我有一个S3存储桶,它正被多个Lambda访问。我想限制对单个文件夹的访问,这样只有一个Lambda可以访问它。
我有下面的Cloud Formation模板来创建所有资源,但我无法正确设置bucket策略条件。它限制对文件夹的访问,但当我的Lambda执行角色被指定为异常时,它不会授予对我的Lamb达的访问权限。为什么下面的模板不起作用?
ExampleBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Sub '${AWS::StackName}-${AWS::AccountId}-example-bucket'
ExampleBucketPolicy:
Type: 'AWS::S3::BucketPolicy'
Properties:
Bucket: !Ref ExampleBucket
PolicyDocument:
Version: 2012-10-17
Statement:
- Action:
- 's3:*'
Effect: Deny
Resource:
- !Sub arn:aws:s3:::${ExampleBucket}/example-folder/
- !Sub arn:aws:s3:::${ExampleBucket}/example-folder/*
Principal: '*'
Condition:
ArnNotEquals:
aws:SourceArn:
- !GetAtt LambdaExecutionRole.Arn
LambdaFunction:
Type: AWS::Serverless::Function
Properties:
FunctionName: !Sub ${AWS::StackName}-handler
CodeUri: ./src
Handler: index.handler
Role: !GetAtt LambdaExecutionRole.Arn
Runtime: nodejs12.x
LambdaExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action:
- sts:AssumeRole
Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
- arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess
Policies:
- PolicyName: !Sub ${AWS::StackName}
PolicyDocument:
Statement:
- Action:
- s3:GetObject
- s3:ListBucket
- s3:PutObject
Effect: Allow
Resource:
- !Sub arn:aws:s3:::${ExampleBucket}
- !Sub arn:aws:s3:::${ExampleBucket}/*
- Action:
- lambda:InvokeFunction
Effect: Allow
Resource: '*'
我得到以下错误:;函数中的StoreDB错误:putStoreObject,访问密钥:示例文件夹/示例文件,AWS S3消息:Access Denied">
根据OP的评论,从aws:SourceArn更改为aws:PrincipalArn有效。