In client-side JavaScript, I set:
AWS.config.credentials = {
    "accessKeyId": ak, // starts with "AKIA..."
    "secretAccessKey": sk // something long and cryptic
};
Then eventually call
var lambda = new AWS.Lambda({apiVersion: '2015-03-31'});
var params = {
    FunctionName: 'my-function-name',
    InvokeArgs: my_data
};
lambda.invokeAsync(params, function(err, data) {
    // ...
});
The HTML request seems to contain the correct access key:
authorization:AWS4-HMAC-SHA256 Credential=AKIA...
And in server-side Node.js, I don't manually set any AWS credentials, with the understanding that setting them on the client side is sufficient, as:
var AWS = require('aws-sdk');
var s3 = new AWS.S3();
...
Following the request, the server's upload handler gets called as expected, but within that handler, s3.putObject() fails with an Access Denied error. Trying to debug this, I added console.log(AWS.config.credentials) to the upload handler, and CloudWatch is showing:
accessKeyId: 'ASIA...
I don't recognize the accessKeyId that is shown, and it certainly doesn't match the one provided in the request header. Am I doing something wrong here, or is this expected behavior?
1 solution
#1
1
The Lambda function does not use the AWS credentials you used in your client-side JavaScript code. The credentials in your client-side code were used to issue a Lambda.invoke() command to the AWS API. In this context, the credentials you are using on the client-side only need the Lambda invoke permission.
Your Lambda function is then invoked by the AWS Lambda service. The Lambda service will attach the IAM Execution Role to the invocation that you specified when you created/configured the Lambda function. That IAM Execution Role is what needs to have the appropriate S3 access.
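As an added example (not part of the original question or answer), the following JavaScript parses a SigV4 authorization value like the one in the question and classifies both key IDs by prefix: AKIA marks a long-term IAM user key and ASIA a temporary STS key, which is what a Lambda handler sees for its execution role. The function names and the sample header and key values are constructed for illustration.

```javascript
// Access key ID prefixes as documented by AWS IAM:
// AKIA = long-term key (IAM user), ASIA = temporary key issued by STS.
function classifyAccessKey(accessKeyId) {
  if (/^AKIA[A-Z0-9]+$/.test(accessKeyId)) return 'long-term';
  if (/^ASIA[A-Z0-9]+$/.test(accessKeyId)) return 'temporary';
  return 'unknown';
}

// Split a SigV4 Authorization header value into its credential scope:
// Credential=<key id>/<yyyymmdd>/<region>/<service>/aws4_request
function parseSigV4Authorization(value) {
  const m = /^AWS4-HMAC-SHA256\s+(.+)$/.exec(String(value).trim());
  if (!m) throw new Error('not a SigV4 Authorization header');
  const fields = {};
  for (const part of m[1].split(',')) {
    const eq = part.indexOf('=');
    if (eq > 0) fields[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  const scope = (fields.Credential || '').split('/');
  if (scope.length !== 5 || scope[4] !== 'aws4_request') {
    throw new Error('malformed credential scope');
  }
  const [accessKeyId, date, region, service] = scope;
  return { accessKeyId, date, region, service };
}

// Compare the identity that signed the invoke request with the identity
// the handler logs from AWS.config.credentials.
function compareIdentities(authorizationValue, handlerAccessKeyId) {
  const caller = parseSigV4Authorization(authorizationValue);
  return {
    callerKeyKind: classifyAccessKey(caller.accessKeyId),
    signedForService: caller.service, // the API the caller's key was used against
    handlerKeyKind: classifyAccessKey(handlerAccessKeyId),
    sameCredentials: caller.accessKeyId === handlerAccessKeyId,
  };
}

// Constructed sample values (documentation-style placeholder keys, not real).
const SAMPLE_AUTHORIZATION =
  'AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20150830/us-east-1/lambda/aws4_request, ' +
  'SignedHeaders=host;x-amz-date, Signature=' + '0'.repeat(64);
const SAMPLE_HANDLER_KEY = 'ASIAIOSFODNN7EXAMPLE';

console.log(compareIdentities(SAMPLE_AUTHORIZATION, SAMPLE_HANDLER_KEY));
```

The result shows a long-term key signing a request to the lambda service and a different, temporary key inside the handler, so S3 permissions have to be granted to the execution role rather than to the caller.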