AWS学习笔记之Lambda执行权限引发的思考

最近在网上看到一道关于AWS Lambda的题,十分有意思:

复制代码
A developer has an application that uses an AWS Lambda function to upload files to Amazon S3 and needs the required permissions to
perform the task. The developer already has an IAM user with valid IAM credentials required for Amazon S3.
What should a solutions architect do to grant the permissions?
A. Add required IAM permissions in the resource policy of the Lambda function.
B. Create a signed request using the existing IAM credentials in the Lambda function.
C. Create a new IAM user and use the existing IAM credentials in the Lambda function.
D. Create an IAM execution role with the required permissions and attach the IAM role to the Lambda function.

仔细想了想,这是在问如何让Lambda有可以上传文件到S3上的权限。而IAM user和相关凭证都是配置好的。

而Lambda是需要用某种IIAM role来执行的,且这个Role是需要有S3的操作权限来上传文件的。看完四个选项,只有D是正确的。而A是用来迷惑人的,IAM permissions是加在Role上的,并不是直接配置在Lambda上。

再进一步再想,这个配置在AWS中该如何编写呢?

配置如下:

复制代码
{
  "Effect": "Allow",
  "Action": "s3:PutObject",
  "Resource": "arn:aws:s3:::your-bucket-name/*"
}

回想一下项目中也会用serverless语法来设置IAM role有s3的一些权限,殊途同归罢了,具体serverless.yml的内容如下所示:

复制代码
service: upload-service

provider:
  name: aws
  runtime: nodejs18.x
  region: ap-northeast-1
  iamRoleStatements:
    - Effect: Allow
      Action:
        - s3:PutObject
      Resource:
        - arn:aws:s3:::test-bucket/*
  
functions:
  uploader:
    handler: handler.uploadFile
    events:
      - http:
          path: upload
          method: post

plugins:
  - serverless-offline

随后,编写对应的lambda代码,假设还是用nodejs实现(假设保存在名为handler.js的文件中):

复制代码
onst AWS = require('aws-sdk');
const s3 = new AWS.S3();

module.exports.uploadFile = async (event) => {
  const content = Buffer.from("test for lambda");
  const bucketName = "test-bucket";

  await s3.putObject({
    Bucket: bucketName,
    Key: "example.txt",
    Body: content,
  }).promise();

  return {
    statusCode: 200,
    body: JSON.stringify({ message: "Uploaded successfully" }),
  };
};
相关推荐
MetaverseMan8 小时前
GitHub Actions打包容器,推送 AWS ECR 并使 EKS 自动拉取以完成发版部署
云计算·aws
可观测性用观测云10 小时前
AWS MemoryDB 可观测最佳实践
aws
德育处主任Pro18 小时前
解放生产力:Amazon API Gateway 与 Amazon Lambda 的优雅组合
gateway·aws·亚马逊
在云上(oncloudai)1 天前
AWS CAF:企业云转型的战略指南
aws
_可乐无糖2 天前
AWS WebRTC:我们的业务模式
云计算·音视频·webrtc·aws
俊俏的萌妹纸4 天前
AWS云S3+Glue+EMRonEC2+ReadShift
大数据·人工智能·aws
DEMI08155 天前
AWS Certified Cloud Practitioner 认证考试总结
云计算·aws
AWS官方合作商6 天前
驾驭云端算力:在AWS上构建高性能计算(HPC)集群的完整解决方案
数据库·云计算·aws
漫路在线6 天前
记一次从外网打通AWS云
网络·安全·aws
DEMI08156 天前
AWS Partner: Accreditation (Technical)
云计算·aws