PutObject into an S3 bucket from Lambda using a VPCEndpoint

Question

I have a Lambda function in a public subnet with no NAT gateway.

The Lambda needs to be able to put objects in an S3 bucket.

To allow this, I have created a gateway endpoint:

    UploadsBucketS3GatewayEndpoint:
      Type: AWS::EC2::VPCEndpoint
      Properties:
        PolicyDocument:
          Version: 2012-10-17
          Statement:
            - Effect: Allow
              Principal: "*"
              Action:
                - s3:PutObject
              Resource:
                - !Sub 'arn:aws:s3:::${UploadsBucket}'
                - !Sub 'arn:aws:s3:::${UploadsBucket}/*'
        RouteTableIds:
          - ${cf:vpc.PublicRouteTable}
        ServiceName: com.amazonaws.${self:provider.region}.s3
        VpcId: ${cf:vpc.VpcId}

When I try to deploy the above, I get this error:

>
> Please provide a valid VPC Endpoint policy (Service: Ec2, Status Code: 400, Request ID: xx)
>

What's wrong with my VPC endpoint?


Additional info

Here is the full CloudFormation for the bucket. It is in the "resources" section of a Serverless Framework configuration.

    Resources:
      UploadsBucket:
        Type: AWS::S3::Bucket
        Properties:
          BucketName: redacted-website-name-uploads-${opt:stage}
          AccessControl: Private

      UploadsBucketPolicy:
        Type: AWS::S3::BucketPolicy
        Properties:
          Bucket: !Ref UploadsBucket
          PolicyDocument:
            Statement:
              - Sid: AllowGetFromCloudfront
                Effect: Allow
                Action: s3:GetObject
                Resource: !Sub 'arn:aws:s3:::${UploadsBucket}/*'
                Principal:
                  AWS:
                    - !Sub "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${UploadsDistributionOAI.Id}"
              - Sid: AllowAdministrationFromVpcEndpoint
                Effect: Allow
                Action: s3:*
                Resource: !Sub 'arn:aws:s3:::${UploadsBucket}/*'
                Principal: "*"
                Condition:
                  StringEquals:
                    aws:userid:
                      - !Ref UploadsBucketS3GatewayEndpoint

      UploadsDistributionOAI:
        Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
        Properties:
          CloudFrontOriginAccessIdentityConfig:
            Comment: 'OAI for CloudFront access to s3'

      UploadsDistribution:
        Type: AWS::CloudFront::Distribution
        Properties:
          DistributionConfig:
            Comment: PWB uploads
            Origins:
              - DomainName: !GetAtt UploadsBucket.RegionalDomainName
                Id: 's3-origin'
                S3OriginConfig:
                  OriginAccessIdentity: !Sub "origin-access-identity/cloudfront/${UploadsDistributionOAI.Id}"
            PriceClass: PriceClass_100
            Enabled: true
            DefaultCacheBehavior:
              TargetOriginId: 's3-origin'
              ViewerProtocolPolicy: 'redirect-to-https'
              ForwardedValues:
                QueryString: 'false'
                Cookies:
                  Forward: all

      # This enables lambda to talk to the uploads bucket without needing a NAT gateway
      UploadsBucketS3GatewayEndpoint:
        Type: AWS::EC2::VPCEndpoint
        Properties:
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Principal: "*"
                Action:
                  - s3:PutObject
                Resource:
                  - !Sub 'arn:aws:s3:::${UploadsBucket}'
                  - !Sub 'arn:aws:s3:::${UploadsBucket}/*'
          RouteTableIds:
            - ${cf:vpc.PublicRouteTable}
          ServiceName: com.amazonaws.${self:provider.region}.s3
          VpcId: ${cf:vpc.VpcId}
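The root cause of the "Please provide a valid VPC Endpoint policy" error is YAML typing rather than IAM semantics: YAML 1.1 parsers (PyYAML, js-yaml) resolve an unquoted scalar shaped like `2012-10-17` as a timestamp, so the `Version` field leaves the template as a date value instead of the string IAM expects. The following is an added example, not code from the question, the answer or the Serverless Framework: a stdlib-only pre-deploy check that scans template text for `Version:` lines that would be loaded as dates (or that name a version IAM does not know) and can rewrite them quoted. The `SAMPLE_TEMPLATE` is a constructed snippet modelled on the question, with a placeholder bucket ARN.

```python
"""
Lint IAM / VPC-endpoint PolicyDocument "Version" values embedded in YAML.

YAML 1.1 parsers (PyYAML, js-yaml) resolve an unquoted 2012-10-17 as a
timestamp, not a string, so the policy reaches the EC2 API with a
non-string Version and is rejected with "Please provide a valid VPC
Endpoint policy". Quoting the value ('2012-10-17') keeps it a string.
Added example; the sample template below is constructed, not the
project's own.
"""
import re
from typing import List, Optional, Tuple

# An unquoted YAML 1.1 date scalar, which is exactly the shape IAM policy
# versions take.
YAML_DATE = re.compile(r"^\d{4}-\d{1,2}-\d{1,2}$")
# A "Version:" mapping key at any indentation; group 1 = indent, 2 = value.
VERSION_LINE = re.compile(r"^(\s*)Version:\s*(.*?)\s*$")
# The only policy-language versions IAM accepts.
ALLOWED_VERSIONS = {"2012-10-17", "2008-10-17"}

# Constructed sample: one endpoint policy with the bug, one managed policy
# that is already correct.
SAMPLE_TEMPLATE = """\
Resources:
  UploadsBucketS3GatewayEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal: "*"
            Action:
              - s3:PutObject
            Resource:
              - arn:aws:s3:::example-bucket-placeholder/*
  OtherPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement: []
"""


def _is_quoted(value: str) -> bool:
    """True when the scalar is wrapped in matching single or double quotes."""
    return len(value) >= 2 and value[0] == value[-1] and value[0] in ("'", '"')


def _classify(value: str) -> Tuple[str, Optional[str]]:
    """Return (bare value, problem) where problem is None, 'unquoted-date'
    or 'unknown-version'."""
    if _is_quoted(value):
        inner = value[1:-1]
        return inner, (None if inner in ALLOWED_VERSIONS else "unknown-version")
    if YAML_DATE.match(value):
        # Would be loaded as a date object, even though the text is "right".
        return value, "unquoted-date"
    return value, (None if value in ALLOWED_VERSIONS else "unknown-version")


def lint_policy_versions(template: str) -> List[Tuple[int, str, str]]:
    """Return (line number, value, problem) for every offending Version line."""
    findings = []
    for lineno, line in enumerate(template.splitlines(), start=1):
        m = VERSION_LINE.match(line)
        if not m:
            continue
        value, problem = _classify(m.group(2))
        if problem is not None:
            findings.append((lineno, value, problem))
    return findings


def quote_policy_versions(template: str) -> str:
    """Rewrite unquoted date-shaped Version values with single quotes.
    Unknown versions are left alone: they need a human decision."""
    fixed = []
    for line in template.splitlines():
        m = VERSION_LINE.match(line)
        if m and _classify(m.group(2))[1] == "unquoted-date":
            line = f"{m.group(1)}Version: '{m.group(2)}'"
        fixed.append(line)
    return "\n".join(fixed)


if __name__ == "__main__":
    for lineno, value, problem in lint_policy_versions(SAMPLE_TEMPLATE):
        print(f"line {lineno}: Version {value!r} ({problem})")
    print(quote_policy_versions(SAMPLE_TEMPLATE))
```

Run this over the rendered template before `serverless deploy` (or wire it into CI); it reports the endpoint's `Version` on line 6 of the sample and rewrites it quoted, while leaving the already-correct managed policy untouched. Two further points a reviewer would raise on the question's bucket policy, separate from the deploy error: the `AllowAdministrationFromVpcEndpoint` statement compares `aws:userid` with the endpoint ID, but `aws:userid` carries the calling principal's unique ID, so that condition can never match and the statement grants nothing; the condition key that scopes access to traffic arriving through a gateway endpoint is `aws:SourceVpce`. Once that key is used, the statement really does hand `s3:*` on the bucket to any caller that reaches it through the endpoint regardless of IAM identity, so keep the endpoint policy itself narrowed to `s3:PutObject` on that one bucket, as the question already does, and consider listing the Lambda role as the principal instead of `*`.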

Answer 1

Score: 1

The PolicyDocument version needed to be in quotes:

     UploadsBucketS3GatewayEndpoint:
       Type: AWS::EC2::VPCEndpoint
       Properties:
         PolicyDocument:
-          Version: 2012-10-17
+          Version: '2012-10-17'
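Review bot: the answer should say why the quotes matter, because the same rule applies to every `Version:` key in the stack: YAML 1.1 parsers (PyYAML, js-yaml) resolve an unquoted `2012-10-17` as a timestamp, so the policy reaches the EC2 API with a non-string `Version` and is rejected; `'2012-10-17'` keeps it a string. The `UploadsBucketPolicy` in the question omits `Version` entirely, which makes IAM fall back to the older 2008-10-17 policy language; adding `Version: '2012-10-17'` there as well is the safer default.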

huangapple
  • Posted on 2023-04-16 23:42:27
  • Please keep this link when reposting: https://go.coder-hub.com/76028728.html