botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the CreateBucket operation: Access Denied

Problem description

I am trying to deploy my Django project to AWS Lambda with Zappa. Here is my zappa_settings.json

    {
        "dev": {
            "aws_region": "us-west-2",
            "django_settings": "<project_name>.settings",
            "profile_name": "zappa",
            "project_name": "<project_name>",
            "runtime": "python3.6",
            "s3_bucket": "<s3_bucket_name>",
            "timeout_seconds": 900, // default is 30 seconds
            "manage_roles": false,
            "role_name": "ZappaDjangoRole",
            "role_arn": "arn:aws:iam::<account_id>:role/ZappaDjangoRole",
            "slim_handler": true
        }
    }

I am getting the error

"botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the CreateBucket operation: Access Denied" 

Any idea what is causing this and how to fix it? My understanding is that Zappa zips the whole project and wants to upload it to an AWS S3 bucket, but it is missing a permission when it calls the CreateBucket operation. I don't understand where this permission should go.

In IAM, I created ZappaGroup with the permissions ZappaUserGeneralPolicy and ZappaUserS3Policy.

My ZappaUserGeneralPolicy

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "lambda:CreateFunction", "s3:ListAccesspointsForObjectLambda", "s3:GetAccesspoint",
                    "lambda:ListVersionsByFunction", "logs:DescribeLogStreams", "route53:GetHostedZone",
                    "events:PutRule", "s3:PutStorageLensConfiguration", "cloudformation:DescribeStackResource",
                    "lambda:GetFunctionConfiguration", "iam:PutRolePolicy", "apigateway:DELETE",
                    "events:ListRuleNamesByTarget", "apigateway:PATCH", "cloudformation:UpdateStack",
                    "events:ListRules", "lambda:DeleteFunction", "events:RemoveTargets", "logs:FilterLogEvents",
                    "apigateway:GET", "events:ListTargetsByRule", "cloudformation:ListStackResources",
                    "iam:GetRole", "events:DescribeRule", "s3:PutAccountPublicAccessBlock", "s3:ListAccesspoints",
                    "apigateway:PUT", "lambda:GetFunction", "s3:ListJobs", "route53:ListHostedZones",
                    "route53:ChangeResourceRecordSets", "cloudformation:DescribeStacks",
                    "s3:ListStorageLensConfigurations", "lambda:UpdateFunctionCode", "events:DeleteRule",
                    "events:PutTargets", "s3:GetAccountPublicAccessBlock", "lambda:AddPermission",
                    "s3:ListAllMyBuckets", "cloudformation:CreateStack", "cloudformation:DeleteStack",
                    "lambda:*", "s3:CreateJob", "apigateway:POST"
                ],
                "Resource": "*"
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": [
                    "iam:PassRole",
                    "s3:*"
                ],
                "Resource": [
                    "arn:aws:s3:::<s3_bucket from zappa_settings.json>",
                    "arn:aws:iam::<account_id>:role/ZappaDjangoRole"
                ]
            }
        ]
    }

Also, my ZappaUserS3Policy

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::<s3_bucket from zappa_settings.json>"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:DeleteObject",
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:AbortMultipartUpload",
                    "s3:ListMultipartUploadParts",
                    "s3:ListBucketMultipartUploads"
                ],
                "Resource": [
                    "arn:aws:s3:::<s3_bucket from zappa_settings.json>/*"
                ]
            }
        ]
    }

Also, the trust relationship of my ZappaDjangoRole:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Principal": {
                    "Service": [
                        "events.amazonaws.com",
                        "apigateway.amazonaws.com",
                        "lambda.amazonaws.com"
                    ]
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }

Finally, here is my ZappaRolePolicy

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["logs:*"],
                "Resource": "arn:aws:logs:*:*:*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "lambda:GetFunctionConfiguration",
                    "lambda:UpdateFunctionConfiguration",
                    "lambda:InvokeFunction"
                ],
                "Resource": ["*"]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "xray:PutTraceSegments",
                    "xray:PutTelemetryRecords",
                    "ec2:AttachNetworkInterface",
                    "ec2:CreateNetworkInterface",
                    "ec2:DeleteNetworkInterface",
                    "ec2:DescribeInstances",
                    "ec2:DescribeSecurityGroups",
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:DetachNetworkInterface",
                    "ec2:ModifyNetworkInterfaceAttribute",
                    "ec2:ResetNetworkInterfaceAttribute"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": ["s3:*"],
                "Resource": "arn:aws:s3:::*"
            },
            {
                "Effect": "Allow",
                "Action": ["kinesis:*"],
                "Resource": "arn:aws:kinesis:*:*:*"
            },
            {
                "Effect": "Allow",
                "Action": ["sns:*"],
                "Resource": "arn:aws:sns:*:*:*"
            },
            {
                "Effect": "Allow",
                "Action": ["sqs:*"],
                "Resource": "arn:aws:sqs:*:*:*"
            },
            {
                "Effect": "Allow",
                "Action": ["dynamodb:*"],
                "Resource": "arn:aws:dynamodb:*:*:*"
            },
            {
                "Effect": "Allow",
                "Action": ["route53:*"],
                "Resource": "*"
            }
        ]
    }

Solution

I solved this by adding the following permissions to the group my user belongs to:

IAMFullAccess
AmazonS3FullAccess
AdministratorAccess

My user also has the AdministratorAccess permission. Looking around, I noticed all the DevOps people complaining about similar problems and suggesting giving the user full administrator access.
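An added check, not from the question or from Zappa itself: a small Python evaluator of the identity policies posted above (with `"Effect": "Allow"` on every statement and the `<...>` placeholders replaced by constructed values) that shows which statement already covers `s3:CreateBucket` on the deployment bucket, and that a bucket-scoped grant, not AdministratorAccess, is what that one call needs.

```python
import fnmatch
# Constructed stand-ins for the placeholders used in the question.
BUCKET_ARN = "arn:aws:s3:::example-zappa-bucket"
ROLE_ARN = "arn:aws:iam::123456789012:role/ZappaDjangoRole"

# ZappaUserGeneralPolicy (first statement abridged) and ZappaUserS3Policy, as posted above.
GENERAL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
     "Action": ["lambda:*", "s3:ListAllMyBuckets", "iam:GetRole", "iam:PutRolePolicy"]},
    {"Sid": "VisualEditor1", "Effect": "Allow", "Action": ["iam:PassRole", "s3:*"],
     "Resource": [BUCKET_ARN, ROLE_ARN]},
]}
S3_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [BUCKET_ARN]},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": [BUCKET_ARN + "/*"]},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def evaluate(policies, action, resource):
    """Identity-policy decision for one action on one resource: explicit Deny wins, any
    matching Allow grants, otherwise implicit deny. Actions match case-insensitively, ARNs
    case-sensitively. Conditions, permission boundaries, SCPs, resource policies: not modelled."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
            resources = _as_list(stmt.get("Resource", []))
            if (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
                    and any(fnmatch.fnmatchcase(resource, r) for r in resources)):
                if stmt.get("Effect") == "Deny":
                    return "Deny"
                if stmt.get("Effect") == "Allow":
                    decision = "Allow"
    return decision

def create_bucket_statement(bucket_arn):
    # Least-privilege grant for Zappa's CreateBucket call on one named bucket.
    return {"Effect": "Allow", "Action": ["s3:CreateBucket", "s3:ListBucket"], "Resource": bucket_arn}

def check(bucket_arn=BUCKET_ARN):
    # Which policy covers s3:CreateBucket on the deployment bucket, and whether the grant leaks to other buckets.
    return {
        "s3_policy": evaluate([S3_POLICY], "s3:CreateBucket", bucket_arn),
        "general_policy": evaluate([GENERAL_POLICY], "s3:CreateBucket", bucket_arn),
        "other_bucket": evaluate([GENERAL_POLICY], "s3:CreateBucket", "arn:aws:s3:::other-bucket"),
        "scoped_grant": evaluate([{"Statement": [create_bucket_statement(bucket_arn)]}], "s3:CreateBucket", bucket_arn),
    }
```

Against a real account the same question is answered by the IAM policy simulator (iam:SimulatePrincipalPolicy) run as the principal behind the `zappa` profile; this local model deliberately ignores conditions, boundaries and SCPs.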