Fatal编程技术网
  • python/
  • Python 在AWS上将文件从s3读取到sagemaker会出现403禁止错误,但其他操作会对该文件进行操作

Python 在AWS上将文件从s3读取到sagemaker会出现403禁止错误,但其他操作会对该文件进行操作

python pandas amazon-web-services amazon-s3

Python 在AWS上将文件从s3读取到sagemaker会出现403禁止错误,但其他操作会对该文件进行操作,python,pandas,amazon-web-services,amazon-s3,amazon-sagemaker,Python,Pandas,Amazon Web Services,Amazon S3,Amazon Sagemaker,此命令: BUCKET_TO_READ='my-bucket' FILE_TO_READ='myFile' data_location = 's3://{}/{}'.format(BUCKET_TO_READ, FILE_TO_READ) df=pd.read_csv(data_location) 这是一个失败的例子 ClientError: An error occurred (403) when calling the HeadObject operation: Forbidden 错误

此命令:

BUCKET_TO_READ='my-bucket'
FILE_TO_READ='myFile'
data_location = 's3://{}/{}'.format(BUCKET_TO_READ, FILE_TO_READ)
df=pd.read_csv(data_location)
这是一个失败的例子

ClientError: An error occurred (403) when calling the HeadObject operation: Forbidden
错误,我无法找出原因。这应该是根据

以下是我对bucket的权限:

            "Action": [
                "s3:ListMultipartUploadParts",
                "s3:ListBucket",
                "s3:GetObjectVersionTorrent",
                "s3:GetObjectVersionTagging",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectVersion",
                "s3:GetObjectTorrent",
                "s3:GetObjectTagging",
                "s3:GetObjectAcl",
                "s3:GetObject"
这些命令按预期工作:

role = get_execution_role()
region = boto3.Session().region_name
print(role)
print(region)

s3 = boto3.resource('s3')
bucket = s3.Bucket(BUCKET_TO_READ)
print(bucket.creation_date)

for my_bucket_object in bucket.objects.all():
    print(my_bucket_object)
    FILE_TO_READ = my_bucket_object.key
    break

obj = s3.Object(BUCKET_TO_READ, FILE_TO_READ)
print(obj)
所有这些打印的声明都很有效

我不确定这是否重要,但每个文件都在一个文件夹中,因此我的文件读取看起来像
文件夹/文件

该命令应将文件下载到sagemaker,但也出现了403错误:

import boto3
s3 = boto3.resource('s3')
s3.Object(BUCKET_TO_READ, FILE_TO_READ).download_file(FILE_TO_READ)
当我打开一个终端并使用

aws s3 cp AWSURI local_file_name
尝试在IAM策略中区分对象级操作和存储桶级操作。 像这样的

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",            
            "Action":   [
                "s3:GetObjectVersionTorrent",
                "s3:GetObjectVersionTagging",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectVersion",
                "s3:GetObjectTorrent",
                "s3:GetObjectTagging",
                "s3:GetObjectAcl",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::bucket-name/*"
        },
        {
            "Effect": "Allow",            
            "Action":   [
                "s3:ListMultipartUploadParts",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::bucket-name"
        }
    ]
}
尝试在IAM策略中区分对象级操作和存储桶级操作。 像这样的

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",            
            "Action":   [
                "s3:GetObjectVersionTorrent",
                "s3:GetObjectVersionTagging",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectVersion",
                "s3:GetObjectTorrent",
                "s3:GetObjectTagging",
                "s3:GetObjectAcl",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::bucket-name/*"
        },
        {
            "Effect": "Allow",            
            "Action":   [
                "s3:ListMultipartUploadParts",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::bucket-name"
        }
    ]
}
原因是我们授予了bucket而不是对象的权限。这将授予
“资源”:“arn:aws:s3::bucket name/”
,但不授予
“资源”:“arn:aws:s3:::bucket name/*”
原因是我们授予了bucket而不是对象的权限。这将授予
“资源”:“arn:aws:s3:::bucket name/”
,但不授予
“资源”:“arn:aws:s3:::bucket name/*”