Amazon web services Lambda“;“拒绝访问”;当上传到S3时
我一直在和你一起工作,我遇到了一个问题。这可能是因为我对AWS和它的架构了解很少,但也许有人能给我指出正确的方向 我已经用Terraform创建了一个S3 bucket,它利用AWS的KMS提供bucket服务器端加密。从CLI上传到此bucket可以正常工作,但是当使用由serverless创建的Lambda时,它会返回并“拒绝访问” 无服务器yaml拥有上传到S3的权限,我已经在关闭SSE的情况下测试过了,它工作正常 我不明白的是如何为AWS指定密钥。我认为将其添加到服务的顶部可能会起作用(但无济于事) 以下是yaml文件:Amazon web services Lambda“;“拒绝访问”;当上传到S3时,amazon-web-services,amazon-s3,serverless-framework,Amazon Web Services,Amazon S3,Serverless Framework,我一直在和你一起工作,我遇到了一个问题。这可能是因为我对AWS和它的架构了解很少,但也许有人能给我指出正确的方向 我已经用Terraform创建了一个S3 bucket,它利用AWS的KMS提供bucket服务器端加密。从CLI上传到此bucket可以正常工作,但是当使用由serverless创建的Lambda时,它会返回并“拒绝访问” 无服务器yaml拥有上传到S3的权限,我已经在关闭SSE的情况下测试过了,它工作正常 我不明白的是如何为AWS指定密钥。我认为将其添加到服务的顶部可能会起作用(
service:
name: lambdas
awsKmsKeyArn: [KEY GOES HERE]
custom:
serverless-offline:
port: 3000
bucket:
name: evidence-bucket
serverSideEncryption: aws:kms
sseKMSKeyId: [ KEY GOES HERE]
provider:
name: aws
runtime: nodejs12.x
region: eu-west-2
iamRoleStatements:
- Effect: Allow
Action:
- s3:ListBucket
- s3:PutObject
- s3:PutObjectAcl
Resource: "arn:aws:s3:::${self:custom.bucket.name}/*"
- Effect: Allow
Action:
- kms:Encrypt
- kms:Decrypt
- kms:DescribeKey
Resource: "[KEY GOES HERE]"
functions:
storeEvidence:
handler: handler.storeEvidence
environment:
BUCKET: ${self:custom.bucket.name}
events:
- http:
path: store-evidence
method: post
iamRoleStatements:
- Effect: Allow
Action:
- s3:*
Resource: "arn:aws:s3:::${self:custom.bucket.name}/*"
- Effect: Allow
Action:
- kms:*
Resource: "[KEY GOES HERE]"
iamRoleStatements:
- Effect: Allow
Action:
- s3:*
Resource: "arn:aws:s3:::${self:custom.bucket.name}/*"
- Effect: Allow
Action:
- kms:*
Resource: "[KEY GOES HERE]"
如果这样做有效,你知道你错过了一些行动。然后是一个痛苦的过程,你会发现缺少的动作,或者如果你高兴,就把*s留在里面。正如jarmod在评论中所说,你缺少了kms:GeneratedTakey。在这里,我将向您展示需要添加到上面所示的现有yaml中的确切内容:
# ...
provider:
name: aws
runtime: nodejs12.x
region: eu-west-2
iamRoleStatements:
- Effect: Allow
Action:
- s3:ListBucket
- s3:PutObject
- s3:PutObjectAcl
Resource: "arn:aws:s3:::${self:custom.bucket.name}/*"
- Effect: Allow
Action:
- kms:Encrypt
- kms:Decrypt
- kms:DescribeKey
- kms:GenerateDataKey # <------ this is the new permission
Resource: "[KEY GOES HERE]"
#...
#。。。
供应商:
名称:aws
运行时:nodejs12.x
地区:欧盟-西-2
IAM声明:
-效果:允许
行动:
-s3:ListBucket
-s3:PutObject
-s3:PutObjectAcl
资源:“arn:aws:s3::${self:custom.bucket.name}/*”
-效果:允许
行动:
-kms:加密
-kms:解密
-kms:DescribeKey
-kms:GenerateDataKey#正如jarmod在评论中所说,您缺少kms:GenerateDataKey。在这里,我将向您展示需要添加到上面所示的现有yaml中的确切内容:
# ...
provider:
name: aws
runtime: nodejs12.x
region: eu-west-2
iamRoleStatements:
- Effect: Allow
Action:
- s3:ListBucket
- s3:PutObject
- s3:PutObjectAcl
Resource: "arn:aws:s3:::${self:custom.bucket.name}/*"
- Effect: Allow
Action:
- kms:Encrypt
- kms:Decrypt
- kms:DescribeKey
- kms:GenerateDataKey # <------ this is the new permission
Resource: "[KEY GOES HERE]"
#...
#。。。
供应商:
名称:aws
运行时:nodejs12.x
地区:欧盟-西-2
IAM声明:
-效果:允许
行动:
-s3:ListBucket
-s3:PutObject
-s3:PutObjectAcl
资源:“arn:aws:s3::${self:custom.bucket.name}/*”
-效果:允许
行动:
-kms:加密
-kms:解密
-kms:DescribeKey
-kms:GeneratedTakey#为kms:GeneratedTakey
操作添加权限。为kms:GeneratedTakey
操作添加权限。