AWS学习笔记之Lambda执行权限引发的思考

最近在网上看到一道关于AWS Lambda的题,十分有意思:

复制代码
A developer has an application that uses an AWS Lambda function to upload files to Amazon S3 and needs the required permissions to
perform the task. The developer already has an IAM user with valid IAM credentials required for Amazon S3.
What should a solutions architect do to grant the permissions?
A. Add required IAM permissions in the resource policy of the Lambda function.
B. Create a signed request using the existing IAM credentials in the Lambda function.
C. Create a new IAM user and use the existing IAM credentials in the Lambda function.
D. Create an IAM execution role with the required permissions and attach the IAM role to the Lambda function.

仔细想了想,这是在问如何让Lambda有可以上传文件到S3上的权限。而IAM user和相关凭证都是配置好的。

而Lambda是需要用某种IIAM role来执行的,且这个Role是需要有S3的操作权限来上传文件的。看完四个选项,只有D是正确的。而A是用来迷惑人的,IAM permissions是加在Role上的,并不是直接配置在Lambda上。

再进一步再想,这个配置在AWS中该如何编写呢?

配置如下:

复制代码
{
  "Effect": "Allow",
  "Action": "s3:PutObject",
  "Resource": "arn:aws:s3:::your-bucket-name/*"
}

回想一下项目中也会用serverless语法来设置IAM role有s3的一些权限,殊途同归罢了,具体serverless.yml的内容如下所示:

复制代码
service: upload-service

provider:
  name: aws
  runtime: nodejs18.x
  region: ap-northeast-1
  iamRoleStatements:
    - Effect: Allow
      Action:
        - s3:PutObject
      Resource:
        - arn:aws:s3:::test-bucket/*
  
functions:
  uploader:
    handler: handler.uploadFile
    events:
      - http:
          path: upload
          method: post

plugins:
  - serverless-offline

随后,编写对应的lambda代码,假设还是用nodejs实现(假设保存在名为handler.js的文件中):

复制代码
onst AWS = require('aws-sdk');
const s3 = new AWS.S3();

module.exports.uploadFile = async (event) => {
  const content = Buffer.from("test for lambda");
  const bucketName = "test-bucket";

  await s3.putObject({
    Bucket: bucketName,
    Key: "example.txt",
    Body: content,
  }).promise();

  return {
    statusCode: 200,
    body: JSON.stringify({ message: "Uploaded successfully" }),
  };
};
相关推荐
AWS官方合作商2 天前
打破数据枷锁:在AWS上解锁Oracle数据库的无限潜能
数据库·oracle·aws
weixin_307779133 天前
通过AWS IAM Policy Simulator进行权限验证和模拟测试
运维·系统安全·aws·安全架构·安全性测试
亚林瓜子3 天前
AWS中国云中的ETL之从aurora搬数据到s3(Glue版)
hadoop·spark·云计算·etl·aws
遥感之家4 天前
AWS下载sentinel-2原始影像
云计算·sentinel·aws
亚林瓜子4 天前
AWS中的离线计算(大数据大屏项目)
大数据·hadoop·sql·spark·云计算·aws
AWS官方合作商4 天前
AWS实战:轻松创建弹性IP,实现固定公网IP地址
tcp/ip·云计算·aws
伊织code5 天前
AWS Toolkit - 注册 AWS Builder ID 账号
云计算·aws
SkyXZ~5 天前
AWS SageMaker SDK 完整教程:从零开始云端训练你的模型
人工智能·深度学习·云计算·aws·sagemaker·boto3
weixin_307779135 天前
Redshift SQL搜索表中所有字段的值
数据仓库·sql·算法·云计算·aws
王道长服务器 | 亚马逊云6 天前
AWS Route 53 详解:不只是 DNS,还能做智能流量调度
服务器·网络·微服务·云原生·架构·云计算·aws