Python 在AWS上将文件从s3读取到sagemaker会出现403禁止错误,但其他操作会对该文件进行操作
此命令:Python 在AWS上将文件从s3读取到sagemaker会出现403禁止错误,但其他操作会对该文件进行操作,python,pandas,amazon-web-services,amazon-s3,amazon-sagemaker,Python,Pandas,Amazon Web Services,Amazon S3,Amazon Sagemaker,此命令: BUCKET_TO_READ='my-bucket' FILE_TO_READ='myFile' data_location = 's3://{}/{}'.format(BUCKET_TO_READ, FILE_TO_READ) df=pd.read_csv(data_location) 这是一个失败的例子 ClientError: An error occurred (403) when calling the HeadObject operation: Forbidden 错误
BUCKET_TO_READ='my-bucket'
FILE_TO_READ='myFile'
data_location = 's3://{}/{}'.format(BUCKET_TO_READ, FILE_TO_READ)
df=pd.read_csv(data_location)
这是一个失败的例子
ClientError: An error occurred (403) when calling the HeadObject operation: Forbidden
错误,我无法找出原因。这应该是根据
以下是我对bucket的权限:
"Action": [
"s3:ListMultipartUploadParts",
"s3:ListBucket",
"s3:GetObjectVersionTorrent",
"s3:GetObjectVersionTagging",
"s3:GetObjectVersionAcl",
"s3:GetObjectVersion",
"s3:GetObjectTorrent",
"s3:GetObjectTagging",
"s3:GetObjectAcl",
"s3:GetObject"
这些命令按预期工作:
role = get_execution_role()
region = boto3.Session().region_name
print(role)
print(region)
s3 = boto3.resource('s3')
bucket = s3.Bucket(BUCKET_TO_READ)
print(bucket.creation_date)
for my_bucket_object in bucket.objects.all():
print(my_bucket_object)
FILE_TO_READ = my_bucket_object.key
break
obj = s3.Object(BUCKET_TO_READ, FILE_TO_READ)
print(obj)
所有这些打印的声明都很有效
我不确定这是否重要,但每个文件都在一个文件夹中,因此我的文件读取看起来像文件夹/文件
该命令应将文件下载到sagemaker,但也出现了403错误:
import boto3
s3 = boto3.resource('s3')
s3.Object(BUCKET_TO_READ, FILE_TO_READ).download_file(FILE_TO_READ)
当我打开一个终端并使用
aws s3 cp AWSURI local_file_name
尝试在IAM策略中区分对象级操作和存储桶级操作。 像这样的
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObjectVersionTorrent",
"s3:GetObjectVersionTagging",
"s3:GetObjectVersionAcl",
"s3:GetObjectVersion",
"s3:GetObjectTorrent",
"s3:GetObjectTagging",
"s3:GetObjectAcl",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::bucket-name/*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListMultipartUploadParts",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::bucket-name"
}
]
}
尝试在IAM策略中区分对象级操作和存储桶级操作。 像这样的
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObjectVersionTorrent",
"s3:GetObjectVersionTagging",
"s3:GetObjectVersionAcl",
"s3:GetObjectVersion",
"s3:GetObjectTorrent",
"s3:GetObjectTagging",
"s3:GetObjectAcl",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::bucket-name/*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListMultipartUploadParts",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::bucket-name"
}
]
}
原因是我们授予了bucket而不是对象的权限。这将授予
“资源”:“arn:aws:s3::bucket name/”
,但不授予“资源”:“arn:aws:s3:::bucket name/*”
原因是我们授予了bucket而不是对象的权限。这将授予“资源”:“arn:aws:s3:::bucket name/”
,但不授予“资源”:“arn:aws:s3:::bucket name/*”