Update: found the answer, thanks.

I'm setting up a Lambda that periodically fetches some data, does some processing and saves a file to S3.

Here's the function:
const AWS = require('aws-sdk'); // added: the v2 SDK bundled in the Lambda runtime (see the trace paths below)
const s3 = new AWS.S3();        // added: the client the handler uses

// fetchXlsx() is the poster's own fetch routine and is not shown in the post.
exports.handler = async function(event, context) {
    const data = await fetchXlsx();
    const uploaded = s3.putObject({
        Bucket: 'my-bucket',
        Key: 'current.json',
        ACL: 'public-read', // Works fine without this line
        ContentType: 'application/json',
        Body: JSON.stringify(data)
    }).promise();
    return uploaded;
}
Here's the policy attached to the execution role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::my-bucket/*"
        }
    ]
}
If I comment out the ACL property, the code above works fine, but the file isn't public, and I need it to be public.

Running the code as-is, it throws Access Denied:
{
    "errorType": "AccessDenied",
    "errorMessage": "Access Denied",
    "trace": [
        "AccessDenied: Access Denied",
        "    at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/services/s3.js:831:35)",
        "    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)",
        "    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)",
        "    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:688:14)",
        "    at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)",
        "    at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)",
        "    at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10",
        "    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)",
        "    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:690:12)",
        "    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18)"
    ]
}
I've tried setting up the policy in many different ways, including making it as permissive as possible:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": "*"
        }
    ]
}
But that didn't work.

On the bucket side, other than turning Block all public access off, I haven't found any settings to fiddle with, and that didn't help either.

TL;DR: I can upload a file from Lambda to S3, but how do I make it public?
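Added example, not code from the post or its answer: a simplified identity-policy evaluator run over the two policies quoted above. It shows that both grant s3:PutObject and s3:PutObjectAcl on the object key, so the execution role's policy is not what produces the AccessDenied, and the remaining causes lie outside IAM identity policies (the bucket-side settings the post mentions). It models only Effect, Action and Resource; Condition, NotAction, bucket policies and Block Public Access itself are assumptions left out.

```javascript
// Added example (not the poster's code): a minimal evaluator for identity-based
// IAM policies, enough to show that both policies in the question grant
// s3:PutObjectAcl on the object. Only Effect, Action and Resource are modelled;
// Condition, NotAction, bucket policies and S3 Block Public Access are not.
// Turn an IAM wildcard pattern ("s3:*", "arn:aws:s3:::my-bucket/*") into a RegExp.
// Action names are case-insensitive in IAM; resource ARNs are not.
function iamPattern(pattern, caseInsensitive) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters
    .replace(/\*/g, '.*')                 // IAM "*" matches any run of characters
    .replace(/\?/g, '.');                 // IAM "?" matches exactly one character
  return new RegExp('^' + escaped + '$', caseInsensitive ? 'i' : '');
}

const asArray = v => (Array.isArray(v) ? v : [v]);

// Result for one action/resource pair: 'Allow', 'Deny' (explicit) or 'ImplicitDeny'.
function evaluate(policy, action, resourceArn) {
  let allowed = false;
  for (const stmt of policy.Statement) {
    const actionHit = asArray(stmt.Action).some(a => iamPattern(a, true).test(action));
    const resourceHit = asArray(stmt.Resource).some(r => iamPattern(r, false).test(resourceArn));
    if (!actionHit || !resourceHit) continue;
    if (stmt.Effect === 'Deny') return 'Deny'; // an explicit deny always wins
    if (stmt.Effect === 'Allow') allowed = true;
  }
  return allowed ? 'Allow' : 'ImplicitDeny';
}

// The two policies from the question, verbatim apart from formatting.
const rolePolicy = {
  Version: '2012-10-17',
  Statement: [{ Sid: 'VisualEditor0', Effect: 'Allow',
    Action: ['s3:PutObject', 's3:GetObject', 's3:PutObjectAcl'],
    Resource: 'arn:aws:s3:::my-bucket/*' }],
};
const wideOpenPolicy = {
  Version: '2012-10-17',
  Statement: [{ Sid: 'VisualEditor0', Effect: 'Allow', Action: ['s3:*'], Resource: '*' }],
};

// putObject with ACL: 'public-read' needs both actions on the object key.
const OBJECT_ARN = 'arn:aws:s3:::my-bucket/current.json';
function checkPublicPut(policy) {
  return Object.fromEntries(
    ['s3:PutObject', 's3:PutObjectAcl'].map(a => [a, evaluate(policy, a, OBJECT_ARN)]));
}

console.log(checkPublicPut(rolePolicy), checkPublicPut(wideOpenPolicy));
```

Both calls report Allow for both actions, which is the evaluator's way of saying the role policy has already been ruled out as the cause.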