I'm trying to get a Lambda to put/update objects in my S3 bucket. I haven't changed any of the default bucket settings, and I attached the following IAM role policy to the Lambda.
{
    "Statement": [
        {
            "Action": [
                "logs:*"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:logs:*:*:*"
        },
        {
            "Action": [
                "s3:*"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::my_custom_bucket_name_for_dev"
        }
    ],
    "Version": "2012-10-17"
}
What I don't understand is that the get operation seems to work, but put does not:
import logging

import boto3

logger = logging.getLogger()
logger.setLevel(logging.INFO)

logger.info("before boto")
s3_client = boto3.client('s3')

# Listing the bucket: this call works
objects = s3_client.list_objects_v2(Bucket='my_custom_bucket_name_for_dev')
logger.info("entering debug list")
for obj in objects.get('Contents', []):
    logger.info(f"{obj['Key']}")

# Writing an object: this call fails with AccessDenied
some_binary_data = b'let me in'
s3 = boto3.resource('s3')
s3_object = s3.Object('my_custom_bucket_name_for_dev', 'whatwithpermission.txt')
s3_object.put(Body=some_binary_data)
The code above produces the following error message:
[ERROR] ClientError: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
Can someone explain what I'm doing wrong? I thought I had granted the Lambda every possible S3 permission.
Thanks!
The ARN arn:aws:s3:::my_custom_bucket_name_for_dev applies only to the bucket, not to the objects in it. So any object-level operation, such as put, will fail. The correct object-level ARN is arn:aws:s3:::my_custom_bucket_name_for_dev/*.
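The following script makes the answer's point concrete by simulating IAM resource matching against the policy from the question. It is an added example, not code from the question or the answer: `is_allowed`, `with_object_resources` and the constructed `ORIGINAL_POLICY` copy are mine, and the evaluation is deliberately simplified (Allow statements only, no Deny, no Condition keys). It shows that `s3:ListBucket` is evaluated against the bucket ARN and therefore matches, while `s3:PutObject` is evaluated against the object ARN (`bucket/key`), which the bare bucket ARN never matches until the `bucket/*` resource is added.

```python
"""Simulate why the question's policy allows list_objects_v2 but denies
PutObject, and show the fix.  Added example, not part of the original post.
Simplified IAM evaluation: Allow statements only, no Deny, no Condition."""
import fnmatch
import json

# Constructed copy of the policy from the question (bare bucket ARN only).
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["logs:*"],
         "Resource": "arn:aws:logs:*:*:*"},
        {"Effect": "Allow", "Action": ["s3:*"],
         "Resource": "arn:aws:s3:::my_custom_bucket_name_for_dev"},
    ],
}

BUCKET = "my_custom_bucket_name_for_dev"
S3_ARN_PREFIX = "arn:aws:s3:::"


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM wildcard match: * is any run of characters, ? is one character.
    fnmatchcase has the same semantics but also treats [...] as a character
    class, which IAM does not, so '[' is escaped first."""
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def is_allowed(policy, action, resource_arn):
    """True if some Allow statement matches both the action and the resource."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(_matches(p, action)
                        for p in _as_list(stmt.get("Action", [])))
        resource_ok = any(_matches(r, resource_arn)
                          for r in _as_list(stmt.get("Resource", [])))
        if action_ok and resource_ok:
            return True
    return False


def bucket_arn(bucket):
    """ARN that bucket-level actions such as s3:ListBucket are checked against."""
    return f"{S3_ARN_PREFIX}{bucket}"


def object_arn(bucket, key):
    """ARN that object-level actions such as s3:PutObject are checked against."""
    return f"{S3_ARN_PREFIX}{bucket}/{key}"


def with_object_resources(policy):
    """Return a copy of the policy in which every bare S3 bucket ARN is
    accompanied by its 'bucket/*' form, so object-level actions also match."""
    fixed = json.loads(json.dumps(policy))  # deep copy, leave the input alone
    for stmt in fixed["Statement"]:
        resources = _as_list(stmt.get("Resource", []))
        extra = [r + "/*" for r in resources
                 if r.startswith(S3_ARN_PREFIX)
                 and "/" not in r[len(S3_ARN_PREFIX):]]
        if extra:
            stmt["Resource"] = resources + extra
    return fixed


if __name__ == "__main__":
    key = "whatwithpermission.txt"
    print("ListBucket on bucket ARN :",
          is_allowed(ORIGINAL_POLICY, "s3:ListBucket", bucket_arn(BUCKET)))
    print("PutObject on object ARN  :",
          is_allowed(ORIGINAL_POLICY, "s3:PutObject", object_arn(BUCKET, key)))
    fixed = with_object_resources(ORIGINAL_POLICY)
    print("PutObject after fix      :",
          is_allowed(fixed, "s3:PutObject", object_arn(BUCKET, key)))
    print(json.dumps(fixed["Statement"][1], indent=2))
```

Note that `with_object_resources` keeps the bare bucket ARN as well as adding `bucket/*`: dropping the bare ARN would break `s3:ListBucket`, which is the mirror image of the original mistake. In practice the corrected statement should also narrow `s3:*` to the actions the function actually needs.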