1

更新:找到答案,谢谢。

我正在设置一个 lambda,它会定期获取一些数据,进行一些处理并将文件保存到 s3。

这是功能:

exports.handler = async function(event, context) {

  const data = await fetchXlsx();

  const uploaded = s3.putObject({
    Bucket: 'my-bucket',
    Key: 'current.json',
    ACL: 'public-read', // Works fine without this line
    ContentType: 'application/json',
    Body: JSON.stringify(data)
  }).promise()
  return uploaded
}

这是附加到执行角色的策略:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::my-bucket/*"
        }
    ]
}

如果我注释掉该ACL属性,上面的代码可以正常工作,但是文件不是公开的,我需要它是公开的。

按原样运行代码,它会抛出拒绝访问:

{
  "errorType": "AccessDenied",
  "errorMessage": "Access Denied",
  "trace": [
    "AccessDenied: Access Denied",
    "    at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/services/s3.js:831:35)",
    "    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)",
    "    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)",
    "    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:688:14)",
    "    at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)",
    "    at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)",
    "    at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10",
    "    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)",
    "    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:690:12)",
    "    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18)"
  ]
}

我尝试以许多不同的方式设置策略,包括尝试使其尽可能允许:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": "*"
        }
    ]
}

但这没有用。

在存储桶方面,除了设置Block all public access关闭之外,我还没有发现任何可以搞乱的设置,但这也无济于事。

TLDR;我可以将文件从 Lambda 上传到 S3,但如何将其公开?

4

1 回答 1

2

找到了答案:

在存储桶方面,除了将 Block all public access 设置为 off 之外,我还没有找到任何需要处理的设置,但这也无济于事。

我需要在帐户存储桶设置中取消阻止公共访问。

这是当前为两者设置的方式:

Block all public access
Off
Block public access to buckets and objects granted through new access control lists (ACLs)
Off
Block public access to buckets and objects granted through any access control lists (ACLs)
Off
Block public access to buckets and objects granted through new public bucket or access point policies
On
Block public and cross-account access to buckets and objects through any public bucket or access point policies
On

这适用于原始政策(问题中的第二个代码块)。

于 2020-09-08T07:48:13.003 回答