我有一個GetObject向 S3 存盤桶發出請求的 Lambda 函式。
但是,我收到以下錯誤:
AccessDenied: Access Denied
at deserializeAws_restXmlGetObjectCommandError (/node_modules/@aws-sdk/client-s3/dist-cjs/protocols/Aws_restXml.js:6284:41)
at processTicksAndRejections (internal/process/task_queues.js:95:5)
at /node_modules/@aws-sdk/middleware-serde/dist-cjs/deserializerMiddleware.js:6:20
at /node_modules/@aws-sdk/middleware-signing/dist-cjs/middleware.js:11:20
at StandardRetryStrategy.retry (/node_modules/@aws-sdk/middleware-retry/dist-cjs/StandardRetryStrategy.js:51:46)
at /node_modules/@aws-sdk/middleware-logger/dist-cjs/loggerMiddleware.js:6:22
at GetS3Data (/src/input.ts:21:26)
at Main (/src/main.ts:8:34)
at Runtime.run [as handler] (/handler.ts:6:9) {
Code: 'AccessDenied',
RequestId: '3K61PMQGW4825D3W',
HostId: '5PpmWpu2I4WZPx37Y0pRfDAcdCmjX8fchuE HLpUzy7uqoJirtb9Os0g96kWfluM/ctkn/mEC5o=',
'$fault': 'client',
'$metadata': {
httpStatusCode: 403,
requestId: undefined,
extendedRequestId: '5PpmWpu2I4WZPx37Y0pRfDAcdCmjX8fchuE HLpUzy7uqoJirtb9Os0g96kWfluM/ctkn/mEC5o=',
cfId: undefined,
attempts: 1,
totalRetryDelay: 0
}
}
我已授予訪問 Lambda 函式的權限以發出此請求。
問題是什么?
serverless.ts
import type { AWS } from "@serverless/typescript";
const serverlessConfiguration: AWS = {
service: "affiliations",
frameworkVersion: "2",
custom: {
esbuild: {
bundle: true,
minify: false,
sourcemap: true,
exclude: ["aws-sdk"],
target: "node14",
define: { "require.resolve": undefined },
platform: "node",
},
},
plugins: ["serverless-esbuild"],
provider: {
name: "aws",
region: "us-east-2",
runtime: "nodejs14.x",
apiGateway: {
minimumCompressionSize: 1024,
shouldStartNameWithService: true,
},
environment: {
AWS_NODEJS_CONNECTION_REUSE_ENABLED: "1",
NODE_OPTIONS: "--enable-source-maps --stack-trace-limit=1000",
},
lambdaHashingVersion: "20201221",
vpc: {
securityGroupIds: ["<redacted>"],
subnetIds: ["redacted>"],
},
iam: {
role: {
statements: [
{
Effect: "Allow",
Action: ["s3:GetObject"],
Resource: "<redacted>",
},
],
},
},
},
useDotenv: true,
// import the function via paths
functions: {
run: {
handler: "handler.run",
timeout: 300,
events: [
{
sns: {
arn: "<redacted>",
},
},
],
},
},
};
module.exports = serverlessConfiguration;
s3.ts
export const GetS3Data = async (payload: GetObjectRequest) => {
try {
const response = await S3Service.getObject(payload);
const result = await new Promise((resolve, reject) => {
const data = [];
response.Body.on("data", (chunk) => data.push(chunk));
response.Body.on("err", reject);
response.Body.once("end", () => resolve(data.join("")));
});
return [result, null];
} catch (err) {
Logger.error({
method: "GetS3Data",
error: err.stack,
});
return [null, err];
}
};
package.json
"@aws-sdk/client-s3": "^3.36.0",
uj5u.com熱心網友回復:
忘記添加/*到資源末尾
Resource: "<redacted>/*",
uj5u.com熱心網友回復:
您的403 Access Denied錯誤掩蓋了404 Not Found錯誤,因為您的代碼和無服務器配置看起來非常好,并且只要您正確指定了資源,就可以按預期作業。
如果您沒有正確的s3:ListBucket權限,404 Not Found并且指定密鑰的物件不存在,則 S3 端點將不會回傳錯誤。
GetObject的API 參考強調了這個細微差別:
如果您對存盤桶擁有 s3:ListBucket 權限,Amazon S3 將回傳 HTTP 狀態代碼 404(“無此類密鑰”)錯誤。
如果您沒有 s3:ListBucket 權限,Amazon S3 將回傳 HTTP 狀態代碼 403(“訪問被拒絕”)錯誤。
這是為了防止攻擊者列舉公共存盤桶并了解存盤桶中實際存在哪些物件。
在這種情況下,如果沒有 404,則不允許泄漏有關物件是否存在的Invalid Credentials資訊(就像登錄頁面上的訊息,而不是Invalid Password指示具有提供的用戶名的用戶存在)。
向 Lambda 提供權限以執行s3:ListBucket操作以取消屏蔽 404 錯誤和/或最終仔細檢查您GetObjectRequest以確保為確實存在的物件正確指定了密鑰:
iam: {
role: {
statements: [
{
Effect: "Allow",
Action: ["s3:GetObject", "s3:ListBucket"],
Resource: "<redacted>",
},
],
},
}
轉載請註明出處,本文鏈接:https://www.uj5u.com/qukuanlian/318847.html
標籤:节点.js 亚马逊网络服务 亚马逊-s3 aws-lambda 无服务器框架
上一篇:是否有可能使用Next.js Styled-Components和靜態主機(例如S3)制定有意義/安全的內容安全策略
下一篇:容器與用戶本地系統檔案路徑的通信