AWS Lambda botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the CreateBucket operation: Access Denied
I am trying to deploy my Django project on AWS Lambda with Zappa. Here is my zappa_settings.json:
{
"dev": {
"aws_region": "us-west-2",
"django_settings": "<project_name>.settings",
"profile_name": "zappa",
"project_name": "<project_name>",
"runtime": "python3.6",
"s3_bucket": "<s3_bucket_name>",
"timeout_seconds": 900, // default is 30 seconds
"manage_roles": false,
"role_name": "ZappaDjangoRole",
"role_arn": "arn:aws:iam::<account_id>:role/ZappaDjangoRole",
"slim_handler": true
}
}
Any idea what causes this and how to fix it? My understanding is that Zappa zips the whole project and wants to upload it to an AWS S3 bucket, but lacks the permission when calling the CreateBucket operation. I do not understand where this permission should go.
Inside IAM I created a ZappaGroup, which uses ZappaUserGeneralPolicy and ZappaUserS3Policy with the permissions below.
My ZappaUserGeneralPolicy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:CreateFunction",
"s3:ListAccessPointsForObjectLambda",
"s3:GetAccessPoint",
"lambda:ListVersionsByFunction",
"logs:DescribeLogStreams",
"route53:GetHostedZone",
"events:PutRule",
"s3:PutStorageLensConfiguration",
"cloudformation:DescribeStackResource",
"lambda:GetFunctionConfiguration",
"iam:PutRolePolicy",
"apigateway:DELETE",
"events:ListRuleNamesByTarget",
"apigateway:PATCH",
"cloudformation:UpdateStack",
"events:ListRules",
"lambda:DeleteFunction",
"events:RemoveTargets",
"logs:FilterLogEvents",
"apigateway:GET",
"events:ListTargetsByRule",
"cloudformation:ListStackResources",
"iam:GetRole",
"events:DescribeRule",
"s3:PutAccountPublicAccessBlock",
"s3:ListAccessPoints",
"apigateway:PUT",
"lambda:GetFunction",
"s3:ListJobs",
"route53:ListHostedZones",
"route53:ChangeResourceRecordSets",
"cloudformation:DescribeStacks",
"s3:ListStorageLensConfigurations",
"lambda:UpdateFunctionCode",
"events:DeleteRule",
"events:PutTargets",
"s3:GetAccountPublicAccessBlock",
"lambda:AddPermission",
"s3:ListAllMyBuckets",
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"lambda:*",
"s3:CreateJob",
"apigateway:POST"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"iam:PassRole",
"s3:*"
],
"Resource": [
"arn:aws:s3:::<s3_bucket from zappa_settings.json>",
"arn:aws:iam::<account_id>:role/ZappaDjangoRole"
]
}
]
}
Also, the trust relationship of my ZappaDjangoRole:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": [
"events.amazonaws.com",
"apigateway.amazonaws.com",
"lambda.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
Finally, here is my ZappaRolePolicy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:*"
],
"Resource": "arn:aws:logs:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"lambda:GetFunctionConfiguration",
"lambda:UpdateFunctionConfiguration",
"lambda:InvokeFunction"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"xray:PutTraceSegments",
"xray:PutTelemetryRecords"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:AttachNetworkInterface",
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface",
"ec2:DescribeInstances",
"ec2:DescribeSecurityGroups",
"ec2:DescribeNetworkInterfaces",
"ec2:DetachNetworkInterface",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ResetNetworkInterfaceAttribute"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"kinesis:*"
],
"Resource": "arn:aws:kinesis:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"sns:*"
],
"Resource": "arn:aws:sns:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"sqs:*"
],
"Resource": "arn:aws:sqs:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"dynamodb:*"
],
"Resource": "arn:aws:dynamodb:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"route53:*"
],
"Resource": "*"
}
]
}
I solved this by adding the following permissions to the group my user belongs to:
IAMFullAccess
AmazonS3FullAccess
AdministratorAccess
My user also has administrator access. Looking around, I noticed that all developers complain about a similar issue and suggest giving the user full administrator access.

You can create the "s3_bucket" yourself without updating the permissions in ZappaUserGeneralPolicy.

But it does not work, because for some reason Zappa either wants to create its own bucket or just wants to set permissions. I know it is related to permissions, so I tried giving Zappa admin permissions to see whether that would work.

The example policy has the full "s3:*" permission, but in the fourth line of ZappaUserGeneralPolicy

Does the managed role in zappa_settings have extra_permissions: [{"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}]?
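As an added illustration (not code from the question or from Zappa), here is a simplified IAM evaluator run over the S3-relevant statements of the asker's user policy. It shows why s3:CreateBucket is authorised only when the "s3_bucket" value in zappa_settings.json is exactly the bucket named in the policy's Resource ARN, which is the check to make before reaching for AdministratorAccess; the account id and bucket name are constructed placeholders, and the evaluator does not model Condition blocks, SCPs, permission boundaries or bucket policies.

```python
import fnmatch

# Constructed placeholders standing in for <account_id> and <s3_bucket_name> in the question.
ACCOUNT_ID = "123456789012"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/ZappaDjangoRole"
DEPLOY_BUCKET = "my-zappa-deploy-bucket"

# The asker's user policy, reduced to the statements that matter for CreateBucket
# (the real document also lists many Lambda, API Gateway and CloudFormation actions).
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets", "s3:GetAccountPublicAccessBlock", "lambda:*"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["iam:PassRole", "s3:*"],
         "Resource": [f"arn:aws:s3:::{DEPLOY_BUCKET}", ROLE_ARN]},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def evaluate(policy, action, resource):
    """Simplified IAM logic: explicit Deny wins, then any Allow, else implicit deny.
    Actions compare case-insensitively; Condition blocks, SCPs, permission
    boundaries and bucket policies are not modelled."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision

def can_zappa_create_bucket(policy, zappa_settings, stage="dev"):
    """s3:CreateBucket is authorised against arn:aws:s3:::<bucket>, so the
    s3_bucket value in zappa_settings must match the policy's Resource ARN."""
    bucket = zappa_settings[stage]["s3_bucket"]
    return evaluate(policy, "s3:CreateBucket", f"arn:aws:s3:::{bucket}")

if __name__ == "__main__":
    for bucket in (DEPLOY_BUCKET, "some-other-bucket"):
        settings = {"dev": {"s3_bucket": bucket}}
        print(bucket, "->", can_zappa_create_bucket(USER_POLICY, settings))
```

For an authoritative answer, run the same action and ARN through the IAM policy simulator (the iam:SimulatePrincipalPolicy API) against the deploying user's ARN, which applies the full evaluation logic including conditions and boundaries.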