我使用 nodejs s3 包“aws-sdk”當我在我的 mac 上使用無服務器離線運行時它作業正常。s3.getSignedUrl 和 s3.listObjects 函式都可以正常作業。
但是當我運行我部署的應用程式時, s3.getSignedUrl 作業正常,但 s3.listObjects 不行。我在 CloudWatch 中收到此錯誤:
在 CloudWatch > 日志組 > /aws/lambda/mamahealth-api-stage-userFilesIndex 中:
2021-12-24T02:49:50.965Z 421e054e-d1bf-429a-b73c-402ad21c7bae ERROR AccessDenied: Access Denied
at Request.extractError (/var/task/node_modules/aws-sdk/lib/services/s3.js:714:35)
at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
at Request.emit (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
at Request.emit (/var/task/node_modules/aws-sdk/lib/request.js:688:14)
at Request.transition (/var/task/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/var/task/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /var/task/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:690:12)
at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:116:18) {
code: 'AccessDenied',
region: 'ap-northeast-1',
time: 2021-12-24T02:49:50.960Z,
requestId: 'Q8B79GKAHPHMH3DN',
extendedRequestId: 'Nhx4ekCzotCSjGXGssFl0lQtyrWf01Gf8416FaqBALA07g3qm31avCIErDPcJWaJt 90xNz8w0o=',
cfId: undefined,
statusCode: 403,
retryable: false,
retryDelay: 43.44595425080651
}
看起來我的 aws s3 有權限問題。
我的 aws-sdk 版本是 2.995.0
我的助手/s3.ts 代碼:
import stream from 'stream';
import { nanoid } from 'nanoid';
import axios from 'axios';
import AWS from 'aws-sdk';
import mime from 'mime-types';
import moment from 'moment-timezone';
AWS.config.update({
region: 'ap-northeast-1',
});
const s3 = new AWS.S3();
export const uploadFromStream = (key: string, fileExt: string) => {
const pass = new stream.PassThrough();
return {
writeStream: pass,
promise: s3
.upload({
Bucket: process.env.AWS_BUCKET_NAME!,
Key: key,
Body: pass,
ContentType: mime.lookup(fileExt) || undefined,
})
.promise(),
};
};
type S3FileData = {
lastModified: number;
id: string;
fileExt: string;
size: number;
};
export const listObjects = async (s3Folder: string): Promise<S3FileData[]> => {
const params = {
Bucket: process.env.AWS_BUCKET_NAME!,
Delimiter: '/',
Prefix: `${s3Folder}/`,
};
const data = await s3.listObjects(params).promise();
if (!data.Contents) return [];
const fileList: S3FileData[] = [];
for (let index = 0; index < data.Contents.length; index = 1) {
const content = data.Contents[index];
const { Size: size } = content;
const splitedKey: string[] | undefined = content.Key?.split('/');
const lastModified = moment(content.LastModified).unix();
const fileFullName =
(splitedKey && splitedKey[splitedKey.length - 1]) || '';
const fileFullNameSplited = fileFullName.split('.');
if (fileFullNameSplited.length < 2 || !size)
throw Error('no file ext or no size');
const fileExt = fileFullNameSplited.pop() as string;
const id = fileFullNameSplited.join();
fileList.push({ id, fileExt, lastModified, size });
}
return fileList;
};
export const uploadFileFromBuffer = async (
key: string,
fileExt: string,
buffer: Buffer,
) => {
return s3
.upload({
Bucket: process.env.AWS_BUCKET_NAME!,
Key: key,
Body: buffer,
ContentType: mime.lookup(fileExt) || undefined,
})
.promise();
};
export const uploadFileFromNetwork = async (
key: string,
fileExt: string,
readUrl: string,
) => {
const { writeStream, promise } = uploadFromStream(key, fileExt);
const response = await axios({
method: 'get',
url: readUrl,
responseType: 'stream',
});
response.data.pipe(writeStream);
return promise;
};
export enum S3ResourceType {
image = 'image',
report = 'report',
}
export const getSystemGeneratedFileS3Key = (
resourceType: S3ResourceType,
fileExt: string,
id?: string,
): string => {
return `system-generated/${resourceType}/${id || nanoid()}.${fileExt}`;
};
export const getUserUploadedFileS3Key = (
userId: string,
fileExt: string,
id?: string,
) => {
return `user-uploaded/${userId}/${id || nanoid()}.${fileExt}`;
};
export const downloadFile = async (key: string) => {
const params: AWS.S3.GetObjectRequest = {
Bucket: process.env.AWS_BUCKET_NAME!,
Key: key,
};
const { Body } = await s3.getObject(params).promise();
return Body;
};
export const deleteFile = (key: string) => {
const params: AWS.S3.DeleteObjectRequest = {
Bucket: process.env.AWS_BUCKET_NAME!,
Key: key,
};
return s3.deleteObject(params).promise();
};
export enum GetSignedUrlOperation {
getObject = 'getObject',
putObject = 'putObject',
}
// Change this value to adjust the signed URL's expiration
const URL_EXPIRATION_SECONDS = 300;
export type GetSignedUrlOptions = {
contentType: string;
};
/**
* getSignedUrl
* @param key s3 key
* @param putOptions If provide putOptions, will return upload file url.
* @param expirationSeconds Default expiration seconds is 300
* @returns Signed Url
*/
export const getSignedUrl = (
key: string,
putOptions?: GetSignedUrlOptions,
expirationSeconds?: number,
) => {
const contentType = putOptions?.contentType;
const operation = putOptions
? GetSignedUrlOperation.putObject
: GetSignedUrlOperation.getObject;
return s3.getSignedUrl(operation, {
Bucket: process.env.AWS_BUCKET_NAME,
Key: key,
Expires: expirationSeconds || URL_EXPIRATION_SECONDS,
ContentType: contentType,
});
};
這是我的 s3 存盤桶設定:
S3MasterResourceBucket:
Type: AWS::S3::Bucket
Properties:
AccelerateConfiguration:
AccelerationStatus: Suspended
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
PublicAccessBlockConfiguration:
BlockPublicAcls: TRUE
BlockPublicPolicy: TRUE
IgnorePublicAcls: TRUE
RestrictPublicBuckets: TRUE
VersioningConfiguration:
Status: Enabled
我在 serverless.yaml 中的 iam 設定:
provider:
iamRoleStatements:
- Effect: Allow
Action:
- dynamodb:Query
- dynamodb:GetItem
- dynamodb:PutItem
- dynamodb:UpdateItem
- dynamodb:DeleteItem
- xray:PutTraceSegments
- xray:PutTelemetryRecords
- cognito-idp:AdminAddUserToGroup
- cognito-idp:AdminUpdateUserAttributes
- cognito-idp:AdminInitiateAuth
- cognito-idp:AdminGetUser
- s3:PutObject
- s3:GetObject
- s3:DeleteObject
- s3:ListBucket
- sqs:SendMessage
Resource:
- "Fn::ImportValue": mamahealth-api-${self:provider.stage}-ImagePostProcessQueueArn
- "Fn::ImportValue": mamahealth-api-${self:provider.stage}-CognitoUserPoolMyUserPoolArn
- "Fn::ImportValue": mamahealth-api-${self:provider.stage}-CognitoUserPoolMyUserPoolArn2
- "Fn::ImportValue": mamahealth-api-${self:provider.stage}-DynamoDBMasterTableArn
- "Fn::Join":
- "/"
- - "Fn::ImportValue": mamahealth-api-${self:provider.stage}-DynamoDBMasterTableArn
- "index"
- "*"
- "Fn::Join":
- "/"
- - "Fn::ImportValue": mamahealth-api-${self:provider.stage}-S3MasterResourceBucketArn
- "*"
我在這個問題中看到了 Ermiya Eskandary 的評論:Amazon S3 getObject() 接收訪問被NodeJS 拒絕 然后我在下面檢查我的配置:
- 檔案存在
是的,因為當我使用 serverless-offline 時,此代碼可以回傳資料,但是當我運行部署的應用程式時,會拋出 403 錯誤。
const data = await s3.listObjects(params).promise();
- 在正確的區域中使用正確的密鑰和存盤桶名稱。
是的,密鑰和存盤桶名稱和區域都是正確的。
- 為具有權限的用戶提供正確的訪問密鑰和秘密訪問密鑰?
在我的 mac 中,我使用了這個命令:
aws configure
然后我正確輸入了我的團隊帳戶的訪問密鑰 ID 和密碼。
- 分配給用戶的角色。
角色是“AdministratorAccess”
uj5u.com熱心網友回復:
在您的IAM角色的最后一行,您授予權限的lambda函式來執行s3:PutObject,s3:GetObject,s3:DeleteObject和s3:ListBucket上S3MasterResourceBucketArn/*。
我相信前 3 個動作和最后一個動作有不同的資源需求。對于前 3 個(PutObject、GetObject 和 DeleteObject),資源名稱是正確的。對于最后一個(ListBucket),我相信它一定是末尾沒有星星的桶的 arn(``S3MasterResourceBucketArn`)。
作為一種好的做法,您應該將您的策略??拆分為多個陳述句,例如:
provider:
iamRoleStatements:
- Effect: Allow
Action:
- dynamodb:Query
- dynamodb:GetItem
- dynamodb:PutItem
- dynamodb:UpdateItem
- dynamodb:DeleteItem
Resource:
- "Fn::ImportValue": mamahealth-api-${self:provider.stage}-DynamoDBMasterTableArn
- "Fn::Join":
- "/"
- - "Fn::ImportValue": mamahealth-api-${self:provider.stage}-DynamoDBMasterTableArn
- "index"
- "*"
- Effect: Allow
Action:
- cognito-idp:AdminAddUserToGroup
- cognito-idp:AdminUpdateUserAttributes
- cognito-idp:AdminInitiateAuth
- cognito-idp:AdminGetUser
Resource:
- "Fn::ImportValue": mamahealth-api-${self:provider.stage}-CognitoUserPoolMyUserPoolArn
- "Fn::ImportValue": mamahealth-api-${self:provider.stage}-CognitoUserPoolMyUserPoolArn2
- Effect: Allow
Action:
- sqs:SendMessage
Resource:
- "Fn::ImportValue": mamahealth-api-${self:provider.stage}-ImagePostProcessQueueArn
- Effect: Allow
Action:
- s3:ListBucket
Resource:
- Fn::ImportValue": mamahealth-api-${self:provider.stage}-S3MasterResourceBucketArn
- Effect: Allow
Action:
- s3:PutObject
- s3:GetObject
- s3:DeleteObject
Resource:
- "Fn::Join":
- "/"
- - "Fn::ImportValue": mamahealth-api-${self:provider.stage}-S3MasterResourceBucketArn
- "*"
- Effect: Allow
Action:
- xray:PutTraceSegments
- xray:PutTelemetryRecords
Resource:
- "*"
轉載請註明出處,本文鏈接:https://www.uj5u.com/ruanti/397075.html
標籤:节点.js 亚马逊-s3 aws-lambda 亚马逊