AWS Lambda can't delete Amazon S3 object

I'm trying to create an AWS Lambda function, which processes a file uploaded to the first bucket, then saves it to the second bucket and then deletes the input file.

The problem is that when I'm trying to delete the file, I'm getting

{
  "message": "Access Denied",
  "code": "AccessDenied",
  "time": "2015-02-09T22:08:45.926Z",
  "statusCode": 403,
  "retryable": false,
  "retryDelay": 30
}

The code snippet which tries to delete the file is

s3.deleteObject({
    Bucket: inputBucket,
    Key: inputKey
}, function(err, data) {
    if (err) {
        // the AccessDenied error above is what arrives here
        console.error("Error on delete");
        console.error(err);
    } else {
        console.log("Deleted successfully");
    }
});
pimezone asked Feb 09 '15 22:02

2 Answers

The possible reason why Lambda wasn't able to delete the file (S3 object) could be the Lambda's execution role.

Steps to solve this

  1. Navigate to IAM in the AWS Management Console
  2. Look up the IAM role used (or created) for the Lambda (if it is the default, it would be lambda_exec_role)
  3. Go to Attach Role Policy -> Custom Policy and add the IAM policy document below

{
  "Statement": [
    {
      "Sid": "Stmt1423535846414",
      "Action": [
        "s3:DeleteObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::*"
    }
  ]
}
Naveen Vijay answered Sep 28 '22 07:09


Go to IAM -> Roles -> <assigned-role-name> -> Permissions -> <policy-name>

Make sure your policy has the following:

{
    "Statement": [
        {
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::<my-bucket>",
                "arn:aws:s3:::<my-bucket>/*"
            ],
            "Effect": "Allow"
        }
    ]
}

Note: arn:aws:s3:::<my-bucket> is for accessing my-bucket, whereas arn:aws:s3:::<my-bucket>/* is for accessing all objects under my-bucket. They are similar but not the same. They both need to be present to ensure Lambda has full S3 access.

Hope this helps

Zico Deng answered Sep 28 '22 06:09
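Both answers come down to which Action and Resource patterns the execution role's policy contains, and the note in the second answer hinges on the bucket ARN versus the object ARN. The following is an added example, not code from the question or either answer: a small offline evaluator for policy documents of the shape shown above, plus a constructed least-privilege policy for the question's two-bucket workflow (bucket names input-bucket and output-bucket are placeholders).

```javascript
// Added example: a minimal evaluator for IAM identity policies like the two
// shown above. It models only Allow/Deny with Action and Resource wildcards;
// real IAM also evaluates conditions, resource policies, boundaries and SCPs.
// Convert an IAM wildcard pattern ("s3:*", "arn:aws:s3:::my-bucket/*") to a RegExp.
function patternToRegExp(pattern, flags) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$", flags);
}

// Action names are case-insensitive in IAM; S3 ARNs (object keys) are not.
function matchesAny(patterns, value, flags) {
  const list = Array.isArray(patterns) ? patterns : [patterns];
  return list.some((p) => patternToRegExp(p, flags).test(value));
}

// Returns "Allow", "Deny" or "ImplicitDeny" for one action on one resource ARN.
// An explicit Deny always wins; otherwise any matching Allow grants access.
function evaluate(policy, action, resourceArn) {
  let allowed = false;
  for (const stmt of policy.Statement) {
    if (!matchesAny(stmt.Action, action, "i")) continue;
    if (!matchesAny(stmt.Resource, resourceArn, "")) continue;
    if (stmt.Effect === "Deny") return "Deny";
    if (stmt.Effect === "Allow") allowed = true;
  }
  return allowed ? "Allow" : "ImplicitDeny";
}

// Constructed least-privilege policy for the workflow in the question (bucket
// names are placeholders): read and delete in the input bucket, write to the
// output bucket, nothing else. Narrower than either answer's policy.
const scopedPolicy = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: ["s3:GetObject", "s3:DeleteObject"],
      Resource: "arn:aws:s3:::input-bucket/*" },
    { Effect: "Allow", Action: "s3:PutObject",
      Resource: "arn:aws:s3:::output-bucket/*" },
  ],
};
// Policy naming only the bucket ARN (no "/*"): object-level calls such as
// DeleteObject do not match it, which is the point of the second answer's note.
const bucketOnlyPolicy = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: "s3:*", Resource: "arn:aws:s3:::input-bucket" }],
};
```

Run it against the role's actual policy document before deploying; an "ImplicitDeny" for s3:DeleteObject on the input object ARN is exactly the 403 the question shows.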