AWS Lambda + S3 + SES + Gmail转发：'copyObject（）返回错误：'

Question

我完全按照您在https://github.com/arithmetric/aws-lambda-ses-forwarder上详细说明的内容，但被卡住了。没有任何Google搜索或没有选择的选项都有帮助。客户即将终止合同 - 我们一直坚持这个错误太久。

我已验证我的域名。我可以通过我的验证地址从任何地方接收电子邮件到我指定的S3存储桶。我还将''functionArn'：xxx ...''更改为'“functionArn”：“arn：aws：lambda：us-west-2：MY-ACCOUNT-ID：function：fnForwardEmailToGmail”'

然而，接收到的电子邮件都不会被转接，当我测试使用“SES电子邮件接收”功能，我得到下面的错误。

START RequestId: 7f2cd5ed-83ea-11e7-913f-55748388c69f Version: $LATEST 
2017-08-18T07:54:44.467Z 7f2cd5ed-83ea-11e7-913f-55748388c69f { level: 'info', 
    message: 'Fetching email at s3://MY-S3-BUCKET/MY-PREFIX/o3vrnil0e2ic28fgfdstrm7dfhrc2v0clambda4nbp0g1' } 
2017-08-18T07:54:46.068Z 7f2cd5ed-83ea-11e7-913f-55748388c69f { level: 'error', 
    message: 'copyObject() returned error:', 
    error: 
    { [AccessDenied: Access Denied] 
    message: 'Access Denied', 
    code: 'AccessDenied', 
    region: null, 
    time: Fri Aug 18 2017 07:54:46 GMT+0000 (UTC), 
    requestId: 'A6285517D1AF2B9D', 
    extendedRequestId: 'dfH3csS5kHLsYN4ZgIWVliYmuVb1OgCVl6KdUSdZdqwX2T+JdkfZwIyPa5KEgYFiJfZmrwXjXDI=', 
    cfId: undefined, 
    statusCode: 403, 
    retryable: false, 
    retryDelay: 32.49475641641766 }, 
    stack: 'AccessDenied: Access Denied 
    at Request.extractError (/var/task/node_modules/aws-sdk/lib/services/s3.js:473:35) 
    at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:105:20) 
    at Request.emit (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:77:10) 
    at Request.emit (/var/task/node_modules/aws-sdk/lib/request.js:615:14) 
    at Request.transition (/var/task/node_modules/aws-sdk/lib/request.js:22:10) 
    at AcceptorStateMachine.runTo (/var/task/node_modules/aws-sdk/lib/state_machine.js:14:12) 
    at /var/task/node_modules/aws-sdk/lib/state_machine.js:26:10 
    at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:38:9) 
    at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:617:12) 
    at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:115:18)' } 
2017-08-18T07:54:46.127Z 7f2cd5ed-83ea-11e7-913f-55748388c69f {"errorMessage":"Error: Could not make readable copy of email."} 
END RequestId: 7f2cd5ed-83ea-11e7-913f-55748388c69f 
REPORT RequestId: 7f2cd5ed-83ea-11e7-913f-55748388c69f Duration: 1993.85 ms Billed Duration: 2000 ms Memory Size: 128 MB Max Memory Used: 32 MB 

LAMBDA角色功能POLICY

{ 
    "Version": "2016-03-04", 
    "Statement": [ 
     { 
      "Effect": "Allow", 
      "Action": [ 
      "logs:CreateLogGroup", 
      "logs:CreateLogStream", 
      "logs:PutLogEvents" 
      ], 
      "Resource": "arn:aws:logs:*:*:*" 
     }, 
     { 
      "Effect": "Allow", 
      "Action": "ses:SendRawEmail", 
      "Resource": "*" 
     }, 
     { 
      "Effect": "Allow", 
      "Action": [ 
      "s3:GetObject", 
      "s3:PutObject" 
      ], 
      "Resource": "arn:aws:s3:::MY-S3-BUCKET/*" 
     } 
    ] 
} 

我已经加入到我的LAMBDA作用两个托管角色“AmazonS3FullAccess”和“AmazonSESFullAccess”。

S3斗政策

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
     { 
     "Sid": "GiveSESPermissionToWriteEmail", 
     "Effect": "Allow", 
     "Principal": { 
      "Service": "ses.amazonaws.com" 
     }, 
     "Action": "s3:PutObject", 
     "Resource": "arn:aws:s3:::MY-S3-BUCKET/*", 
     "Condition": { 
      "StringEquals": { 
       "aws:Referer": "MY-ACCOUNT-ID" 
      } 
     } 
     } 
    ] 
} 

我要去哪里错了？请帮忙！

Answer 1

那copyObject()调用似乎是在S3中复制文件。您应该为您的角色添加S3权限。

Answer 2

我有同样的问题。在回顾了这里的GitHub设置指令https://github.com/arithmetric/aws-lambda-ses-forwarder#set-up之后，我注意到我的S3的IAM策略没有设置任何权限。

S3 service should have "Limited: Read, Write" access level.

您需要修改策略并确保最后有一个“/ *”。看下面的例子：

"Resource": "arn:aws:s3:::S3-BUCKET-NAME/*"