Serverless Framework: AWS Lambda role for signed URLs on S3

I am using the Serverless Framework, and when I try to use a signed URL against the GET- and PUT-only private bucket configured below, I get an Access Denied error. However, when I grant `*` as the Resource under iam.role.statements[0].Resource (instead of referencing the private bucket explicitly), it works perfectly. What am I doing wrong? What is the best approach here without having to grant "*" permissions?

provider:
  name: aws
  runtime: nodejs12.x
  lambdaHashingVersion: '20201221'
  iam:
    role:
      statements:
        - Effect: 'Allow'
          Action:
            - 's3:GetObject'
            - 's3:PutObject'
          Resource:
            - Fn::GetAtt:
                - PrivateBucket
                - Arn
resources:
  Resources:
    PrivateBucket:
      Type: AWS::S3::Bucket
      DeletionPolicy: Retain
      Properties:
        BucketName: private-bucket
        OwnershipControls:
          Rules:
            - ObjectOwnership: BucketOwnerEnforced
        PublicAccessBlockConfiguration:
          BlockPublicAcls: true
          BlockPublicPolicy: true
          IgnorePublicAcls: true
          RestrictPublicBuckets: true
        CorsConfiguration:
          CorsRules:
            - AllowedHeaders:
                - '*'
              AllowedMethods:
                - GET
                - PUT
              AllowedOrigins:
                - '*'

You need to allow both the bucket and the resources.

Try adding the resource permissions like this:

Resource:
  # ${PrivateBucket} is the logical ID of the bucket defined under resources.Resources;
  # the first ARN covers the bucket itself, the second covers every object in it
  - !Sub arn:aws:s3:::${PrivateBucket}
  - !Sub arn:aws:s3:::${PrivateBucket}/*
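The reason the original statement fails is that `s3:GetObject` and `s3:PutObject` act on objects, whose ARN is `arn:aws:s3:::bucket/key`, while `Fn::GetAtt [PrivateBucket, Arn]` renders only `arn:aws:s3:::private-bucket`; a presigned URL is evaluated with the signing role's policy, so the object request is denied. The following is an added illustration, not code from the question or answer: a small IAM-style resource matcher (the `statementAllows` and `checkPresignedUrlAccess` helpers are constructed here, not the real AWS policy engine) that evaluates the bucket-only statement and the bucket-plus-objects statement against an object ARN.

```javascript
// Convert an IAM pattern ("*" and "?" wildcards) into an anchored RegExp.
// Action names are matched case-insensitively; resource ARNs are case-sensitive.
function iamPatternToRegex(pattern, caseInsensitive) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp('^' + escaped + '$', caseInsensitive ? 'i' : '');
}

// Simplified evaluator (constructed for this example): an Allow statement grants
// the request only if some Action pattern AND some Resource pattern both match.
function statementAllows(statement, action, resourceArn) {
  if (statement.Effect !== 'Allow') return false;
  const actions = [].concat(statement.Action);
  const resources = [].concat(statement.Resource);
  const actionOk = actions.some(a => iamPatternToRegex(a, true).test(action));
  const resourceOk = resources.some(r => iamPatternToRegex(r, false).test(resourceArn));
  return actionOk && resourceOk;
}

// Statement as rendered from the question: Fn::GetAtt [PrivateBucket, Arn] yields
// the bucket ARN only (no "/*"), so object-level actions never match.
const bucketOnlyStatement = {
  Effect: 'Allow',
  Action: ['s3:GetObject', 's3:PutObject'],
  Resource: ['arn:aws:s3:::private-bucket'],
};

// Statement as the answer suggests: bucket ARN plus an object wildcard.
const bucketAndObjectsStatement = {
  Effect: 'Allow',
  Action: ['s3:GetObject', 's3:PutObject'],
  Resource: ['arn:aws:s3:::private-bucket', 'arn:aws:s3:::private-bucket/*'],
};

// A presigned GET/PUT URL is authorised against the object ARN, using the role
// that signed it; this reports what the role could do for a given bucket/key.
function checkPresignedUrlAccess(statement, bucket, key) {
  const objectArn = `arn:aws:s3:::${bucket}/${key}`;
  return {
    get: statementAllows(statement, 's3:GetObject', objectArn),
    put: statementAllows(statement, 's3:PutObject', objectArn),
  };
}

console.log(checkPresignedUrlAccess(bucketOnlyStatement, 'private-bucket', 'uploads/a.png'));
console.log(checkPresignedUrlAccess(bucketAndObjectsStatement, 'private-bucket', 'uploads/a.png'));
```

The second statement is still scoped to a single bucket, which is the least-privilege alternative to `Resource: '*'` that the question asks about.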

Latest update