Menu
I'm sure I've set up my Lambda to have read/write access to the private bucket; more specifically, my lambda will execute s3.headObject and s3.upload. What am I missing to get this to work?
My Lambda's policy:
{
"Statement": [
{
"Resource": "arn:aws:logs:us-east-1:*:*",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow"
},
{
"Resource": "arn:aws:s3:::PRIVATE_BUCKET/folder_name/*",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow"
}
],
"Version": "2012-10-17"
}
My S3 buckets policy:
{
"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "Bucket that is read-accessible internally",
"Parameters" : {
"Environment" : {
"Description" : "dev",
"Type" : "String",
"Default" : "dev",
"AllowedValues" : [ "dev" ]
}
},
"Resources" : {
"PrivateBucket" : {
"Type" : "AWS::S3::Bucket",
"DeletionPolicy" : "Retain",
},
"PrivateBucketPolicy" : {
"Type" : "AWS::S3::BucketPolicy",
"Properties" : {
"PolicyDocument" : {
"Id" : "Make anonymous read-only access available on certain networks",
"Statement" : [
{
"Sid" : "IPAllow",
"Effect" : "Allow",
"Principal" : {
"AWS" : "*"
},
"Action" : [
"s3:ListBucket",
"s3:GetObject"
],
"Resource" : [
{ "Fn::Join" : [ "", [ "arn:aws:s3:::", { "Ref" : "PrivateBucket" } ] ] },
{ "Fn::Join" : [ "", [ "arn:aws:s3:::", { "Ref" : "PrivateBucket" }, "/*" ] ] }
],
"Condition" : {
"IpAddress" : {
"aws:SourceIp" : [
"ip/cid/r",
"ip/cid/r",
"ip/cid/r",
"ip/cid/r",
"ip/cid/r"
]
}
}
}
]
},
"Bucket" : { "Ref" : "PrivateBucket" }
}
}
}
}
830
The "403 Access Denied" error can occur due to the following reasons: Your AWS Identity and Access Management (IAM) user or role doesn't have permissions for both s3:GetBucketPolicy and s3:PutBucketPolicy. The bucket policy denies your IAM identity permission for s3:GetBucketPolicy and s3:PutBucketPolicy.
If the permissions between a Lambda function and an Amazon S3 bucket are incomplete or incorrect, then Lambda returns an Access Denied error.
see doc http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectHEAD.html
If you have the s3:ListBucket permission on the bucket, Amazon S3 will return a HTTP status code 404 ("no such key") error.
If you don’t have the s3:ListBucket permission, Amazon S3 will return a HTTP status code 403 ("access denied") error.
my code was trying to run headobject on a nonexistent item; so the error that i got was "forbidden" which was correct, since i didnt have the listbucket permission for neither the s3 bucket nor the lambda...
180
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
