I have the following policy on an S3 bucket created with the AWS policy generator to allow a lambda, running with a specific role, access to the files in the bucket. However, when I execute the Lambda, I get 403 permission denied:
"errorMessage": "Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: <requestId>)", "errorType": "com.amazonaws.services.s3.model.AmazonS3Exception",
The Policy on the S3 bucket:
{
  "Version": "2012-10-17",
  "Id": "Policy<number>",
  "Statement": [
    {
      "Sid": "Stmt<number>",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account>:role/<roleName>"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::<bucketName>/*"
    }
  ]
}
What is wrong with the policy? The Lambda is running with the role configured in the policy.
In order to grant a Lambda function access to an S3 Bucket, we have to attach an IAM policy to the function's execution role. The policy should grant permissions for all the Actions the function needs to perform on the specified bucket.
You can also use resource-based policies to grant invoke permission to an AWS service that invokes a function in response to activity in your account. Open the Functions page of the Lambda console. Choose a function. Choose Configuration and then choose Permissions.
You can use Lambda to process event notifications from Amazon Simple Storage Service. Amazon S3 can send an event to a Lambda function when an object is created or deleted.
A role assigned to an AWS Lambda function should be created with an AWS Lambda role (that is selected when creating a Role in the IAM console).
Roles do not have a Principal since the permissions are assigned to whichever service (in this case, Lambda function) is using the role.
Also, you should assign permissions on the bucket itself (e.g. to list contents) and on the contents of the bucket (e.g. to GetObject).
It would be something like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3Access",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123XXX:role/service-role/LAMBDA_ROLE_NAME"
      },
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}
After looping for a while I could make it work. The process is:
IAM Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt*******",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:PutObjectTagging",
        "s3:PutObjectVersionAcl",
        "s3:PutObjectVersionTagging"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket-name>"
      ]
    }
  ]
}
and I use this policy on the S3 bucket:
{
  "Id": "Policy************",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt********",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:PutObjectTagging",
        "s3:PutObjectVersionAcl",
        "s3:PutObjectVersionTagging"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::<bucket-name>/*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::*********:role/<lambda-function-name>"
        ]
      }
    }
  ]
}
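As an added example (not code from any answer in this thread), a small Python linter for the two policy types the answers above distinguish: it flags a Principal in a policy attached to the role, a missing Principal in a bucket policy, and S3 actions whose Resource is the wrong ARN form (object actions such as s3:PutObject on the bare bucket ARN, bucket actions such as s3:ListBucket on `/*` only). The sample policies, account id and role name are constructed.

```python
import json

# S3 actions grouped by the ARN form they apply to: object actions need
# arn:aws:s3:::<bucket>/*, bucket-level actions need the bare arn:aws:s3:::<bucket>.
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl",
                  "s3:PutObjectTagging", "s3:GetObjectVersion"}
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}

def _as_list(value):
    # IAM accepts either a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]

def lint_s3_policy(policy_json, kind):
    """Return findings for a policy document. kind is "bucket" (resource-based policy
    on the bucket, which needs a Principal) or "identity" (attached to the role, no Principal)."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        if kind == "identity" and "Principal" in stmt:
            findings.append(f"{sid}: a policy attached to a role must not have a Principal")
        if kind == "bucket" and "Principal" not in stmt:
            findings.append(f"{sid}: a bucket policy statement needs a Principal")
        actions = set(_as_list(stmt.get("Action", [])))
        if "s3:*" in actions:  # the wildcard covers both bucket- and object-level actions
            actions |= OBJECT_ACTIONS | BUCKET_ACTIONS
        s3_paths = [r.split(":::", 1)[1] for r in _as_list(stmt.get("Resource", []))
                    if r.startswith("arn:aws:s3:::")]
        if actions & OBJECT_ACTIONS and not any("/" in p for p in s3_paths):
            findings.append(f"{sid}: object actions need an object ARN (arn:aws:s3:::<bucket>/*)")
        if actions & BUCKET_ACTIONS and not any("/" not in p for p in s3_paths):
            findings.append(f"{sid}: bucket actions need the bucket ARN (arn:aws:s3:::<bucket>)")
    return findings

# Constructed samples modelled on the policies in this thread (account id and names are made up).
QUESTION_BUCKET_POLICY = '''{"Version": "2012-10-17", "Statement": [{"Sid": "Stmt1", "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:role/lambda-role"},
  "Action": "s3:*", "Resource": "arn:aws:s3:::my-bucket/*"}]}'''
FIXED_BUCKET_POLICY = '''{"Version": "2012-10-17", "Statement": [{"Sid": "AllowS3Access", "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:role/lambda-role"},
  "Action": ["s3:*"], "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]}]}'''
ROLE_POLICY_BUCKET_ARN_ONLY = '''{"Version": "2012-10-17", "Statement": [{"Sid": "Stmt2", "Effect": "Allow",
  "Action": ["s3:PutObject", "s3:PutObjectAcl"], "Resource": ["arn:aws:s3:::my-bucket"]}]}'''

if __name__ == "__main__":
    for name, pol, kind in [("question's bucket policy", QUESTION_BUCKET_POLICY, "bucket"),
                            ("fixed bucket policy", FIXED_BUCKET_POLICY, "bucket"),
                            ("role policy, bucket ARN only", ROLE_POLICY_BUCKET_ARN_ONLY, "identity")]:
        print(name, "->", lint_s3_policy(pol, kind) or ["ok"])
```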