Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

S3 Policy to Allow Lambda

Tags:

amazon-web-services

amazon-s3

aws-lambda

aws-sdk

I have the following policy on an S3 bucket created with the AWS policy generator to allow a lambda, running with a specific role, access to the files in the bucket. However, when I execute the Lambda, I get 403 permission denied:

"errorMessage": "Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: <requestId>)",   "errorType": "com.amazonaws.services.s3.model.AmazonS3Exception",

The Policy on the S3 bucket:

{ "Version": "2012-10-17", "Id": "Policy<number>", "Statement": [     {         "Sid": "Stmt<number>",         "Effect": "Allow",         "Principal": {             "AWS": "arn:aws:iam::<account>:role/<roleName>"         },         "Action": "s3:*",         "Resource": "arn:aws:s3:::<bucketName>/*"     } ] }

What is wrong with the policy? The Lamba is running with the role configured in the policy.

like image 985
FiguringThisOut Avatar asked Jul 24 '17 13:07

FiguringThisOut

People also ask

How do I grant Lambda access to S3 bucket?

In order to grant a Lambda function access to an S3 Bucket, we have to attach an IAM policy to the function's execution role. The policy should grant permissions for all the Actions the function needs to perform on the specified bucket.

How do you grant permission to Lambda?

You can also use resource-based policies to grant invoke permission to an AWS service that invokes a function in response to activity in your account. Open the Functions page of the Lambda console. Choose a function. Choose Configuration and then choose Permissions.

Can S3 invoke Lambda?

You can use Lambda to process event notifications from Amazon Simple Storage Service. Amazon S3 can send an event to a Lambda function when an object is created or deleted.

2 Answers

A role assigned to an AWS Lambda function should be created with an AWS Lambda role (that is selected when creating a Role in the IAM console).

Roles do not have a Principal since the permissions are assigned to whichever service (in this case, Lambda function) is using the role.

Also, you should assign permissions on the bucket itself (e.g. to list contents) and on the contents of the bucket (e.g. to GetObject).

It would be something like this:

{     "Version": "2012-10-17",     "Statement": [         {             "Sid": "AllowS3Access",             "Effect": "Allow",             "Principal": {                 "AWS": "arn:aws:iam::123XXX:role/service-role/LAMBDA_ROLE_NAME"             },             "Action": [                 "s3:*"             ],             "Resource": [                 "arn:aws:s3:::my-bucket",                 "arn:aws:s3:::my-bucket/*"             ]         }     ] }
like image 123
John Rotenstein Avatar answered Oct 09 '22 09:10

John Rotenstein

After looping for I while i could make it work, the process is:

  1. create the s3 bucket.
  2. create the IAM policy (bucket name needed)
  3. Create IAM role (IAM policy needed)
  4. Create lambda Function (IAM Role needed)
  5. Create s3 bucket policy (lambda function name needed)

IAM Policy:

 { "Version": "2012-10-17", "Statement": [     {         "Sid": "Stmt*******",         "Effect": "Allow",         "Action": [             "s3:PutObject",             "s3:PutObjectAcl",             "s3:PutObjectTagging",             "s3:PutObjectVersionAcl",             "s3:PutObjectVersionTagging"         ],         "Resource": [             "arn:aws:s3:::<bucket-name>"         ]     } ] }

and I use this policy on the s3 Bucket

{ "Id": "Policy************", "Version": "2012-10-17", "Statement": [ {   "Sid": "Stmt********",   "Action": [     "s3:PutObject",     "s3:PutObjectAcl",     "s3:PutObjectTagging",     "s3:PutObjectVersionAcl",     "s3:PutObjectVersionTagging"   ],   "Effect": "Allow",   "Resource": "arn:aws:s3:::<bucket-name>/*",   "Principal": {     "AWS": [       "arn:aws:iam::*********:role/<lambda-function-name>"           ]           }         }      ] }
like image 31
Cristian Sepulveda Avatar answered Oct 09 '22 07:10

Cristian Sepulveda
Sign in to Comment

Related questions

What is difference between AWS PrivateLink and VPC Peering?
docker run mongo image on a different port
Any AWS EB Laravel route getting 404 Not Found nginx/1.16.1
AWS Postgres DB "does not exist" when connecting with PG
How to read a csv file from an s3 bucket using Pandas in Python
On Amazon EC2, will the Spot Instance price ever be higher than the On-Demand Price?
Selecting other branch instead of master as a source repository on AWS CodeBuild
Amazon Route 53 - what do Hosted Zones and Queries mean exactly?
Amazon AWS: How to get details of terminated EC2 instance from instance id
Custom headers on Amazon S3
Visualize DynamoDB data in AWS Quicksight
AWS - Cloud formation Script to create S3 bucket and Distribution
How can I be alerted when an EBS instance is running out of space?
Fetching AWS instance metadata from within Docker container?
Permissions to access ElasticSearch from Lambda?
How to setup bastion host or Jumpbox in AWS?
Amazon S3 Expiration Date?
Could not connect to Redis node on aws
How does `aws s3 sync` determine if a file has been updated?
toomanyrequests: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!