【Posted】: 2020-06-13 04:39:23
【Question】:
I am trying to query an Athena view from my Lambda code. The Athena table was created over S3 files that live in a different account. The Athena query editor gives me the following error:
Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied;
I tried to access the Athena view from my Lambda code. I created a Lambda execution role and allowed that role in the bucket policy of the S3 bucket in the other account, as shown below:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::2222222222:role/BAccountRoleFullAccess"
            },
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::s3_bucket/*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111111111:role/A-Role",
                    "arn:aws:iam::111111111:role/B-Role"
                ]
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::s3_bucket",
                "arn:aws:s3:::s3_bucket/*"
            ]
        }
    ]
}
From Lambda, I get the following error:
'Status': {'State': 'FAILED', 'StateChangeReason': 'com.amazonaws.services.s3.model.AmazonS3Exception:
Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 3A8953784EC73B17;
S3 Extended Request ID: LfQZdTCj7sSQWcBqVNhtHrDEnJuGxgJQxvillSHznkWIr8t5TVzSaUwNSdSNh+YzDUj+S6aOUyI=),
S3 Extended Request ID: LfQZdTCj7sSQWcBqVNhtHrDEnJuGxgJQxvillSHznkWIr8t5TVzSaUwNSdSNh+YzDUj+S6aOUyI=
(Path: s3://s3_bucket/Input/myTestFile.csv)'
This Lambda function is running with the arn:aws:iam::111111111:role/B-Role execution role, which has full access to Athena and S3.
Could someone please guide me.
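As an added example (not code from the question or from AWS), the following Python helper evaluates the bucket policy posted above offline against a principal, an action and a resource, and reports which Allow statements match. It is a deliberately simplified model of IAM matching (no Deny statements, Condition blocks, identity policies, SCPs or object-ownership checks), so a match here is necessary but not sufficient for access; the file path used in the checks is taken from the error message in the question.

```python
import fnmatch

# The bucket policy from the question, embedded as sample input.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::2222222222:role/BAccountRoleFullAccess"},
         "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject"],
         "Resource": "arn:aws:s3:::s3_bucket/*"},
        {"Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111111111:role/A-Role",
                               "arn:aws:iam::111111111:role/B-Role"]},
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::s3_bucket", "arn:aws:s3:::s3_bucket/*"]},
    ],
}


def _as_list(value):
    # Policy elements may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(value, patterns, case_insensitive=False):
    # IAM Action/Resource patterns use '*' and '?' wildcards; actions are
    # case-insensitive, resource ARNs are not. fnmatch '*' also spans '/'.
    if case_insensitive:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def allowed_statements(policy, principal_arn, action, resource_arn):
    """Indices of Allow statements whose Principal/Action/Resource all match."""
    hits = []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if principal_arn not in principals:
            continue
        if not _matches(action, _as_list(stmt.get("Action", [])), True):
            continue
        if not _matches(resource_arn, _as_list(stmt.get("Resource", []))):
            continue
        hits.append(idx)
    return hits


def ungranted(policy, principal_arn, checks):
    """Return the (action, resource) pairs with no matching Allow statement."""
    return [c for c in checks if not allowed_statements(policy, principal_arn, *c)]
```

Running `ungranted` for each principal against the bucket ARN and the object ARN shows that the role in account 2222222222 has no bucket-level grant (for example s3:ListBucket on arn:aws:s3:::s3_bucket), while A-Role and B-Role are granted every S3 action on both.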
【Discussion】:
- So the bucket is in account 2222222222 and the lambda is in 111111111?
Tags: amazon-web-services amazon-s3 aws-lambda amazon-iam amazon-athena