amazon-web-services - lambda 无法访问受云端限制的 s3 存储桶

Question

我有一个 s3 存储桶作为云端的来源。存储桶已阻止所有公共(public)访问。我创建了一个下载、处理和上传 s3 对象的 lambda 函数。根据亚马逊资源公共(public)的含义，我为 lambda 创建了一个角色并添加了一个非公共(public)政策。这是政策

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3LambdaAccessObject",
            "Effect": "Allow",
            "Action": "s3:*Object",
            "Resource": "arn:aws:s3:::XXXXXXXXXXXXX-dev-videos-origin/*",
            "Condition": {
                "ArnEquals": {
                    "aws:SourceArn": "arn:aws:lambda:us-east-1:XXXXXXXXXXXXX:function:YYYYYYYYYYYY_conversor"
                }
            }
        },
        {
            "Sid": "S3LambdaListBucket",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::XXXXXXXXXXXXX-dev-videos-origin",
            "Condition": {
                "ArnEquals": {
                    "aws:SourceArn": "arn:aws:lambda:us-east-1:XXXXXXXXXXXXX:function:YYYYYYYYYYY_conversor"
                }
            }
        }

但是，当我尝试通过 sdk 下载文件并将其上传到 s3 时，我收到了访问被拒绝的代码。 我什至已经将 lamnda 添加到 s3 策略中，但仍然没有结果:

{
    "Version": "2012-10-17",
    "Id": "aws_iam_policy_document_origin",
    "Statement": [
        {
            "Sid": "S3GetObjectForCloudFront",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::XXXXXXXXXXX-origin/*"
        },
        {
            "Sid": "S3ListBucketForCloudFront",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::XXXXXXXXXXX-origin"
        },
        {
            "Sid": "S3PutObjectForCloudFront",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"
            },
            "Action": [
                "s3:PutObjectVersionAcl",
                "s3:PutObjectAcl",
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::XXXXXXXXXXX-origin/private/*"
        },
        {
            "Sid": "S3LambdaAccessObject",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*Object",
            "Resource": "arn:aws:s3:::XXXXXXXXXXX-origin/*",
            "Condition": {
                "ArnEquals": {
                    "aws:SourceArn": "arn:aws:lambda:us-east-1:YYYYYYYYYYY:function:XXXXXXXXXXX"
                }
            }
        },
        {
            "Sid": "S3LambdaListBucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::XXXXXXXXXXX-origin",
            "Condition": {
                "ArnEquals": {
                    "aws:SourceArn": "arn:aws:lambda:us-east-1:YYYYYYYYYYY:function:XXXXXXXXXXX"
                }
            }
        }
    ]
}
    ]
}

如果公共(public)访问阻止被移除，lambda 就可以正常工作。我做错了什么？

Answer 1

Lambda 函数 Arn 的白名单将不起作用，因为 Lambda 函数使用其 Lambda 角色进行连接以执行任何这些交互。

相反，您需要 whitelist the IAM role您的 Lambda 已附加到它。这是通过使用 IAM 角色 Arn 的委托(delegate)人完成的。

您仍然需要确保 IAM 角色包含额外访问 S3 所需的权限。