Hello,
From the error, it seems like you may not have sufficient permissions to access the object ‘python.zip’ from the S3 bucket (masked as ‘xxxx-nprd-xxxx-xxx-xxxxx-us-east-2’) while trying to create the Lambda layer resource in CloudFormation.
As you may already be aware, there could be multiple possible reasons for encountering the 403 Access Denied error: it may be due to missing IAM permissions, or the request may also be getting denied from S3’s end. There is a detailed article [1] on troubleshooting and fixing the S3 Access Denied errors.
That being said, as the first step, I believe you should verify the permissions of the IAM user/entity which is being used to create/update the CloudFormation stack. This is because, while creating the Lambda layer resource, the Lambda execution role specified in the template is not used to fetch the object from S3, and hence you would need to verify the permissions of the IAM user/entity creating the Lambda layer from outside the template (i.e. possibly from the IAM console).
Additionally, ‘GetLayerVersion’ API is specified to use a Lambda function with a layer. For functions in your AWS account, you can add this permission from your user policy on the layer version. Please check the following documentation [2] for more information depending on your use case to better understand the usage of GetLayerVersion.
Therefore, to fix the Access Denied errors, I believe you would first need to ensure that the IAM entity responsible for creating the Lambda layer resource has the ‘s3:GetObject’ permission, or if that is fine, I would suggest you check the points listed in article [1] for troubleshooting the error from S3’s end.
Thank you!
REFERENCES:
[1] https://aws.amazon.com/premiumsupport/knowledge-center/s3-troubleshoot-403/
[2] https://docs.aws.amazon.com/lambda/latest/dg/invocation-layers.html#invocation-layers-permissions
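
The following is an added example, not part of the answer above and not AWS code: an offline sketch for checking whether an identity policy document allows `s3:GetObject` on the layer object, including the case where the grant names the bucket ARN instead of the object ARN. The bucket name `example-bucket`, the sample policies and the function names are constructed; the sketch models only `Effect`, `Action` and `Resource` in a single identity policy and ignores conditions, bucket policies, permissions boundaries and SCPs.

```python
import re

ACTION = "s3:GetObject"
# Constructed placeholder ARN; the real bucket name is masked in the post.
OBJECT_ARN = "arn:aws:s3:::example-bucket/python.zip"

def _glob(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _any(patterns, value, ignore_case=False):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(_glob(p, value, ignore_case) for p in patterns)

def evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one identity policy."""
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    decision = "ImplicitDeny"
    for st in statements:
        if {"Condition", "NotAction", "NotResource"} & st.keys():
            raise ValueError("statement uses elements this sketch does not model")
        # Action names are case-insensitive; resource ARNs are not.
        if _any(st["Action"], action, True) and _any(st["Resource"], resource):
            if st["Effect"] == "Deny":
                return "Deny"  # an explicit Deny always wins
            decision = "Allow"
    return decision

# Constructed sample policies.
BUCKET_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket"}]}  # bucket ARN, no object path
OBJECT_SCOPED = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["s3:getobject"], "Resource": OBJECT_ARN}}
WITH_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:Get*",
     "Resource": "arn:aws:s3:::example-bucket/*"}]}

if __name__ == "__main__":
    for name, pol in [("bucket-only", BUCKET_ONLY),
                      ("object-scoped", OBJECT_SCOPED),
                      ("allow-plus-deny", WITH_DENY)]:
        print(name, evaluate(pol, ACTION, OBJECT_ARN))
```

An `ImplicitDeny` result points at a missing or mis-scoped grant in the deploying entity's policy, while `Allow` here means the remaining causes in article [1] still need to be ruled out.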