terraform/aws lambda function access denied on s3
Posted 2021-05-19 18:07:39

Question:
Testing the AWS Instance Scheduler with terraform. Code here

It looks like my code is getting this error:

Error: error waiting for CloudFormation Stack creation: failed to create CloudFormation stack, rollback requested (ROLLBACK_COMPLETE): ["The following resource(s) failed to create: [Main]. Rollback requested by user." "Your access has been denied by S3, please make sure your request credentials have permission to GetObject for solutions-us-gov-west-1/aws-instance-scheduler/v1.3.1/instance-scheduler.zip. S3 Error Code: AccessDenied. S3 Error Message: Access Denied (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException; Request ID: 731b7c0d-cda9-4f9e-b821-efed4cbced46; Proxy: null)"]

Below is part of the code:

IAM policy
"InstanceSchedulerEncryptionKeyAlias": {
  "Type": "AWS::KMS::Alias",
  "Properties": {
    "AliasName": "alias/instance-scheduler-encryption-key",
    "TargetKeyId": {
      "Ref": "InstanceSchedulerEncryptionKey"
    }
  }
},
"SchedulerPolicy": {
  "Type": "AWS::IAM::Policy",
  "Metadata": {
    "cfn_nag": {
      "rules_to_suppress": [
        {
          "id": "W12",
          "reason": "All policies have been scoped to be as restrictive as possible. This solution needs to access ec2/rds resources across all regions."
        }
      ]
    }
  },
  "Properties": {
    "PolicyName": "SchedulerPolicy",
    "Roles": [
      {
        "Ref": "SchedulerRole"
      }
    ],
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents",
            "logs:PutRetentionPolicy",
            "logs:*"
          ],
          "Resource": [
            {
              "Fn::Join": [
                ":",
                [
                  "arn:aws-us-gov:logs:*:*:*",
                  { "Ref": "AWS::Region" },
                  { "Ref": "AWS::AccountId" },
                  "log-group",
                  { "Ref": "SchedulerLogGroup" },
                  "*"
                ]
              ]
            },
            {
              "Fn::Join": [
                ":",
                [
                  "arn:aws-us-gov:logs:*:*:*",
                  { "Ref": "AWS::Region" },
                  { "Ref": "AWS::AccountId" },
                  "log-group:/aws/lambda/*"
                ]
              ]
            }
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:*"
          ],
          "Resource": [
            "arn:aws-us-gov:s3:::*"
          ]
        }
      ]
    }
  }
}
IAM role

"SchedulerRole": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "lambda.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        },
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "events.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    },
    "Path": "/"
  }
}
I'm sure my code isn't formatted properly, or I'm missing something in the role or policy for s3. I looked for similar questions here and would appreciate any pointers on my code. I know I'm close.
Answer 1:
There is a problem with the join in your SchedulerPolicy. You need to remove the trailing *:*:*.

{
  "Fn::Join": [
    ":",
    [
      "arn:aws-us-gov:logs:*:*:*",
      { "Ref": "AWS::Region" },
      { "Ref": "AWS::AccountId" },
      "log-group:/aws/lambda/*"
    ]
  ]
}

With the join above you end up with the string arn:aws-us-gov:logs:*:*:*:us-east-1:0987654321:log-group:/aws/lambda/* instead of the expected arn:aws-us-gov:logs:us-east-1:0987654321:log-group:/aws/lambda/*

Comments:
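An added example (Python, not code from the question, the answers or the Instance Scheduler project) that resolves the Ref and Fn::Join intrinsics from the policy above the way CloudFormation would and flags CloudWatch Logs ARNs whose fields are shifted by the stray *:*:*; the pseudo-parameter values and the log group name in REFS are constructed stand-ins.

```python
# Added example (not code from the question, the answers, or the Instance
# Scheduler project): resolve Ref / Fn::Join in a CloudFormation fragment and
# flag CloudWatch Logs ARNs whose fields are shifted by a stray "*:*:*".
# Constructed values standing in for the pseudo-parameters and the log group.
REFS = {
    "AWS::Region": "us-gov-west-1",
    "AWS::AccountId": "123456789012",
    "SchedulerLogGroup": "instance-scheduler-logs",
}

def resolve(node, refs):
    """Recursively resolve {"Ref": name} and {"Fn::Join": [delim, parts]}."""
    if isinstance(node, dict):
        if list(node) == ["Ref"]:
            return refs[node["Ref"]]
        if list(node) == ["Fn::Join"]:
            delim, parts = node["Fn::Join"]
            return delim.join(resolve(p, refs) for p in parts)
        return {k: resolve(v, refs) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, refs) for v in node]
    return node

def logs_arn_problems(arn):
    """Check the arn:partition:logs:region:account:log-group:name[:*] layout.
    Returns a list of findings; an empty list means the ARN is well formed."""
    f = arn.split(":")
    if len(f) < 7 or f[0] != "arn" or f[2] != "logs":
        return ["not a CloudWatch Logs ARN"]
    problems = []
    if f[5] != "log-group":
        problems.append(f"field 6 is {f[5]!r}, expected 'log-group' (fields shifted)")
    if f[1] == "aws-us-gov" and f[3] != "*" and not f[3].startswith("us-gov-"):
        problems.append(f"region {f[3]!r} does not belong to partition aws-us-gov")
    return problems

def lambda_logs_arn(prefix, refs=REFS):
    """Build the question's second Join (the /aws/lambda/* log groups) with the
    first element supplied, so the broken and fixed prefixes can be compared."""
    node = {"Fn::Join": [":", [prefix, {"Ref": "AWS::Region"},
                               {"Ref": "AWS::AccountId"}, "log-group:/aws/lambda/*"]]}
    return resolve(node, refs)

def malformed_resources(resource_list, refs=REFS):
    """Resolve a Resource list and return {arn: findings} for the bad entries."""
    resolved = resolve(resource_list, refs)
    return {a: logs_arn_problems(a) for a in resolved if logs_arn_problems(a)}

BROKEN_PREFIX = "arn:aws-us-gov:logs:*:*:*"  # first Join element as in the question
FIXED_PREFIX = "arn:aws-us-gov:logs"         # trailing *:*:* removed, per the answer
```

Running malformed_resources over a whole Resource list catches both Joins in the question at once, since the first one has the same shifted prefix.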
Answer 2:
You don't have access to this s3 object because you are trying to use the code shared in this issue: Is gov-Cloud supported? #11

"S3Key": "aws-instance-scheduler/v1.3.1/instance-scheduler.zip"

That object is no longer available:
$ curl -I https://aws-instance-scheduler.s3.amazonaws.com/v1.3.0/instance-scheduler.zip
HTTP/1.1 403 Forbidden
x-amz-request-id: 2663CDC7E74E1BE8
x-amz-id-2: GsWrKdNtOqqUdqR6wfWJ0pZGPqlhHD17rFvfCsqsQB09V+T3SGAc+V+HCTCIU8mj501Sbn4K7sA=
Content-Type: application/xml
Date: Tue, 16 Feb 2021 21:14:38 GMT
Server: AmazonS3
The error means the same thing:

Your access has been denied by S3, please make sure your request credentials have permission to GetObject for solutions-us-gov-west-1/aws-instance-scheduler/v1.3.1/instance-scheduler.zip.

If you somehow obtained the code and uploaded it to a bucket, you can update your function as follows:

..
"MyFunction": {
  "Type": "AWS::Lambda::Function",
  "Properties": {
    "Code": {
      "S3Bucket": BUCKETNAME,
      "S3Key": "aws-instance-scheduler/v1.3.1/instance-scheduler.zip"
    }
  }
}

Comments:
Thanks for the feedback. I followed the steps listed in the issue, was able to get the zip as instructed, and was able to get to a good point in the stack creation. However, it hung at 35m and then failed with Error: Custom Resource failed to stabilize in expected time. If you are using the Python cfn-response module, you may need to update your Lambda function code so that CloudFormation can attach the updated version. Any pointers!!