无法在AWS中为Lambda函数设置S3触发器
我在互联网上一直在寻找解决这个问题的方法。我一直试图设置一个AWS函数,每次文件上传到特定的S3桶时,都会向SNS发送一条消息,据本教程说。此时,我有了函数设置,我可以成功地调用它。但是,当我试图将函数连接到S3时,我会得到一个声明An error occurred (InvalidArgument) when calling the PutBucketNotification operation: Unable to validate the following destination configurations的错误。根据这篇文章,我应该能够添加一个允许S3调用Lambda函数的权限,如下所示:
aws lambda add-permission \
--function-name my-file-upload \
--principal s3.amazonaws.com \
--statement-id AcceptFromImport \
--action "lambda:InvokeFunction" \
--source-arn arn:aws:s3:::file-import \
--source-account my_account_id我这样做了,并注意到与Lambda函数相关的策略更新了,并且似乎是正确的。但是,错误仍然存在。我看过一个类似的问题,这里,但是这里没有一个解决方案有效。
执行角色ARN:arn:aws:iam::my_account_id:role/lambda-upload-stream
执行角色(lambda-上载-流)信任关系:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}执行角色策略(我的文件上传):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AccessObject",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::file-import/*"
},
{
"Sid": "SendUpdate",
"Effect": "Allow",
"Action": "sns:Publish",
"Resource": "arn:aws:sns:ap-northeast-1:my_account_id:comm-in"
}
]
}Lambda函数ARN:arn:aws:lambda:ap-northeast-1:my_account_id:function:my-file-upload
Lambda函数角色文档
{
"roleName": "lambda-upload-stream",
"policies": [
{
"name": "my-file-upload",
"id": "AWS_ACCESS_KEY_ID",
"type": "managed",
"arn": "arn:aws:iam::my_account_id:policy/my-file-upload",
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AccessObject",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::file-import/*"
},
{
"Sid": "SendUpdate",
"Effect": "Allow",
"Action": "sns:Publish",
"Resource": "arn:aws:sns:ap-northeast-1:my_account_id:comm-in"
}
]
}
}
],
"resources": {
"s3": {
"service": {
"name": "Amazon S3",
"icon": "data:image/svg+xml;base64,very_long_base64_string1"
},
"statements": [
{
"resource": "arn:aws:s3:::file-import/*",
"service": "s3",
"effect": "Allow",
"action": "s3:GetObject",
"source": {
"index": "AccessObject",
"policyName": "my-file-upload",
"policyType": "managed"
}
}
]
},
"sns": {
"service": {
"name": "Amazon SNS",
"icon": "data:image/svg+xml;base64,very_long_base64_string2"
},
"statements": [
{
"resource": "arn:aws:sns:ap-northeast-1:my_account_id:comm-in",
"service": "sns",
"effect": "Allow",
"action": "sns:Publish",
"source": {
"index": "SendUpdate",
"policyName": "my-file-upload",
"policyType": "managed"
}
}
]
}
},
"trustedEntities": [
"lambda.amazonaws.com"
]
}Lambda函数资源策略:
{
"Version": "2012-10-17",
"Id": "default",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:ap-northeast-1:my_account_id:function:my-file-upload",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "my_account_id"
},
"ArnLike": {
"AWS:SourceArn": "arn:aws:s3:::file-import"
}
}
}
]
}我的问题是:我在这里做错了什么,我如何解决它?
回答 2
Stack Overflow用户
发布于 2021-02-10 09:48:04
我知道问题出在哪里了。我最初的命令是:
aws s3api put-bucket-notification --bucket azure-erp-import \
--notification-configuration "CloudFunctionConfiguration={Id=file-uploaded,Events=[],Event=s3:ObjectCreated:*,CloudFunction=arn:aws:lambda:ap-northeast-1:my_account_id:function:my-file-upload,InvocationRole=arn:aws:iam::my_account_id:role/lambda-upload-stream}"这是因为arn:aws:iam::my_account_id:role/lambda-upload-stream角色没有对lambda函数调用lambda:InvokeFunction的权限,所以失败了。删除此值修正了错误。
Stack Overflow用户
发布于 2021-01-28 21:04:07
您需要创建的东西称为“基于资源的策略”,也是aws lambda add-permission应该创建的内容。
基于资源的策略允许S3调用lambda。这是lambda本身的一个属性,而不是lambda的IAM角色的一部分( lambda的IAM角色控制着lambda可以做什么,一个基于资源的策略控件,可以对lambda做什么。)您可以在aws控制台的UI中查看此资源,方法是转到您的lambda,单击“权限”并向下滚动到“基于资源的策略”。您要注意的关键字是lambda:InvokeFunction,它允许其他东西调用您的lambda,包括其他AWS帐户和您帐户上的其他AWS服务(比如s3)。
尽管如此,您运行的命令应该已经创建了此策略。在运行命令时,是否确保用实际的帐户id替换my_account_id?
此外,请确保用存储桶的实际ARN替换--source-arn arn:aws:s3:::file-import (我假设您必须创建一个具有不同名称的桶,因为s3桶必须具有全局唯一的名称,而且file-import几乎肯定已经使用了)
https://stackoverflow.com/questions/65914588
复制相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号