如何解决设置ACL字段时,AWS Lambda s3.putObject引发访问被拒绝
更新:找到了答案,谢谢。
我正在设置一个lambda,它会定期获取一些数据,进行一些处理并将文件保存到s3。
这是功能:
exports.handler = async function(event,context) {
const data = await fetchXlsx();
const uploaded = s3.putObject({
Bucket: 'my-bucket',Key: 'current.json',ACL: 'public-read',// Works fine without this line
ContentType: 'application/json',Body: JSON.stringify(data)
}).promise()
return uploaded
}
这是执行角色附带的策略:
{
"Version": "2012-10-17","Statement": [
{
"Sid": "VisualEditor0","Effect": "Allow","Action": [
"s3:PutObject","s3:GetObject","s3:PutObjectAcl"
],"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}
如果我注释掉ACL
属性,但是上面的代码可以正常工作,但是该文件不是公开的,因此我需要这样。
按原样运行代码,它会拒绝访问:
{
"errorType": "AccessDenied","errorMessage": "Access Denied","trace": [
"AccessDenied: Access Denied"," at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/services/s3.js:831:35)"," at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)"," at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)"," at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:688:14)"," at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)"," at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)"," at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10"," at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)"," at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:690:12)"," at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18)"
]
}
我尝试了多种设置策略的方法,包括尝试使其尽可能地被允许:
{
"Version": "2012-10-17","Action": [
"s3:*"
],"Resource": "*"
}
]
}
但这没用。
在存储桶方面,除了将Block all public access
设置为 off 之外,我没有发现其他任何麻烦的设置,但这也无济于事。
TLDR;我可以将文件从Lambda上传到S3,但是如何将其公开?
解决方法
找到答案:
在存储桶方面,除了将“禁止所有公共访问”设置为“关闭”之外,我没有发现其他设置有任何麻烦之处。
我需要在 帐户和存储桶设置中都取消阻止公共访问。
这是目前两者的设置方式:
Block all public access
Off
Block public access to buckets and objects granted through new access control lists (ACLs)
Off
Block public access to buckets and objects granted through any access control lists (ACLs)
Off
Block public access to buckets and objects granted through new public bucket or access point policies
On
Block public and cross-account access to buckets and objects through any public bucket or access point policies
On
这符合原始策略(问题中的第二个代码块)的作用。
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。