This is driving me crazy. I have a Lambda function. It has a policy attached to its service role (let's call it `lambda-func-service-role`) that allows uploading to a bucket:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::mybucket/sub/path/*",
            "Effect": "Allow"
        }
    ]
}
```
When I try to upload a file from inside the Lambda function, I get the following error:

```
S3UploadFailedError: Failed to upload /tmp/image_cropped.png to bucket/sub/path/view.png: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
```

Traceback

The code that performs the upload is:

```python
import boto3

s3_client = boto3.client(
    "s3"
)
s3_client.upload_file(filename, bucket, object_name)
```
...but... if I set up a Jupyter notebook and assume the Lambda function's role, I can upload the file just fine:

```python
import boto3

client = boto3.client('sts',
    aws_access_key_id=...,
    aws_secret_access_key=...
)
role = client.assume_role(
    RoleArn='arn:aws:iam::12345678:role/lambda-func-service-role',
    RoleSessionName='notebook'
)
s3 = boto3.client('s3',
    aws_access_key_id=role['Credentials']['AccessKeyId'],
    aws_secret_access_key=role['Credentials']['SecretAccessKey'],
    aws_session_token=role['Credentials']['SessionToken'])
s3.upload_file(filename, bucket, object_name)
```

Any idea what I might be doing wrong?
For Lambda to assume your execution role correctly, the role's trust policy must specify the Lambda service principal (`lambda.amazonaws.com`) as a trusted service.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```
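As an added example (not code from either post): an offline sanity check of the two policies quoted above. It flags S3 statements where a bucket-level action such as `s3:ListBucket` is granted on an object path (or an object-level action on a bare bucket ARN) and confirms that the trust policy names `lambda.amazonaws.com`; the small action table it relies on is an assumption that covers only the actions seen on this page.

```python
import json

# Both policies are copied from the question and the answer above.
EXECUTION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": ["s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl"],
    "Resource": "arn:aws:s3:::mybucket/sub/path/*",
    "Effect": "Allow"}]}""")
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "lambda.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}""")

S3_PREFIX = "arn:aws:s3:::"
# S3 evaluates these against the bucket ARN (no "/key" part); PutObject,
# PutObjectAcl, GetObject etc. are evaluated against an object ARN. (Assumed subset.)
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_object_arn(arn):
    """True for arn:aws:s3:::bucket/key-or-prefix, False for a bare bucket ARN."""
    return "/" in arn[len(S3_PREFIX):]

def find_policy_problems(policy):
    """Report Allow grants whose S3 action level (bucket vs object) mismatches the resource."""
    problems = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            for res in _as_list(stmt["Resource"]):
                if not (action.startswith("s3:") and res.startswith(S3_PREFIX)) or action.endswith("*"):
                    continue  # wildcards and non-S3 grants are out of scope for this check
                bucket_level = action in BUCKET_LEVEL_ACTIONS
                if bucket_level and is_object_arn(res):
                    problems.append(f"{action} needs the bucket ARN, got {res}")
                elif not bucket_level and not is_object_arn(res):
                    problems.append(f"{action} needs an object ARN, got {res}")
    return problems

def trusts_lambda(trust_policy):
    """True if the role's trust policy lets lambda.amazonaws.com call sts:AssumeRole."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        if "lambda.amazonaws.com" in _as_list(stmt.get("Principal", {}).get("Service", [])):
            return True
    return False
```

On the question's policy this reports the `s3:ListBucket` line, which affects listing only; the denied `PutObject` call does match its object ARN, so the next step inside the function would be logging `sts.get_caller_identity()` to confirm which role the Lambda actually runs as.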