AWS Lambda function gets Access Denied when getting an object from an S3 bucket

Updated: 2024-10-27 06:20:51

Problem description

I'm using the default code for a lambda function:

    console.log('Loading function');

    var aws = require('aws-sdk');
    var s3 = new aws.S3({ apiVersion: '2006-03-01' });

    exports.handler = function(event, context) {
        //console.log('Received event:', JSON.stringify(event, null, 2));

        // Get the object from the event and show its content type
        var bucket = event.Records[0].s3.bucket.name;
        var key = decodeURIComponent(event.Records[0].s3.object.key.replace(/\+/g, ' '));
        var params = {
            Bucket: bucket,
            Key: key
        };
        s3.getObject(params, function(err, data) {
            if (err) {
                console.log(err);
                var message = "Error getting object " + key + " from bucket " + bucket +
                    ". Make sure they exist and your bucket is in the same region as this function.";
                console.log(message);
                context.fail(message);
            } else {
                console.log('CONTENT TYPE:', data.ContentType);
                context.succeed(data.ContentType);
            }
        });
    };

However, I get an access denied error:

    2016-02-24T14:21:21.503Z kvyo1midvc2r69gm Loading function
    START RequestId: baf9049b-db01-11e5-bc34-791df91353a9 Version: $LATEST
    2016-02-24T14:21:22.500Z baf9049b-db01-11e5-bc34-791df91353a9 { [AccessDenied: Access Denied]
      message: 'Access Denied',
      code: 'AccessDenied',
      region: null,
      time: Wed Feb 24 2016 14:21:22 GMT+0000 (UTC),
      requestId: '215CD9BB4094E209',
      extendedRequestId: '0kDBEyMiJYbMApEqJuAtKct2SKLI7Z7tCBVyW6QJsYwMHROvtCEDynbGSsBdqbwFcX+YrSlGnsg=',
      statusCode: 403,
      retryable: false,
      retryDelay: 30 }
    2016-02-24T14:21:22.539Z baf9049b-db01-11e5-bc34-791df91353a9 Error getting object {"originalFilename":"c12eaadf3d3b46d9b5ded6c078534c11","versions":[{"Size":1024,"Crop":null,"Max":false,"Rotate":0}]} from bucket xmovo.originalimages.develop. Make sure they exist and your bucket is in the same region as this function.
    2016-02-24T14:21:22.539Z baf9049b-db01-11e5-bc34-791df91353a9 {
      "errorMessage": "Error getting object {"originalFilename":"c12eaadf3d3b46d9b5ded6c078534c11","versions":[{"Size":1024,"Crop":null,"Max":false,"Rotate":0}]} from bucket xmovo.originalimages.develop. Make sure they exist and your bucket is in the same region as this function."
    }
    END RequestId: baf9049b-db01-11e5-bc34-791df91353a9
    REPORT RequestId: baf9049b-db01-11e5-bc34-791df91353a9 Duration: 723.44 ms Billed Duration: 800 ms Memory Size: 128 MB Max Memory Used: 34 MB

My lambda function and my S3 bucket are in the same region: 'US Standard' and 'us-east-1', which are the same.

IAM permissions are OK for the lambda function, allowing the GetObject action (it is set with the wizard that creates the lambda function).

With all those checks, I have no clue why I am still getting the Access Denied error.

Thanks in advance

Recommended answer

Looking at your log output, I can see that the key variable contains the following string:

{"originalFilename":"c12eaadf3d3b46d9b5ded6c078534c11","versions":[{"Size":1024,"Crop":null,"Max":false,"Rotate":0}]}

I'm guessing you intended that variable to contain the string "c12eaadf3d3b46d9b5ded6c078534c11".

S3 will return a 403 error response if you don't have access, or if the key doesn't exist. Returning "access denied" in both cases is a security feature to prevent attackers from finding out what keys actually exist in your bucket.

I think you need to change this line:

    decodeURIComponent(event.Records[0].s3.object.key.replace(/\+/g, ' '));

To this:

    decodeURIComponent(event.Records[0].s3.object.key.originalFilename.replace(/\+/g, ' '));
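
An added example, not part of the original question or answer: one way to validate the key taken from the event record before calling getObject, covering the JSON-in-key case visible in the log above. The helper names resolveObjectKey and explainGetObjectError and the sample records are assumptions made for illustration.

```javascript
// Added example, not the original poster's code. resolveObjectKey and
// explainGetObjectError are hypothetical helpers; sample records are constructed.

// Return the S3 key to request, given one record of an S3 event notification.
function resolveObjectKey(record) {
  var raw = record && record.s3 && record.s3.object && record.s3.object.key;
  if (typeof raw !== 'string' || raw.length === 0) {
    throw new TypeError('record has no s3.object.key string');
  }
  // Keys in S3 events are URL-encoded, with spaces sent as '+'.
  var decoded = decodeURIComponent(raw.replace(/\+/g, ' '));
  if (decoded.charAt(0) !== '{') {
    return decoded;
  }
  // Case from the question: the key field holds a JSON document.
  var parsed;
  try {
    parsed = JSON.parse(decoded);
  } catch (e) {
    return decoded; // an ordinary key that merely starts with '{'
  }
  if (parsed && typeof parsed.originalFilename === 'string' && parsed.originalFilename) {
    return parsed.originalFilename;
  }
  throw new Error('key is JSON without an originalFilename field: ' + decoded);
}

// Build a log message that does not assume which of the two 403 causes applies.
function explainGetObjectError(err, bucket, key) {
  if (err && err.statusCode === 403) {
    return 'AccessDenied on ' + bucket + ' for key ' + JSON.stringify(key) +
      ': the role may lack s3:GetObject, or no object has this key';
  }
  return 'getObject failed on ' + bucket + ' for key ' + JSON.stringify(key) +
    ': ' + (err && err.code);
}

// Constructed sample records (the second reproduces the key seen in the log).
var plainRecord = { s3: { object: { key: 'photos/my+cat%2B1.jpg' } } };
var jsonRecord = { s3: { object: { key: encodeURIComponent(JSON.stringify({
  originalFilename: 'c12eaadf3d3b46d9b5ded6c078534c11',
  versions: [{ Size: 1024, Crop: null, Max: false, Rotate: 0 }]
})) } } };

console.log(resolveObjectKey(plainRecord));
console.log(resolveObjectKey(jsonRecord));
console.log(explainGetObjectError({ statusCode: 403, code: 'AccessDenied' },
  'xmovo.originalimages.develop', resolveObjectKey(jsonRecord)));
```

If the function's role also has s3:ListBucket on the bucket, S3 answers a request for a missing key with 404 NoSuchKey instead of 403, which separates a wrong key from a missing permission.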


Published: 2023-08-01 15:39:10
Article link: https://www.elefans.com/category/jswz/34/1269558.html