我想创建一个具有读取/写入特定 S3 存储桶的角色的 lambda 函数。下面是我编写的代码,但在 AWS 控制台策略中,它没有显示存储桶 arn,而是显示为s3:::[object Object]我错过了什么吗?
const role = new IAM.Role(this, 'MyRole', {
assumedBy: new IAM.ServicePrincipal('lambda.amazonaws.com'),
roleName: 'DefaultRoleName'
});
role.addToPolicy(new IAM.PolicyStatement({
resources: [lambda_source.bucketArn],
actions: ['s3:GetObject', 'lambda:InvokeFunction']
}));
// lambda_source.grantReadWrite(role) // I have tried this, and this is also outputs the same result.
const myLambda = new lambda.Function(this, 'MYLHandler', {
runtime: lambda.Runtime.NODEJS_12_X,
code: lambda.Code.fromBucket(lambda_source.bucketName, 'lambda.zip'),
handler: 'index.handler',
functionName: 'MyLambda',
role: role
});
以下是 AWS 控制台 IAM 角色策略文档中的输出:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject",
"lambda:InvokeFunction"
],
"Resource": "arn:aws:s3:::[object Object]",
"Effect": "Allow"
}
]
}
您可以导入存储桶并授予权限:
const bucket = Bucket.fromBucketAttributes(this, 'ImportedBucket', {
bucketArn: 'arn:aws:s3:::my-bucket'
});
// now you can just call methods on the bucket
bucket.grantRead(mylambda);
lambda_source.bucketArn是一个对象,而不是你期望的字符串。打印出对象以查看其实际内容以及它是否包含带有 ARN 的字段。