lambda 无法访问受云端限制的 s3 存储桶
lambda cannot access to s3 bucket restricted by cloudfront
我有一个 s3 存储桶作为云端的来源。该存储桶已阻止所有 public 访问。我创建了一个下载、处理和上传 s3 对象的 lambda 函数。我为 lambda 创建了一个角色并添加了一个非 public 策略,根据亚马逊资源 public 的含义。这是策略
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "S3LambdaAccessObject",
"Effect": "Allow",
"Action": "s3:*Object",
"Resource": "arn:aws:s3:::XXXXXXXXXXXXX-dev-videos-origin/*",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:lambda:us-east-1:XXXXXXXXXXXXX:function:YYYYYYYYYYYY_conversor"
}
}
},
{
"Sid": "S3LambdaListBucket",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::XXXXXXXXXXXXX-dev-videos-origin",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:lambda:us-east-1:XXXXXXXXXXXXX:function:YYYYYYYYYYY_conversor"
}
}
}
但是,当我尝试通过 sdk 下载和上传文件到 s3 时,我收到访问被拒绝的代码。
我什至已经将 lamnda 添加到 s3 策略中,但仍然没有结果:
{
"Version": "2012-10-17",
"Id": "aws_iam_policy_document_origin",
"Statement": [
{
"Sid": "S3GetObjectForCloudFront",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::XXXXXXXXXXX-origin/*"
},
{
"Sid": "S3ListBucketForCloudFront",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::XXXXXXXXXXX-origin"
},
{
"Sid": "S3PutObjectForCloudFront",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"
},
"Action": [
"s3:PutObjectVersionAcl",
"s3:PutObjectAcl",
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::XXXXXXXXXXX-origin/private/*"
},
{
"Sid": "S3LambdaAccessObject",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:*Object",
"Resource": "arn:aws:s3:::XXXXXXXXXXX-origin/*",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:lambda:us-east-1:YYYYYYYYYYY:function:XXXXXXXXXXX"
}
}
},
{
"Sid": "S3LambdaListBucket",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::XXXXXXXXXXX-origin",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:lambda:us-east-1:YYYYYYYYYYY:function:XXXXXXXXXXX"
}
}
}
]
}
]
}
如果删除 public 访问阻止,lambda 工作正常。我做错了什么?
Lambda 函数 Arn 的白名单将不起作用,因为 Lambda 函数使用其 Lambda 角色进行连接以执行任何这些交互。
相反,您需要 whitelist the IAM role 您的 Lambda 已附加到它。这是通过使用 IAM 角色 Arn 的委托人完成的。
您仍然需要确保 IAM 角色包含额外访问 S3 所需的权限。
问题是我正在测试的代码尝试使用 public ACL 策略上传文件,但 s3 拒绝了,所有 public 访问被阻止。阻止还阻止任何帐户或服务更新此存储桶或对象的非 public 策略:https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html
我有一个 s3 存储桶作为云端的来源。该存储桶已阻止所有 public 访问。我创建了一个下载、处理和上传 s3 对象的 lambda 函数。我为 lambda 创建了一个角色并添加了一个非 public 策略,根据亚马逊资源 public 的含义。这是策略
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "S3LambdaAccessObject",
"Effect": "Allow",
"Action": "s3:*Object",
"Resource": "arn:aws:s3:::XXXXXXXXXXXXX-dev-videos-origin/*",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:lambda:us-east-1:XXXXXXXXXXXXX:function:YYYYYYYYYYYY_conversor"
}
}
},
{
"Sid": "S3LambdaListBucket",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::XXXXXXXXXXXXX-dev-videos-origin",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:lambda:us-east-1:XXXXXXXXXXXXX:function:YYYYYYYYYYY_conversor"
}
}
}
但是,当我尝试通过 sdk 下载和上传文件到 s3 时,我收到访问被拒绝的代码。 我什至已经将 lamnda 添加到 s3 策略中,但仍然没有结果:
{
"Version": "2012-10-17",
"Id": "aws_iam_policy_document_origin",
"Statement": [
{
"Sid": "S3GetObjectForCloudFront",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::XXXXXXXXXXX-origin/*"
},
{
"Sid": "S3ListBucketForCloudFront",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::XXXXXXXXXXX-origin"
},
{
"Sid": "S3PutObjectForCloudFront",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"
},
"Action": [
"s3:PutObjectVersionAcl",
"s3:PutObjectAcl",
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::XXXXXXXXXXX-origin/private/*"
},
{
"Sid": "S3LambdaAccessObject",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:*Object",
"Resource": "arn:aws:s3:::XXXXXXXXXXX-origin/*",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:lambda:us-east-1:YYYYYYYYYYY:function:XXXXXXXXXXX"
}
}
},
{
"Sid": "S3LambdaListBucket",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::XXXXXXXXXXX-origin",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:lambda:us-east-1:YYYYYYYYYYY:function:XXXXXXXXXXX"
}
}
}
]
}
]
}
如果删除 public 访问阻止,lambda 工作正常。我做错了什么?
Lambda 函数 Arn 的白名单将不起作用,因为 Lambda 函数使用其 Lambda 角色进行连接以执行任何这些交互。
相反,您需要 whitelist the IAM role 您的 Lambda 已附加到它。这是通过使用 IAM 角色 Arn 的委托人完成的。
您仍然需要确保 IAM 角色包含额外访问 S3 所需的权限。
问题是我正在测试的代码尝试使用 public ACL 策略上传文件,但 s3 拒绝了,所有 public 访问被阻止。阻止还阻止任何帐户或服务更新此存储桶或对象的非 public 策略:https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html