Docker container image Lambda setting S3 permissions


Hi, I have a Docker container image Lambda that needs to download a file from S3 and process it; this is the relevant part of the code:

import boto3

# No explicit credentials: boto3 picks up the Lambda execution role
s3 = boto3.client('s3', region_name="us-east-2")
# bucket, key_file and local_file are set earlier in the handler
s3.download_file(Bucket=bucket, Key=key_file, Filename=local_file)
# --> Process the file <-- #

I create a role and a trust policy, and attach them to the lambda:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*",
                "s3-object-lambda:*"
            ],
            "Resource": "*"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

And I'm getting the error:

[ERROR] ClientError: An error occurred (400) when calling the HeadObject operation: Bad Request

But when I add user credentials directly in the code (like the next lines of code), it works well.

import os

s3 = boto3.client(
    's3',
    region_name="us-east-2",
    aws_access_key_id=os.environ.get('AWS_ACCESS_KEY_ID'),
    aws_secret_access_key=os.environ.get('AWS_SECRET_ACCESS_KEY'),
)

Is there a way to solve this issue without including credentials in the code?

ilfoxo
asked 9 months ago, 544 views
1 answer

Hi, everything seems correct for what you detailed. But one last piece is missing: did you assign the role that you created as the execution role of the Lambda when you created it?

See https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html

When you run "aws lambda get-function --function-name my-function", do you see "Role" with the ARN of your role, as below?

{
    "Concurrency": {
        "ReservedConcurrentExecutions": 100
    },
    "Code": {
        "RepositoryType": "S3",
        "Location": "https://awslambda-us-west-2-tasks.s3.us-west-2.amazonaws.com/snapshots/123456789012/my-function..."
    },
    "Configuration": {
        "TracingConfig": {
            "Mode": "PassThrough"
        },
        "Version": "$LATEST",
        "CodeSha256": "5tT2qgzYUHoqwR616pZ2dpkn/0J1FrzJmlKidWaaCgk=",
        "FunctionName": "my-function",
        "VpcConfig": {
            "SubnetIds": [],
            "VpcId": "",
            "SecurityGroupIds": []
        },
        "MemorySize": 128,
        "RevisionId": "28f0fb31-5c5c-43d3-8955-03e76c5c1075",
        "CodeSize": 304,
        "FunctionArn": "arn:aws:lambda:us-west-2:123456789012:function:my-function",
        "Handler": "index.handler",
        "Role": "arn:aws:iam::123456789012:role/service-role/helloWorldPython-role-uy3l9qyq",
        "Timeout": 3,
        "LastModified": "2019-09-24T18:20:35.054+0000",
        "Runtime": "nodejs10.x",
        "Description": ""
    }
}

Best,

Didier

AWS EXPERT
answered 9 months ago
  • Hi Didier, yes. The role is assigned to the Lambda:

    aws lambda get-function --function-name Html2PdfFunction --profile generic-dev

    ...

            "FunctionName": "Html2PdfFunction",
            "FunctionArn": "arn:aws:lambda:us-east-2:XXXXXXXXXXX:function:Html2PdfFunction",
            "Role": "arn:aws:iam::XXXXXXXXXX:role/Html2Pdf-Html2PdfFunctionRole-T6K1VD2OYKDC",
            "CodeSize": 0,
            "Description": "",
            "Timeout": 300,

    ...
