如何使用KMS在nodejs中获取/放置S3 encrypt对象?
如何使用KMS在nodejs中获取/放置S3 encrypt对象?
提问于 2016-04-26 15:41:48
我有点问题。我有几个lambda函数,如果我在本地创建脚本,并运行它,所有的工作都可以,但是如果我的代码在远程lambda上工作,我会得到错误:访问被拒绝
S3Service.prototype.PutFile = function (bucket, key, body, type, callback) {
var s3 = new this.AWS.S3({region: awsConfig.region,"signatureVersion":"v4"});
var params = {
Bucket: bucket,
Key: key,
Body: body,
ContentType: type,
ACL: 'public-read-write',
ServerSideEncryption: 'aws:kms',
SSEKMSKeyId: awsConfig.kmsKeyId
};
s3.putObject(params, function (err, res) {
if (err) {
callback(new InternalServerError(err));
} else {
callback(null);
}
});
};
S3Service.prototype.GetFile = function (params, callback) {
var s3 = new this.AWS.S3({ region: awsConfig.region,"signatureVersion":"v4"});
s3.getObject(params, function (err, data) {
if (err) {
callback(new InternalServerError(err));
} else {
callback(null, data.Body, data.ContentType);
}
});
};存储桶策略:
var policy = {
"Version": "2012-10-17",
"Statement":[{
"Sid":"DenyUnEncryptedObjectUploads",
"Effect":"Deny",
"Principal": "*",
"Action":["s3:PutObject"],
"Resource": "arn:aws:s3:::" + name + "/*",
"Condition":{
"StringNotEquals":{
"s3:x-amz-server-side-encryption":"aws:kms"
}
}
}
]
};正在生成kms密钥:
kms.createKey({ Description: 'qwe', KeyUsage: 'ENCRYPT_DECRYPT' }, function (err, data) {
//var keyId = data.KeyMetadata.KeyId
});如何正确地使用: ServerSideEncryption:'aws:kms‘将加密对象放入和获取到S3?
回答 1
Stack Overflow用户
回答已采纳
发布于 2016-04-26 23:12:52
这听起来像是您的lambda的角色策略有问题。lambda的作用是什么?
特别是,要确保它具有以下效果:
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::s3bucket",
"arn:aws:s3:::s3bucket/*"
]
}, {
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:Encrypt"
],
"Resource": ["*"]
}]
}页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/36858390
复制相关文章
相似问题