How can I allow a specific Lambda function to access a particular S3 bucket in the serverless.yml?
For example, I am porting file upload functionality to Lambda by using Serverless. To upload a file to a particular S3 bucket, I need to allow the Lambda function to access that S3 bucket. How can I do this in the serverless.yml?
To set ACL permissions for a bucket: sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/ . In the Buckets list, choose the name of the bucket that you want to set permissions for. Choose Permissions. Under Access control list, choose Edit.
Yes it is absolutely possible! Make sure that you give your Lambda function the required write permissions to the target s3 bucket / key path by selecting or updating the IAM Role your lambda executes under.
You can also use resource-based policies to grant invoke permission to an AWS service that invokes a function in response to activity in your account. Open the Functions page of the Lambda console. Choose a function. Choose Configuration and then choose Permissions.
1. Create an AWS Identity and Access Management (IAM) role for the Lambda function that also grants access to the S3 bucket.
2. Set the IAM role as the Lambda function's execution role.
3. Verify that the bucket policy grants access to the Lambda function's execution role.
If the IAM role and the bucket are in different accounts, then you need to grant Amazon S3 permissions on both the IAM role and the bucket policy. Create an IAM role (execution role) for the Lambda function that also grants access to the S3 bucket.
There are times where you want to access your S3 objects from Lambda executions. It's a pretty simple process to set up, and I'll walk us through the process from start to finish. To begin, we want to create a new IAM role that allows for Lambda execution and read-only access to S3.
Enter a resource-based IAM policy that grants access to your S3 bucket. For more information, see Using resource-based policies for AWS Lambda. Important: Replace "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET/*" with your S3 bucket's Amazon Resource Name (ARN).
From Serverless Framework - AWS Lambda Guide - IAM:
To add specific rights to this service-wide Role, define statements in provider.iamRoleStatements which will be merged into the generated policy.

```yaml
service: new-service
provider:
  name: aws
  iam:
    role:
      statements:
        - Effect: 'Allow'
          Action:
            - 's3:ListBucket'
          Resource:
            Fn::Join:
              - ''
              - - 'arn:aws:s3:::'
                - Ref: ServerlessDeploymentBucket
        - Effect: 'Allow'
          Action:
            - 's3:PutObject'
          Resource:
            Fn::Join:
              - ''
              - - 'arn:aws:s3:::'
                - Ref: ServerlessDeploymentBucket
                - '/*'
```
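The documentation snippet above grants rights on ServerlessDeploymentBucket, which is the bucket the framework creates for its own deployment artifacts, not the bucket the question wants to upload files into. The following serverless.yml is an added example written for this page (not from the Serverless docs or the original answer) that applies the same pattern to a dedicated upload bucket declared in the service's resources section. The service name, handler and bucket logical ID are assumptions; note that the role is still service-wide, so every function in the service receives these statements.

```yaml
service: file-upload                # assumed service name
provider:
  name: aws
  runtime: python3.9                # assumption: any supported runtime works here
  iam:
    role:
      statements:
        # Over-broad form to avoid: any S3 action on every bucket in the account.
        # - Effect: Allow
        #   Action: 's3:*'
        #   Resource: '*'

        # Bucket-level action: ListBucket is evaluated against the bucket ARN
        # itself, so the resource must NOT carry a trailing "/*".
        - Effect: Allow
          Action:
            - s3:ListBucket
          Resource:
            Fn::GetAtt: [UploadBucket, Arn]

        # Object-level action: PutObject is evaluated against object ARNs, so
        # the resource is "<bucket ARN>/<key pattern>". Limiting the key pattern
        # to an "uploads/" prefix keeps the function from writing anywhere else
        # in the bucket.
        - Effect: Allow
          Action:
            - s3:PutObject
          Resource:
            Fn::Join:
              - ''
              - - Fn::GetAtt: [UploadBucket, Arn]
                - '/uploads/*'

functions:
  upload:
    handler: handler.upload         # assumed handler module and function
    environment:
      # Ref on an AWS::S3::Bucket returns the bucket name, so the handler
      # never needs the name hard-coded.
      UPLOAD_BUCKET:
        Ref: UploadBucket

resources:
  Resources:
    UploadBucket:                   # assumed logical ID, referenced above
      Type: AWS::S3::Bucket
      Properties:
        PublicAccessBlockConfiguration:
          BlockPublicAcls: true
          BlockPublicPolicy: true
          IgnorePublicAcls: true
          RestrictPublicBuckets: true
```

After `serverless deploy`, the generated execution role carries exactly these two statements in addition to the logging permissions the framework adds by default; if the function only ever writes and never needs to enumerate keys, the s3:ListBucket statement can be dropped as well.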