
                  "log-group:/aws/lambda/*"
                ]
              ]
            }
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:*"
          ],
          "Resource": [
            "arn:aws-us-gov:s3:::*"
          ]
        },
IAM role
"SchedulerRole": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "lambda.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        },
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "events.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    },
    "Path": "/"
  }
},
I'm sure it's getting confused by my formatting in the code, or I'm missing something in the role or policy for s3. I've looked at similar questions here and would appreciate any pointers on my code. I know I'm close.
There is a problem with the join in your SchedulerPolicy. You need to remove the trailing *:*:*.
"Fn::Join": [
  ":",
  [
    "arn:aws-us-gov:logs:*:*:*",
    {
      "Ref": "AWS::Region"
    },
    {
      "Ref": "AWS::AccountId"
    },
    "log-group:/aws/lambda/*"
  ]
]
With the join above you end up with the string arn:aws-us-gov:logs:*:*:*:us-east-1:0987654321:log-group:/aws/lambda/* instead of the expected arn:aws-us-gov:logs:us-east-1:0987654321:log-group:/aws/lambda/*
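The following is an added example, not code from the question or from the instance-scheduler project. It evaluates the two Fn::Join resources from the question offline (only Ref and Fn::Join are implemented, with assumed values for AWS::Region, AWS::AccountId and the log group name), shows the malformed ARN the posted join produces next to the fixed one, and lints a policy document for Logs ARNs that cannot match anything. Two caveats worth knowing: IAM may accept the malformed string without complaint, so the broken grant fails silently rather than at stack creation; and this join bug lives in the logs statement, so fixing it does not touch the S3 AccessDenied that failed the stack.

```python
import re

# Constructed pseudo-parameter values for a GovCloud stack. These are assumed
# for the example; the question does not state the real region or account.
PARAMS = {
    "AWS::Region": "us-gov-west-1",
    "AWS::AccountId": "123456789012",
    "SchedulerLogGroup": "instance-scheduler-logs",  # Ref on a log group yields its name
}

# The two Fn::Join resources from the question's SchedulerPolicy, as posted.
LOG_GROUP_JOIN = {"Fn::Join": [":", [
    "arn:aws-us-gov:logs:*:*:*", {"Ref": "AWS::Region"}, {"Ref": "AWS::AccountId"},
    "log-group", {"Ref": "SchedulerLogGroup"}, "*"]]}
LAMBDA_LOGS_JOIN = {"Fn::Join": [":", [
    "arn:aws-us-gov:logs:*:*:*", {"Ref": "AWS::Region"}, {"Ref": "AWS::AccountId"},
    "log-group:/aws/lambda/*"]]}

# The second join with the trailing ":*:*:*" removed, which is the fix the answer describes.
LAMBDA_LOGS_JOIN_FIXED = {"Fn::Join": [":", [
    "arn:aws-us-gov:logs", {"Ref": "AWS::Region"}, {"Ref": "AWS::AccountId"},
    "log-group:/aws/lambda/*"]]}

# Constructed policy document mirroring the question's two statements.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["logs:*"], "Resource": [LOG_GROUP_JOIN, LAMBDA_LOGS_JOIN]},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws-us-gov:s3:::*"]},
    ],
}


def resolve(node, params=PARAMS):
    """Evaluate the two intrinsics this policy uses (Ref and Fn::Join) offline."""
    if isinstance(node, str):
        return node
    if isinstance(node, dict) and len(node) == 1:
        (key, value), = node.items()
        if key == "Ref":
            return params[value]
        if key == "Fn::Join":
            delimiter, parts = value
            return delimiter.join(resolve(part, params) for part in parts)
    raise ValueError(f"unsupported node: {node!r}")


# arn:partition:service:region:account:resource, with the CloudWatch Logs
# resource shaped as log-group:<name> or log-group:<name>:*
LOGS_ARN = re.compile(
    r"^arn:(?P<partition>aws|aws-us-gov|aws-cn):logs:"
    r"(?P<region>\*|[a-z]{2}(?:-gov)?-[a-z]+-\d):"
    r"(?P<account>\*|\d{12}):"
    r"log-group:[^:]+(?::\*)?$"
)


def check_logs_arn(arn):
    """Return None for a well-formed Logs ARN, otherwise a short reason.
    Also flags an aws-us-gov partition paired with a non-GovCloud region,
    which IAM may accept but which can never match a real log group."""
    m = LOGS_ARN.match(arn)
    if not m:
        return "does not parse as arn:partition:logs:region:account:log-group:name"
    if m["partition"] == "aws-us-gov" and m["region"] != "*" and not m["region"].startswith("us-gov-"):
        return f"partition aws-us-gov with non-GovCloud region {m['region']}"
    return None


def lint_policy(policy, params=PARAMS):
    """Resolve every Resource of every statement; return (arn, reason) for the bad Logs ARNs."""
    problems = []
    for stmt in policy["Statement"]:
        resources = stmt.get("Resource", [])
        for res in resources if isinstance(resources, list) else [resources]:
            arn = resolve(res, params)
            if arn.split(":")[2:3] == ["logs"]:
                reason = check_logs_arn(arn)
                if reason:
                    problems.append((arn, reason))
    return problems


if __name__ == "__main__":
    for arn, reason in lint_policy(QUESTION_POLICY):
        print(f"BAD  {arn}\n     {reason}")
    print(f"OK   {resolve(LAMBDA_LOGS_JOIN_FIXED)}")
```

Run it as a script to see both posted joins flagged and the fixed ARN printed; point lint_policy at a policy document parsed from your own template (after resolving any other intrinsics it uses) to catch the same class of mistake before deploying.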
You don't have access to this s3 object because the code you are trying to use is the one shared in this issue: Does it support gov-Cloud? #11

"S3Key": "aws-instance-scheduler/v1.3.1/instance-scheduler.zip"

The object is no longer available:
$ curl -I https://aws-instance-scheduler.s3.amazonaws.com/v1.3.0/instance-scheduler.zip
HTTP/1.1 403 Forbidden
x-amz-request-id: 2663CDC7E74E1BE8
x-amz-id-2: GsWrKdNtOqqUdqR6wfWJ0pZGPqlhHD17rFvfCsqsQB09V+T3SGAc+V+HCTCIU8mj501Sbn4K7sA=
Content-Type: application/xml
Date: Tue, 16 Feb 2021 21:14:38 GMT
Server: AmazonS3
The error is the same:

Your access has been denied by S3, please make sure your request credentials have permission to GetObject for solutions-us-gov-west-1/aws-instance-scheduler/v1.3.1/instance-scheduler.zip.

If you somehow obtain the code and upload it to a bucket, you can update your function as follows:
{
  ..
    "MyFunction": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": BUCKETNAME,
          "S3Key": "aws-instance-scheduler/v1.3.1/instance-scheduler.zip"
        }
      }
    }
  }
}
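The following is an added example, not code from the answer or from the instance-scheduler project. It turns the answer's two steps into a pre-flight check: list every S3-backed Lambda code location in a template, HEAD the object the way the answer's curl -I does so a 403 or 404 is found before CloudFormation rolls back, and rewrite the code location to a bucket you control. The template, bucket name and key are constructed for the example (the bucket and key are the ones from the error message). One caveat the question's policy edits miss: the Lambda service fetches Code.S3Bucket/S3Key with the credentials of the principal creating the function (your user, or the CloudFormation service role), not with the function's execution role, so granting s3:* to SchedulerRole cannot fix this error. GovCloud buckets also live in a separate partition, so the HEAD must go to the regional endpoint rather than s3.amazonaws.com.

```python
import json
import urllib.error
import urllib.request

# Constructed template fragment mirroring the answer's MyFunction resource.
# Bucket and key are the ones named in the question's error message.
TEMPLATE = {
    "Resources": {
        "MyFunction": {
            "Type": "AWS::Lambda::Function",
            "Properties": {
                "Code": {
                    "S3Bucket": "solutions-us-gov-west-1",
                    "S3Key": "aws-instance-scheduler/v1.3.1/instance-scheduler.zip",
                }
            },
        }
    }
}


def code_locations(template):
    """Yield (logical_id, bucket, key) for every Lambda function whose code lives
    in S3. A bucket or key built with intrinsics (Ref, Fn::Join, ...) is reported
    as None so the caller knows it must be resolved before it can be checked."""
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Lambda::Function":
            continue
        code = res.get("Properties", {}).get("Code", {})
        if "S3Bucket" not in code:
            continue  # inline ZipFile code never touches S3
        bucket = code["S3Bucket"] if isinstance(code["S3Bucket"], str) else None
        key = code["S3Key"] if isinstance(code.get("S3Key"), str) else None
        yield logical_id, bucket, key


def classify_status(status):
    """What an anonymous HEAD status means for the deploy. S3 returns 403 for a
    private object and also for a missing one unless you hold s3:ListBucket,
    which is why the answer's curl shows 403 for an object that is simply gone."""
    return {200: "readable", 403: "denied or gone", 404: "missing"}.get(status, f"unexpected {status}")


def head_object(bucket, key, endpoint="s3.amazonaws.com", timeout=5):
    """Anonymous HEAD on the virtual-hosted URL, equivalent to the answer's
    curl -I. Use endpoint="s3.us-gov-west-1.amazonaws.com" for GovCloud buckets;
    the aws-us-gov partition is not reachable through the commercial endpoint."""
    req = urllib.request.Request(f"https://{bucket}.{endpoint}/{key}", method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def relocate_code(template, bucket, prefix=""):
    """Return a copy of the template with every S3-backed Lambda pointed at a
    bucket you control (optionally under a key prefix), plus the changed
    logical IDs. This is the answer's S3Bucket edit applied to a whole template."""
    new = json.loads(json.dumps(template))  # deep copy; the input is left untouched
    changed = []
    for logical_id, _old_bucket, key in code_locations(new):
        code = new["Resources"][logical_id]["Properties"]["Code"]
        code["S3Bucket"] = bucket
        if key is not None and prefix:
            code["S3Key"] = f"{prefix.rstrip('/')}/{key}"
        changed.append(logical_id)
    return new, changed


if __name__ == "__main__":
    for logical_id, bucket, key in code_locations(TEMPLATE):
        if bucket is None or key is None:
            print(f"{logical_id}: code location uses intrinsics, resolve it first")
            continue
        status = head_object(bucket, key, endpoint="s3.us-gov-west-1.amazonaws.com")
        print(f"{logical_id}: s3://{bucket}/{key} -> {status} ({classify_status(status)})")
```

Run the script against a template you have loaded with json.load to find out whether the code objects are reachable before you hand the stack to Terraform; when a HEAD comes back 403, upload the zip to your own bucket and feed the template through relocate_code.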