I have a Lambda function with the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket/*"
      ],
      "Effect": "Allow"
    }
  ]
}
When I call listObjectsV2 there is no problem, but when I try to call the upload method I get ERROR AccessDenied: Access Denied.
Here is my code:
const addImage = (name, image) => {
  name = `${Image.getPrefix()}/${name}.${crypto.randomBytes(3).toString('hex')}.${image.originalname.split('.').pop()}`;
  return s3.upload({
    Bucket: process.env.S3_BUCKET_IMAGE,
    ACL: 'public-read',
    Body: image.buffer,
    Key: name
  }).promise()
    .then(result => new Image(result));
};
Answer 1
I found the solution.
With Lambda you also have to add a policy on the bucket:
https://aws.amazon.com/fr/premiumsupport/knowledge-center/access-denied-lambda-s3-bucket/
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AccountA:role/AccountARole"
      },
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::AccountBBucketName/*"
      ]
    }
  ]
}
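An added example (not code from the question or the answer): a simplified check, in the question's Node.js, of which S3 actions an upload needs against what an identity policy allows. It assumes that an upload with `ACL` set needs `s3:PutObjectAcl` in addition to `s3:PutObject`; the helper names and the sample key are hypothetical, and only `Allow` statements are evaluated.

```javascript
// Added example. Simplified: evaluates Allow statements only (no Deny,
// Condition, NotAction or bucket policy). Helper names are hypothetical.
const toArray = (v) => (Array.isArray(v) ? v : [v]);

// IAM wildcards: '*' matches any run of characters, '?' exactly one.
const wildcardMatch = (pattern, value, ignoreCase = false) => {
  const source = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${source}$`, ignoreCase ? 'i' : '').test(value);
};

// Actions the upload needs: setting ACL adds s3:PutObjectAcl.
const requiredActions = (params) =>
  params.ACL ? ['s3:PutObject', 's3:PutObjectAcl'] : ['s3:PutObject'];

// Returns the required actions that no Allow statement covers.
const missingActions = (policy, params) => {
  const resource = `arn:aws:s3:::${params.Bucket}/${params.Key}`;
  const allows = (action) =>
    toArray(policy.Statement).some(
      (st) =>
        st.Effect === 'Allow' &&
        toArray(st.Action).some((a) => wildcardMatch(a, action, true)) &&
        toArray(st.Resource).some((r) => wildcardMatch(r, resource))
    );
  return requiredActions(params).filter((action) => !allows(action));
};

// Object-level statement from the question's role policy.
const questionPolicy = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Action: ['s3:GetObject', 's3:PutObject', 's3:DeleteObject'],
    Resource: ['arn:aws:s3:::my-bucket/*'],
  }],
};
// Same policy with s3:PutObjectAcl added to the statement.
const fixedPolicy = JSON.parse(JSON.stringify(questionPolicy));
fixedPolicy.Statement[0].Action.push('s3:PutObjectAcl');

// Constructed upload parameters shaped like the question's addImage call.
const uploadParams = { Bucket: 'my-bucket', ACL: 'public-read', Key: 'images/cat.a1b2c3.png' };

console.log(missingActions(questionPolicy, uploadParams));
console.log(missingActions(fixedPolicy, uploadParams));
```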