terraform/aws lambda 函数访问在 s3 上被拒绝

Posted

技术标签:

【中文标题】terraform/aws lambda 函数访问在 s3 上被拒绝【英文标题】:terraform/aws lambda function access denied on s3 【发布时间】:2021-05-19 18:07:39 【问题描述】:

使用 terraform 测试 AWS 实例调度程序。代码here

看起来我的代码出现了这个错误:

错误:等待创建 CloudFormation 堆栈时出错:未能创建 CloudFormation 堆栈,请求回滚 (ROLLBACK_COMPLETE):[“未能创建以下资源:[主要]。用户请求回滚。” “您的访问已被 S3 拒绝,请确保您的请求凭据对解决方案-us-gov-west-1/aws-instance-scheduler/v1.3.1/instance-scheduler.zip 的 GetObject 具有权限。S3 错误代码: AccessDenied.S3 错误消息:访问被拒绝(服务:AWSLambdaInternal;状态代码:403;错误代码:AccessDeniedException;请求 ID:731b7c0d-cda9-4f9e-b821-efed4cbced46;代理:null)"]

下面是部分代码:IAM policy

"InstanceSchedulerEncryptionKeyAlias": 
    "Type": "AWS::KMS::Alias",
    "Properties": 
        "AliasName": "alias/instance-scheduler-encryption-key",
        "TargetKeyId": 
            "Ref": "InstanceSchedulerEncryptionKey"
        
    
,
"SchedulerPolicy": 
    "Type": "AWS::IAM::Policy",
    "Metadata": 
        "cfn_nag": 
            "rules_to_suppress": [
                
                    "id": "W12",
                    "reason": "All policies have been scoped to be as restrictive as possible. This solution needs to access ec2/rds resources across all regions."
                
            ]
        
    ,
    "Properties": 
        "PolicyName": "SchedulerPolicy",
        "Roles": [
            
                "Ref": "SchedulerRole"
            
        ],
        "PolicyDocument": 
            "Version": "2012-10-17",
            "Statement": [
                
                    "Effect": "Allow",
                    "Action": [
                        "logs:CreateLogGroup",
                        "logs:CreateLogStream",
                        "logs:PutLogEvents",
                        "logs:PutRetentionPolicy",
                        "logs:*"
                    ],
                    "Resource": [
                        
                            "Fn::Join": [
                                ":",
                                [
                                    "arn:aws-us-gov:logs:*:*:*",
                                    
                                        "Ref": "AWS::Region"
                                    ,
                                    
                                        "Ref": "AWS::AccountId"
                                    ,
                                    "log-group",
                                    
                                        "Ref": "SchedulerLogGroup"
                                    ,
                                    "*"
                                ]
                            ]
                        ,
                        
                            "Fn::Join": [
                                ":",
                                [
                                    "arn:aws-us-gov:logs:*:*:*",
                                    
                                        "Ref": "AWS::Region"
                                    ,
                                    
                                        "Ref": "AWS::AccountId"
                                    ,
                                    "log-group:/aws/lambda/*"
                                ]
                            ]
                        
                    ]
                ,
                   "Effect": "Allow",
                    "Action": [
                        "s3:*"
                    ],
                    "Resource": [
                        "arn:aws-us-gov:s3:::*"
                    ]
                , 

IAM 角色

 "SchedulerRole": 
    "Type": "AWS::IAM::Role",
    "Properties": 
        "AssumeRolePolicyDocument": 
            "Version": "2012-10-17",
            "Statement": [
                
                    "Effect": "Allow",
                    "Principal": 
                        "Service": "lambda.amazonaws.com"
                    ,
                    "Action": "sts:AssumeRole"
                ,
                
                    "Effect": "Allow",
                    "Principal": 
                        "Service": "events.amazonaws.com"
                    ,
                    "Action": "sts:AssumeRole"
                
            ]
        ,
        "Path": "/"
    
,

我确定我的代码格式不正常,或者我在 s3 的角色或政策中遗漏了某些内容。在这里查找类似的问题,并将感谢任何关于我的代码的指针。我知道我很接近。

【问题讨论】:

【参考方案1】:

您的 SchedulerPolicy 中的连接存在问题。您需要删除尾随的*:*:*

"Fn::Join": [
":",
[
    "arn:aws-us-gov:logs:*:*:*",
    
        "Ref": "AWS::Region"
    ,
    
        "Ref": "AWS::AccountId"
    ,
    "log-group:/aws/lambda/*"
]
]

通过上述连接,您将得到一个字符串arn:aws-us-gov:logs:*:*:*:us-east-1:0987654321:log-group:/aws/lambda/*,而不是预期的arn:aws-us-gov:logs:us-east-1:0987654321:log-group:/aws/lambda/*

【讨论】:

【参考方案2】:

您无权访问this s3 object,因为您正在尝试使用本期分享的代码Is gov-Cloud supported? #11

“S3Key”:“aws-instance-scheduler/v1.3.1/instance-scheduler.zip”

该对象不再可用

$ curl -I https://aws-instance-scheduler.s3.amazonaws.com/v1.3.0/instance-scheduler.zip
HTTP/1.1 403 Forbidden
x-amz-request-id: 2663CDC7E74E1BE8
x-amz-id-2: GsWrKdNtOqqUdqR6wfWJ0pZGPqlhHD17rFvfCsqsQB09V+T3SGAc+V+HCTCIU8mj501Sbn4K7sA=
Content-Type: application/xml
Date: Tue, 16 Feb 2021 21:14:38 GMT
Server: AmazonS3

错误的意思是一样的。

您的访问已被 S3 拒绝,请确保您的请求凭证有权 GetObject for solutions-us-gov-west-1/aws-instance-scheduler/v1.3.1/instance-scheduler.zip。

如果您以某种方式获得了代码并上传到存储桶,您可以更新您的函数,如下所示:



..
        "MyFunction": 
            "Type": "AWS::Lambda::Function",
            "Properties": 
                "Code": 
                    "S3Bucket": BUCKETNAME,
                    "S3Key": "aws-instance-scheduler/v1.3.1/instance-scheduler.zip"
                
            
        
    

【讨论】:

感谢您的反馈。我按照问题中列出的步骤进行操作,能够按指示获取 zip,并且能够在堆栈创建中达到一个好点。然而,它卡住了 3500 万,然后因Error: Custom Resource failed to stabilize in expected time. If you are using the Python cfn-response module, you may need to update your Lambda function code so that CloudFormation can attach the updated version. 任何指针而失败!!

以上是关于terraform/aws lambda 函数访问在 s3 上被拒绝的主要内容,如果未能解决你的问题,请参考以下文章

配置 Terraform AWS 提供程序时出错 - Linux

Terraform aws - 无法使用 terraform 脚本创建 AWS SFTP 服务器

Terraform:传递 AWS 系统管理器参数存储变量时,Terraform AWS 提供商凭证无效

Terraform aws 承担角色

定义:Terraform - AWS - aws_instance - user_data

如何使用 Terraform 配置 AWS EKS 自动扩缩器?