我正在使用 boto3 为 s3 创建一个预先签名的帖子 url。
s3 = boto3.client('s3')
post = s3.generate_presigned_post(
Bucket=bucket_name,
Key=f"{userid}.{suffix}"
)
aws_access_key_id使用的是不正确的,使用正确的方法之一是通过环境变量添加环境变量。知道如何使用我在 IAM 中创建的用户定义的 aws 访问 key 来强制执行吗?
更新 1
附加到执行 lambda 的 IAM 角色的策略
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:*"
],
"Resource": "arn:aws:logs:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"xray:PutTraceSegments",
"xray:PutTelemetryRecords"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:AttachNetworkInterface",
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface",
"ec2:DescribeInstances",
"ec2:DescribeNetworkInterfaces",
"ec2:DetachNetworkInterface",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ResetNetworkInterfaceAttribute"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"kinesis:*"
],
"Resource": "arn:aws:kinesis:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"sns:*"
],
"Resource": "arn:aws:sns:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"sqs:*"
],
"Resource": "arn:aws:sqs:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"dynamodb:*"
],
"Resource": "arn:aws:dynamodb:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"route53:*"
],
"Resource": "*"
}
]
}
更新 2
在 IAM 中的角色
Lambda 配置中的角色配置
最佳答案
您不应将 IAM 用户用于 lambda 中的任何类型的执行权限。相反,使用附加了适当策略的 IAM 角色和 attach that role to your Lambda function .
另请注意,一旦配置了角色,访问 id 和 secret 将被 lambda 自动设置为环境变量,Boto 将在没有任何额外配置的情况下检索它们。
关于amazon-web-services - aws lambda 环境中的 aws_access_key_id,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/47636528/