Lambda function not triggered by S3 event notification: 'AccessDenied' error in S3 bucket event configuration
ID: cloud/aws-lambda-s3-event-notification-missing
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| AWS Lambda (runtime: Node.js 18, Python 3.11) | active | — | — | — |
| AWS S3 (standard tier) | active | — | — | — |
| AWS CLI 2.15.0 | active | — | — | — |
Root cause analysis
The S3 bucket's event notification configuration lacks permission to invoke the Lambda function. The usual cause is that the function's resource-based policy is missing, or that it does not allow the S3 service principal (s3.amazonaws.com) to call lambda:InvokeFunction. S3 checks that it can reach the destination when the notification configuration is written, which is why the error surfaces on PutBucketNotificationConfiguration rather than later when an object event is delivered.
Official documentation
https://docs.aws.amazon.com/lambda/latest/dg/with-s3-example.html#with-s3-example-create-permissions
Solution
- Add a resource-based policy statement to the Lambda function with the AWS CLI: `aws lambda add-permission --function-name my-function --statement-id s3-invoke --principal s3.amazonaws.com --action lambda:InvokeFunction --source-arn arn:aws:s3:::my-bucket --source-account 123456789012`. Keep both `--source-arn` and `--source-account`: they pin the grant to this bucket in your own account, so S3 cannot invoke the function on behalf of a bucket in someone else's account (the confused-deputy case).
- Use AWS CloudTrail to locate the exact AccessDenied event: `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=PutBucketNotificationConfiguration --region us-east-1`. The event's errorCode and errorMessage show whether the denial was raised by S3 or by Lambda.
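As an added example (not code from this page or from AWS), the following Python script checks the output of `aws lambda get-policy` offline for the grant that the add-permission command above creates: an Allow statement for the s3.amazonaws.com service principal on lambda:InvokeFunction whose conditions pin aws:SourceArn to the bucket and aws:SourceAccount to the account. The function ARN and the three policy documents are constructed for the example. A grant that is present but unscoped is reported as not OK, because it would let S3 invoke the function on behalf of any bucket in any account.

```python
"""Offline check of a Lambda resource-based policy for the S3 invoke grant.

Added example, not the page author's or AWS's code. Parses the JSON printed by
`aws lambda get-policy --function-name my-function` (the Policy field is itself
a JSON-encoded string). Sample policy documents are constructed; the function
ARN is assumed.
"""
import json
from fnmatch import fnmatch

LAMBDA_ARN = "arn:aws:lambda:us-east-1:123456789012:function:my-function"  # assumed
BUCKET_ARN = "arn:aws:s3:::my-bucket"
ACCOUNT_ID = "123456789012"


def _fake_get_policy(condition=None):
    """Constructed stand-in for `aws lambda get-policy` output: one Allow
    statement for the S3 service principal, with the given Condition (or none)."""
    stmt = {"Sid": "s3-invoke", "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "lambda:InvokeFunction", "Resource": LAMBDA_ARN}
    if condition is not None:
        stmt["Condition"] = condition
    policy = {"Version": "2012-10-17", "Id": "default", "Statement": [stmt]}
    return json.dumps({"Policy": json.dumps(policy), "RevisionId": "constructed"})


# What the add-permission command in the Solution section produces (IAM
# writes the condition keys as AWS:SourceArn / AWS:SourceAccount).
GET_POLICY_OK = _fake_get_policy({
    "StringEquals": {"AWS:SourceAccount": ACCOUNT_ID},
    "ArnLike": {"AWS:SourceArn": BUCKET_ARN},
})
# Grant exists but is pinned to a different bucket.
GET_POLICY_WRONG_BUCKET = _fake_get_policy({
    "StringEquals": {"AWS:SourceAccount": ACCOUNT_ID},
    "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::other-bucket"},
})
# No Condition at all: S3 could invoke the function for any bucket in any
# account (confused deputy), so the checker refuses it.
GET_POLICY_UNSCOPED = _fake_get_policy()


def _as_list(value):
    """IAM accepts a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_values(statement, operator_prefix, key):
    """Values for a condition key (matched case-insensitively, as IAM does)
    under operators starting with operator_prefix, e.g. 'Arn' or 'String'."""
    values = []
    for operator, pairs in statement.get("Condition", {}).items():
        if operator.startswith(operator_prefix):
            for k, v in pairs.items():
                if k.lower() == key.lower():
                    values.extend(_as_list(v))
    return values


def check_s3_invoke_grant(get_policy_output, bucket_arn, account_id):
    """Return (ok, reasons). ok is True only if an Allow statement grants the
    S3 service principal lambda:InvokeFunction AND its conditions pin the
    source to bucket_arn and account_id. A wildcard Principal ("*") is not
    accepted as a substitute for the service principal."""
    policy = json.loads(json.loads(get_policy_output)["Policy"])
    reasons = []
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action"))
        if (stmt.get("Effect") != "Allow"
                or "s3.amazonaws.com" not in services
                or not any(a in ("lambda:InvokeFunction", "lambda:*", "*") for a in actions)):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        arn_patterns = _condition_values(stmt, "Arn", "aws:SourceArn")
        accounts = _condition_values(stmt, "String", "aws:SourceAccount")
        problems = []
        if not any(fnmatch(bucket_arn, p) for p in arn_patterns):
            problems.append(f"{sid}: aws:SourceArn does not cover {bucket_arn} (got {arn_patterns})")
        if account_id not in accounts:
            problems.append(f"{sid}: no aws:SourceAccount condition pinning {account_id}")
        if not problems:
            return True, [f"{sid}: s3.amazonaws.com may invoke the function for {bucket_arn}"]
        reasons.extend(problems)
    if not reasons:
        reasons.append("no Allow statement grants s3.amazonaws.com lambda:InvokeFunction")
    return False, reasons


if __name__ == "__main__":
    # For a live function, feed in the real CLI output instead:
    #   aws lambda get-policy --function-name my-function > policy.json
    for label, doc in [("correct", GET_POLICY_OK), ("wrong bucket", GET_POLICY_WRONG_BUCKET),
                       ("unscoped", GET_POLICY_UNSCOPED)]:
        ok, reasons = check_s3_invoke_grant(doc, BUCKET_ARN, ACCOUNT_ID)
        print(f"{label}: {'OK' if ok else 'NOT OK'}", *reasons, sep="\n    ")
```

Note that when the function has no resource-based policy at all, `aws lambda get-policy` fails with ResourceNotFoundException instead of returning a document; that case is the "policy missing" root cause above and needs the add-permission call rather than this check.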
Failed attempts
Common but ineffective approaches:
- 90% fail: adding or editing an S3 bucket policy. Bucket policies control access to the bucket itself, not who may invoke the Lambda function; the grant must be in the Lambda function's resource-based policy.
- 70% fail: deleting and recreating the notification configuration. This does not change the underlying permission, so the same error recurs as long as the Lambda policy is missing.