1. 技术文章
  2. S3 Policy to Allow Lambda

S3 Policy to Allow Lambda

久未见 提交于 2019-12-20 12:21:56

问题


I have the following policy on an S3 bucket created with the AWS policy generator to allow a lambda, running with a specific role, access to the files in the bucket. However, when I execute the Lambda, I get 403 permission denied:

"errorMessage": "Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: <requestId>)",
  "errorType": "com.amazonaws.services.s3.model.AmazonS3Exception",

The Policy on the S3 bucket:

{
"Version": "2012-10-17",
"Id": "Policy<number>",
"Statement": [
    {
        "Sid": "Stmt<number>",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::<account>:role/<roleName>"
        },
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::<bucketName>/*"
    }
]
}

What is wrong with the policy? The Lamba is running with the role configured in the policy.


回答1:


A role assigned to an AWS Lambda function should be created an an AWS Lambda role (selected when creating a Role in the IAM console).

Roles do not have a Principal since the permissions are assigned to whichever service (in this case, Lambda function) is using the role.

Also, you should assign permissions on the bucket itself (eg to list contents) and on the contents of the bucket (eg to GetObject).

It would be something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowS3Access",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123XXX:role/service-role/LAMBDA_ROLE_NAME"
            },
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
            ]
        }
    ]
}



回答2:


After looping for I while i could make it work, the process is:

  1. create the s3 bucket.
  2. create the IAM policy (bucket name needed)
  3. Create IAM role (IAM policy needed)
  4. Create lambda Function (IAM Role needed)
  5. Create s3 bucket policy (lambda function name needed)

IAM Policy:

 {
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "Stmt*******",
        "Effect": "Allow",
        "Action": [
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:PutObjectTagging",
            "s3:PutObjectVersionAcl",
            "s3:PutObjectVersionTagging"
        ],
        "Resource": [
            "arn:aws:s3:::<bucket-name>"
        ]
    }
]
}

and I use this policy on the s3 Bucket

{
"Id": "Policy************",
"Version": "2012-10-17",
"Statement": [
{
  "Sid": "Stmt********",
  "Action": [
    "s3:PutObject",
    "s3:PutObjectAcl",
    "s3:PutObjectTagging",
    "s3:PutObjectVersionAcl",
    "s3:PutObjectVersionTagging"
  ],
  "Effect": "Allow",
  "Resource": "arn:aws:s3:::<bucket-name>/*",
  "Principal": {
    "AWS": [
      "arn:aws:iam::*********:role/<lambda-function-name>"
          ]
          }
        }
     ]
}


来源:https://stackoverflow.com/questions/45282492/s3-policy-to-allow-lambda

标签
amazon-web-services
amazon-s3
aws-lambda
aws-sdk
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!