AWS Lambda botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the CreateBucket operation: Access Denied


I am trying to deploy my Django project on AWS Lambda using Zappa. Here is my zappa_settings.json:

    {
        "dev": {
            "aws_region": "us-west-2",
            "django_settings": "<project_name>.settings",
            "profile_name": "zappa",
            "project_name": "<project_name>",
            "runtime": "python3.6",
            "s3_bucket": "<s3_bucket_name>",
            "timeout_seconds": 900,  // default is 30 seconds
            "manage_roles": false,
            "role_name": "ZappaDjangoRole",
            "role_arn": "arn:aws:iam::<account_id>:role/ZappaDjangoRole",
            "slim_handler": true
        }
    }
Any idea what is causing this, and how to fix it? My understanding is that Zappa zips the whole project and wants to upload it to an AWS S3 bucket, but is missing a permission when it calls the CreateBucket operation. I don't understand where this permission is supposed to go.

Inside IAM, I created a ZappaGroup which has the ZappaUserGeneralPolicy and ZappaUserS3Policy permissions:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "lambda:CreateFunction",
                    "s3:ListAccessPointsForObjectLambda",
                    "s3:GetAccessPoint",
                    "lambda:ListVersionsByFunction",
                    "logs:DescribeLogStreams",
                    "route53:GetHostedZone",
                    "events:PutRule",
                    "s3:PutStorageLensConfiguration",
                    "cloudformation:DescribeStackResource",
                    "lambda:GetFunctionConfiguration",
                    "iam:PutRolePolicy",
                    "apigateway:DELETE",
                    "events:ListRuleNamesByTarget",
                    "apigateway:PATCH",
                    "cloudformation:UpdateStack",
                    "events:ListRules",
                    "lambda:DeleteFunction",
                    "events:RemoveTargets",
                    "logs:FilterLogEvents",
                    "apigateway:GET",
                    "events:ListTargetsByRule",
                    "cloudformation:ListStackResources",
                    "iam:GetRole",
                    "events:DescribeRule",
                    "s3:PutAccountPublicAccessBlock",
                    "s3:ListAccessPoints",
                    "apigateway:PUT",
                    "lambda:GetFunction",
                    "s3:ListJobs",
                    "route53:ListHostedZones",
                    "route53:ChangeResourceRecordSets",
                    "cloudformation:DescribeStacks",
                    "s3:ListStorageLensConfigurations",
                    "lambda:UpdateFunctionCode",
                    "events:DeleteRule",
                    "events:PutTargets",
                    "s3:GetAccountPublicAccessBlock",
                    "lambda:AddPermission",
                    "s3:ListAllMyBuckets",
                    "cloudformation:CreateStack",
                    "cloudformation:DeleteStack",
                    "lambda:*",
                    "s3:CreateJob",
                    "apigateway:POST"
                ],
                "Resource": "*"
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": [
                    "iam:PassRole",
                    "s3:*"
                ],
                "Resource": [
                    "arn:aws:s3:::<s3_bucket from zappa_settings.json>",
                    "arn:aws:iam::<account_id>:role/ZappaDjangoRole"
                ]
            }
        ]
    }

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:*"
            ],
            "Resource": "arn:aws:logs:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:GetFunctionConfiguration",
                "lambda:UpdateFunctionConfiguration",
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AttachNetworkInterface",
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeInstances",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DetachNetworkInterface",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:ResetNetworkInterfaceAttribute"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kinesis:*"
            ],
            "Resource": "arn:aws:kinesis:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sns:*"
            ],
            "Resource": "arn:aws:sns:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sqs:*"
            ],
            "Resource": "arn:aws:sqs:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:*"
            ],
            "Resource": "arn:aws:dynamodb:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:*"
            ],
            "Resource": "*"
        }
    ]
}
Also, the trust relationship of my ZappaDjangoRole:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Principal": {
                    "Service": [
                        "events.amazonaws.com",
                        "apigateway.amazonaws.com",
                        "lambda.amazonaws.com"
                    ]
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }

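Two things are worth checking against the VisualEditor1 statement before reaching for AdministratorAccess: whether the bucket name in the Resource ARN matches `s3_bucket` exactly, and whether object-level calls (the upload of the zip itself) are covered at all, since a bucket ARN without `/*` does not cover objects inside it. The following added example (not Zappa's code and not from the question; the bucket name and account id are made up) evaluates that statement offline with a minimal Allow-only matcher and contrasts it with the all-access policy the answer recommends:

```python
import fnmatch
import json

# Constructed sample: the VisualEditor1 statement from the question, with its
# placeholders replaced by made-up values (bucket name and account id).
USER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VisualEditor1",
    "Effect": "Allow",
    "Action": ["iam:PassRole", "s3:*"],
    "Resource": ["arn:aws:s3:::zappa-deploy-bucket",
                 "arn:aws:iam::123456789012:role/ZappaDjangoRole"]
  }]
}""")

# What the answer grants instead: the shape of the AdministratorAccess managed policy.
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """True if some Allow statement in `policy` covers `action` on `resource`.

    Only the subset of IAM evaluation needed here: Allow statements, '*' and
    '?' wildcards, case-insensitive action names, case-sensitive ARNs. It
    ignores Deny, Condition, NotAction, SCPs, permission boundaries and S3
    bucket policies, any of which can still turn this Allow into AccessDenied.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue
        resources = _as_list(stmt.get("Resource", []))
        if any(fnmatch.fnmatchcase(resource, r) for r in resources):
            return True
    return False


def deploy_checks(policy, bucket):
    """The bucket-level and object-level S3 calls the question describes."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "CreateBucket": is_allowed(policy, "s3:CreateBucket", bucket_arn),
        "PutObject": is_allowed(policy, "s3:PutObject", bucket_arn + "/package.zip"),
    }
```

With the bucket ARN alone, CreateBucket on the named bucket passes but PutObject on an object in it does not, and any bucket name that differs from the ARN fails both; the admin policy passes everything, including IAM actions a deploy never needs.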
I solved this by adding the following permissions to the group my user belongs to:

IAMFullAccess
AmazonS3FullAccess
AdministratorAccess

My user also has administrator access. Looking around, I noticed that all developers were complaining about similar issues and suggesting giving the user full administrator access.

You can create the "s3_bucket": " yourself without updating the permissions in ZappaUserGeneralPolicy. I did, but it doesn't work, because for some reason Zappa either wants to create its own bucket or just wants to set permissions on it. I know it is permission related, so I tried giving Zappa admin permissions to see whether that would work. The example policy has the full "s3:*" permission, but in the fourth line of ZappaUserGeneralPolicy, does the managed role have extra_permissions in zappa_settings: [{"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}]