Error creating an S3 bucket with the Serverless Framework:
Error:
CREATE_FAILED: filesBucketPolicy (AWS::S3::BucketPolicy)
API: s3:PutBucketPolicy Access Denied
View the full error: https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stack/detail?stackId=arn%3Aaws%3Acloudformation%3Aus-east-1%3A429622143498%3Astack%2Fmy-store-files-s3-serverless-dev%2Ff12946d0-ec01-11ed-9b7d-0eca31e3dbdd
My environment:
Environment: darwin, node 18.12.1, framework 3.30.1, plugin 6.2.3, SDK 4.3.2
Credentials: Local, "default" profile
Docs: docs.serverless.com
Support: forum.serverless.com
Bugs: github.com/serverless/serverless/issues
My serverless.yml is:
```yaml
service: my-store-files-s3-serverless
frameworkVersion: '3'
provider:
  name: aws
  runtime: nodejs18.x
  iamRoleStatements:
    - Effect: Allow
      Action:
        - s3:PutObject
        - s3:PutObjectAcl
      Resource: arn:aws:s3:::my-store-files-bucket/*
functions:
  api:
    handler: index.handler
    events:
      - httpApi:
          path: /
          method: get
resources:
  Resources:
    filesBucket:
      Type: AWS::S3::Bucket
      DeletionPolicy: Delete
      Properties:
        BucketName: my-store-files-bucket
        AccessControl: Private
    filesBucketPolicy:
      Type: AWS::S3::BucketPolicy
      Properties:
        PolicyDocument:
          Statement:
            - Effect: Allow
              Action:
                - s3:GetObject
              Resource: arn:aws:s3:::my-store-files-bucket/*
              Principal: "*"
        Bucket:
          Ref: filesBucket
```
I configured Serverless with the credentials of an IAM user that has the administrator access policy.
How can I fix this?
What I expected: the bucket is created in S3.
What I got:
Error:
CREATE_FAILED: filesBucketPolicy (AWS::S3::BucketPolicy)
API: s3:PutBucketPolicy Access Denied
The iamRoleStatements under provider apply to the Lambda functions; see: IAM permissions for functions.
CloudFormation does not seem to have permission to set S3 resource-level policies.
Because of some recent changes, it seems we have to add more lines to make this work. See the working example shown below.
```yaml
resources:
  Resources:
    ImagesBucket:
      Type: AWS::S3::Bucket
      Properties:
        BucketName: ${self:service}-s3-${sls:stage}
        # Granting public access to bucket
        PublicAccessBlockConfiguration:
          BlockPublicAcls: false
          BlockPublicPolicy: false
          IgnorePublicAcls: false
          RestrictPublicBuckets: false
    ImagesBucketAllowPublicReadPolicy:
      Type: AWS::S3::BucketPolicy
      Properties:
        Bucket: !Ref ImagesBucket
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Sid: AllowPublicReadAccess
              Effect: Allow
              Action:
                - "s3:GetObject"
              Resource:
                - !Join ['/', [!GetAtt [ImagesBucket, Arn], '*']]
              Principal: "*"
              Condition:
                Bool:
                  aws:SecureTransport: 'true'
```
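The answer above works because the bucket's PublicAccessBlockConfiguration turns off BlockPublicPolicy, which is what rejects a bucket policy with `Principal: "*"` and surfaces as the PutBucketPolicy Access Denied in the question. The following pre-deploy check is an added example (not code from the question, the answer, or the Serverless Framework); it assumes the `resources.Resources` map of the template has already been parsed into Python dicts, with `!Ref X` represented as `{"Ref": "X"}`, and the sample template below is constructed from the question.

```python
# Added pre-deploy check, not code from the question or answer. Input: the
# "Resources" map of a serverless.yml parsed into dicts (!Ref as {"Ref": id}).
# It predicts whether a BucketPolicy with a public principal will be rejected
# by S3 Block Public Access, the cause of "s3:PutBucketPolicy Access Denied".

def _is_public(statement):
    """Allow + Principal "*" (or {"AWS": "*"}) is a public statement;
    a Condition such as aws:SecureTransport does not change that."""
    if statement.get("Effect") != "Allow":
        return False
    principal = statement.get("Principal")
    if isinstance(principal, dict):
        principal = principal.get("AWS")
    return principal == "*" or (isinstance(principal, list) and "*" in principal)

def check_bucket_policies(resources):
    """Map each BucketPolicy logical id to 'ok', 'fail: ...' or 'warn: ...'."""
    verdicts = {}
    for pol_id, res in resources.items():
        if res.get("Type") != "AWS::S3::BucketPolicy":
            continue
        props = res.get("Properties", {})
        stmts = props.get("PolicyDocument", {}).get("Statement", [])
        stmts = [stmts] if isinstance(stmts, dict) else stmts
        if not any(_is_public(s) for s in stmts):
            verdicts[pol_id] = "ok"
            continue
        ref = props.get("Bucket")  # {"Ref": id} from !Ref, or a literal name
        bucket = resources.get(ref["Ref"] if isinstance(ref, dict) else ref, {})
        pab = bucket.get("Properties", {}).get("PublicAccessBlockConfiguration", {})
        # New buckets get Block Public Access on by default, so a missing setting
        # acts like BlockPublicPolicy: true. Account-level block settings are not
        # visible in the template and can still reject the call.
        if pab.get("BlockPublicPolicy", True):
            verdicts[pol_id] = "fail: BlockPublicPolicy rejects PutBucketPolicy"
        else:
            verdicts[pol_id] = "warn: policy intentionally grants public read"
    return verdicts

# Constructed sample: the question's template, which has no
# PublicAccessBlockConfiguration and therefore fails to deploy.
QUESTION_RESOURCES = {
    "filesBucket": {"Type": "AWS::S3::Bucket",
                    "Properties": {"BucketName": "my-store-files-bucket"}},
    "filesBucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
        "Bucket": {"Ref": "filesBucket"},
        "PolicyDocument": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::my-store-files-bucket/*", "Principal": "*"}]}}},
}
```

Running `check_bucket_policies(QUESTION_RESOURCES)` reports the failure before `sls deploy` is attempted; once the bucket carries `BlockPublicPolicy: false` the same policy is reported as a deliberate public-read grant that a reviewer should sign off on.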