PutObject into an S3 bucket from Lambda using a VPCEndpoint

Question
I have a Lambda function in a public subnet with no NAT gateway.
The Lambda needs to be able to put objects in an S3 bucket.
To allow this, I have created a gateway endpoint:
UploadsBucketS3GatewayEndpoint:
  Type: AWS::EC2::VPCEndpoint
  Properties:
    PolicyDocument:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          Principal: "*"
          Action:
            - s3:PutObject
          Resource:
            - !Sub 'arn:aws:s3:::${UploadsBucket}'
            - !Sub 'arn:aws:s3:::${UploadsBucket}/*'
    RouteTableIds:
      - ${cf:vpc.PublicRouteTable}
    ServiceName: com.amazonaws.${self:provider.region}.s3
    VpcId: ${cf:vpc.VpcId}
When I try to deploy the above, I get this error:
> Please provide a valid VPC Endpoint policy (Service: Ec2, Status Code: 400, Request ID: xx)
What's wrong with my VPC endpoint?
Additional info
Here is the full CloudFormation for the bucket. It is in the "resources" section of a Serverless Framework configuration.
Resources:
  UploadsBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: redacted-website-name-uploads-${opt:stage}
      AccessControl: Private
  UploadsBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref UploadsBucket
      PolicyDocument:
        Statement:
          - Sid: AllowGetFromCloudfront
            Effect: Allow
            Action: s3:GetObject
            Resource: !Sub 'arn:aws:s3:::${UploadsBucket}/*'
            Principal:
              AWS:
                - !Sub "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${UploadsDistributionOAI.Id}"
          - Sid: AllowAdministrationFromVpcEndpoint
            Effect: Allow
            Action: s3:*
            Resource: !Sub 'arn:aws:s3:::${UploadsBucket}/*'
            Principal: "*"
            Condition:
              StringEquals:
                aws:userid:
                  - !Ref UploadsBucketS3GatewayEndpoint
  UploadsDistributionOAI:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: 'OAI for CloudFront access to s3'
  UploadsDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Comment: PWB uploads
        Origins:
          - DomainName: !GetAtt UploadsBucket.RegionalDomainName
            Id: 's3-origin'
            S3OriginConfig:
              OriginAccessIdentity: !Sub "origin-access-identity/cloudfront/${UploadsDistributionOAI.Id}"
        PriceClass: PriceClass_100
        Enabled: true
        DefaultCacheBehavior:
          TargetOriginId: 's3-origin'
          ViewerProtocolPolicy: 'redirect-to-https'
          ForwardedValues:
            QueryString: 'false'
            Cookies:
              Forward: all
  # This enables lambda to talk to the uploads bucket without needing a NAT gateway
  UploadsBucketS3GatewayEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal: "*"
            Action:
              - s3:PutObject
            Resource:
              - !Sub 'arn:aws:s3:::${UploadsBucket}'
              - !Sub 'arn:aws:s3:::${UploadsBucket}/*'
      RouteTableIds:
        - ${cf:vpc.PublicRouteTable}
      ServiceName: com.amazonaws.${self:provider.region}.s3
      VpcId: ${cf:vpc.VpcId}
Answer 1
Score: 1
The PolicyDocument version needed to be in quotes:
UploadsBucketS3GatewayEndpoint:
Type: AWS::EC2::VPCEndpoint
Properties:
PolicyDocument:
- Version: 2012-10-17
+ Version: '2012-10-17'
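Review bot: the hunk gives no reason for the change, and the reason is worth recording: YAML loaders that follow the YAML 1.1 timestamp rule (js-yaml, which the Serverless Framework uses to read serverless.yml, among them) resolve the plain scalar 2012-10-17 on the - line to a date, so the Version that reaches the CreateVpcEndpoint call is a serialized timestamp rather than the literal string "2012-10-17" that IAM accepts, which is why EC2 answers "Please provide a valid VPC Endpoint policy". Quoting the scalar as on the + line keeps it a string; the same quoting is needed for any other PolicyDocument in the template that carries a bare Version.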
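An added example (not from the post, the Serverless Framework or AWS) showing why the quotes matter: it mimics the YAML 1.1 implicit typing that turns a bare 2012-10-17 into a date and then lints the resulting PolicyDocument the way a pre-deploy check could. The ISO-timestamp serialization of the date and the bucket name are assumptions.

```python
import re
from datetime import date
# Constructed stand-in for a YAML 1.1 loader's implicit typing (js-yaml and
# PyYAML behave this way): a plain scalar shaped like a date becomes a date
# object, while a quoted scalar always stays a string.
YAML11_DATE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")
VALID_VERSIONS = {"2012-10-17", "2008-10-17"}

def resolve_scalar(raw: str):
    """Resolve one YAML scalar exactly as written in the template source."""
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
        return raw[1:-1]                      # quoted: always a string
    m = YAML11_DATE.match(raw)
    if m:
        return date(*map(int, m.groups()))    # plain 2012-10-17: a date
    return raw

def emit_version(resolved) -> str:
    """Serialize the value as a JSON emitter would when the request body is
    built (assumption: a Date becomes an ISO timestamp, as JSON.stringify does
    with js-yaml's output; the exact string can differ by toolchain)."""
    if isinstance(resolved, date):
        return resolved.isoformat() + "T00:00:00.000Z"
    return resolved

def lint_policy(policy: dict) -> list:
    """Pre-deploy check for a VPC endpoint PolicyDocument; empty list means OK."""
    findings = []
    version = policy.get("Version")
    if version not in VALID_VERSIONS:
        findings.append(f"Version must be one of {sorted(VALID_VERSIONS)}, got {version!r}")
    for i, stmt in enumerate(policy.get("Statement", [])):
        for key in ("Effect", "Principal", "Action", "Resource"):
            if key not in stmt:
                findings.append(f"Statement[{i}] is missing {key}")
    return findings

def build_policy(version_scalar: str) -> dict:
    """The poster's endpoint policy with the given raw Version scalar
    (constructed bucket name stands in for ${UploadsBucket})."""
    return {
        "Version": emit_version(resolve_scalar(version_scalar)),
        "Statement": [{
            "Effect": "Allow", "Principal": "*", "Action": ["s3:PutObject"],
            "Resource": ["arn:aws:s3:::example-uploads", "arn:aws:s3:::example-uploads/*"],
        }],
    }

for scalar in ("2012-10-17", "'2012-10-17'"):       # unquoted vs quoted, as in the answer
    print(scalar, "->", lint_policy(build_policy(scalar)) or "OK")
```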