无服务器框架:CREATE_FAILED:filesBucketPolicy(AWS::S3::BucketPolicy)API:s3:PutBucketPolicy 访问被拒绝

问题描述 投票:0回答:2

使用无服务器框架创建S3存储桶出现错误:

Error:
CREATE_FAILED: filesBucketPolicy (AWS::S3::BucketPolicy)
API: s3:PutBucketPolicy Access Denied

View the full error: https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stack/detail?stackId=arn%3Aaws%3Acloudformation%3Aus-east-1%3A429622143498%3Astack%2Fmy-store-files-s3-serverless-dev%2Ff12946d0-ec01-11ed-9b7d-0eca31e3dbdd

我的环境:

Environment: darwin, node 18.12.1, framework 3.30.1, plugin 6.2.3, SDK 4.3.2
Credentials: Local, "default" profile
Docs:        docs.serverless.com
Support:     forum.serverless.com
Bugs:        github.com/serverless/serverless/issues

我的

serverless.yml
代码是:

service: my-store-files-s3-serverless
frameworkVersion: '3'

provider:
  name: aws
  runtime: nodejs18.x

  iamRoleStatements:
    - Effect: Allow
      Action:
        - s3:PutObject
        - s3:PutObjectAcl
      Resource: arn:aws:s3:::my-store-files-bucket/*


functions:
  api:
    handler: index.handler
    events:
      - httpApi:
          path: /
          method: get

resources:
  Resources:
    filesBucket:
      Type: AWS::S3::Bucket
      DeletionPolicy: Delete
      Properties:
        BucketName: my-store-files-bucket
        AccessControl: Private
    filesBucketPolicy:
      Type: AWS::S3::BucketPolicy
      Properties:
        PolicyDocument:
          Statement:
            - Effect: Allow
              Action:
                - s3:GetObject
              Resource: arn:aws:s3:::my-store-files-bucket/*
              Principal: "*"
        Bucket:
          Ref: filesBucket

我使用 IAM 用户凭证管理员访问策略配置无服务器。

请问我该如何解决这个问题。

预期发生的是:在 S3 中创建存储桶

我得到的是:

Error:
CREATE_FAILED: filesBucketPolicy (AWS::S3::BucketPolicy)
API: s3:PutBucketPolicy Access Denied
amazon-s3 serverless-framework aws-serverless
2个回答
0
投票

Provider 中的iamRoleStatements 适用于 Lambda 函数,请参阅:函数的 IAM 权限

CloudFormation 似乎没有设置 S3 资源级策略的权限。

0
投票

由于最近的一些更改,似乎我们必须添加更多行才能使其正常工作。 请参阅下面所示的工作示例。

resources:
  Resources:
    ImagesBucket: 
      Type: AWS::S3::Bucket
      Properties:
        BucketName: ${self:service}-s3-${sls:stage}

        # Granting public access to bucket
        PublicAccessBlockConfiguration:
          BlockPublicAcls: false
          BlockPublicPolicy: false
          IgnorePublicAcls: false
          RestrictPublicBuckets: false
    ImagesBucketAllowPublicReadPolicy:
      Type: AWS::S3::BucketPolicy
      Properties:
        Bucket: !Ref ImagesBucket
        PolicyDocument:
          Version: "2012-10-17"
          Statement: 
            - Sid: AllowPublicReadAccess
              Effect: Allow
              Action: 
                - "s3:GetObject"
              Resource: 
                - !Join ['/', [!GetAtt [ImagesBucket, Arn], '*']]
              Principal: "*"    
              Condition:
                Bool:
                  aws:SecureTransport: 'true'
最新问题
© www.soinside.com 2019 - 2024. All rights reserved.