I currently have a lambda that uses the node sdk call listObjectVersions to list all the versions of a specific file. However, I can't figure out what permission in my policy will grant the lambda permission to make this call. I've searched the AWS documentation and I can not find any information.
Here are the current permissions in my policy:
- PolicyName: S3Policy
  PolicyDocument:
    Version: 2012-10-17
    Statement:
      - Effect: Allow
        Action:
          - s3:PutObject
          - s3:PutObjectAcl
          - s3:GetObject
          - s3:GetObjectVersion
          - s3:ListObjectVersions
          - s3:DeleteObject
          - s3:ListBucket
When I execute the lambda I get an Access Denied when making the call. I've changed my policy to allow the action s3:* and the lambda works. However, I do not want to grant full access to s3. What Action do I need to add to allow?
From Actions, Resources, and Condition Keys for Amazon S3 - AWS Identity and Access Management:
ListBucketVersions: Use the versions subresource to list metadata about all of the versions of objects in a bucket.
I tested this as follows:
aws s3api list-object-versions --bucket my-bucket
It worked successfully.
The policy was:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListBucketVersions",
            "Resource": "*"
        }
    ]
}
So, while the naming seems a bit strange (List Object Versions vs List Bucket Versions), it is the correct permission to use.
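The mismatch between the SDK operation name (ListObjectVersions) and the IAM action that authorizes it (s3:ListBucketVersions) is easy to miss in a policy review. As an added example, not code from the original question or answer, the script below maps the S3 API calls named on this page to their IAM actions and reports which actions a policy document still lacks; it checks only the Action side of each statement (Resource and Condition are assumed to be out of scope), and the small API-to-action table is my own.

```python
"""Check whether an IAM policy grants the action an S3 API call needs.

Added example, not from the original post. The mapping covers only the S3
API operations named on this page; the IAM action is not always the same
name as the API operation, which is the trap in the question.
"""
import fnmatch

# S3 API operation (SDK / CLI name) -> IAM action that authorizes it.
API_TO_IAM_ACTION = {
    "ListObjectVersions": "s3:ListBucketVersions",  # the mismatch in the question
    "ListObjectsV2": "s3:ListBucket",
    "GetObject": "s3:GetObject",
    "PutObject": "s3:PutObject",
    "DeleteObject": "s3:DeleteObject",
}


def _as_list(value):
    """IAM allows a string or a list for Action; normalize to a list."""
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def policy_allows(policy, iam_action):
    """True if some Allow statement matches and no Deny statement does."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(p, iam_action) for p in _as_list(stmt["Action"])):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny always wins
        allowed = True
    return allowed


def missing_actions(policy, api_calls):
    """IAM actions that must be added so every listed S3 API call is allowed."""
    needed = {API_TO_IAM_ACTION[call] for call in api_calls}
    return sorted(a for a in needed if not policy_allows(policy, a))


# The question's policy, transcribed from its YAML. s3:ListObjectVersions is
# not an IAM action S3 checks, so it grants nothing for the SDK call.
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject",
               "s3:GetObjectVersion", "s3:ListObjectVersions",
               "s3:DeleteObject", "s3:ListBucket"]}]}

if __name__ == "__main__":
    print(missing_actions(QUESTION_POLICY, ["ListObjectVersions", "GetObject"]))
    # -> ['s3:ListBucketVersions']
```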