Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

Accessing S3 bucket from Lambda

1

Hi, I am trying to write to S3 bucket from a Lambda function after setting up the required permissions & roles but I am getting the below error:

"errorMessage": "An error occurred (AccessDenied) when calling the PutObject operation: Access Denied",

Below is my policy file and I have assigned the associated role in Lambda function execution role. Any pointers on what I am missing here, would be really helpful. Thanks.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "s3:PutAnalyticsConfiguration", "s3:PutAccessPointConfigurationForObjectLambda", "s3:GetObjectVersionTagging", "s3:DeleteAccessPoint", "s3:CreateBucket", "s3:DeleteAccessPointForObjectLambda", "s3:GetStorageLensConfigurationTagging", "s3:ReplicateObject", "s3:GetObjectAcl", "s3:GetBucketObjectLockConfiguration", "s3:DeleteBucketWebsite", "s3:GetIntelligentTieringConfiguration", "s3:PutLifecycleConfiguration", "s3:GetObjectVersionAcl", "s3:DeleteObject", "s3:CreateMultiRegionAccessPoint", "s3:GetBucketPolicyStatus", "s3:GetObjectRetention", "s3:GetBucketWebsite", "s3:GetJobTagging", "s3:GetMultiRegionAccessPoint", "s3:PutReplicationConfiguration", "s3:GetObjectAttributes", "s3:PutObjectLegalHold", "s3:InitiateReplication", "s3:GetObjectLegalHold", "s3:GetBucketNotification", "s3:PutBucketCORS", "s3:DescribeMultiRegionAccessPointOperation", "s3:GetReplicationConfiguration", "s3:PutObject", "s3:GetObject", "s3:PutBucketNotification", "s3:DescribeJob", "s3:PutBucketLogging", "s3:GetAnalyticsConfiguration", "s3:PutBucketObjectLockConfiguration", "s3:GetObjectVersionForReplication", "s3:GetAccessPointForObjectLambda", "s3:GetStorageLensDashboard", "s3:CreateAccessPoint", "s3:GetLifecycleConfiguration", "s3:GetInventoryConfiguration", "s3:GetBucketTagging", "s3:PutAccelerateConfiguration", "s3:GetAccessPointPolicyForObjectLambda", "s3:DeleteObjectVersion", "s3:GetBucketLogging", "s3:RestoreObject", "s3:GetAccelerateConfiguration", "s3:GetObjectVersionAttributes", "s3:GetBucketPolicy", "s3:PutEncryptionConfiguration", "s3:GetEncryptionConfiguration", "s3:GetObjectVersionTorrent", "s3:AbortMultipartUpload", "s3:GetBucketRequestPayment", "s3:GetAccessPointPolicyStatus", "s3:UpdateJobPriority", "s3:GetObjectTagging", "s3:GetMetricsConfiguration", "s3:GetBucketOwnershipControls", "s3:DeleteBucket", "s3:PutBucketVersioning", "s3:GetBucketPublicAccessBlock", "s3:GetMultiRegionAccessPointPolicyStatus", "s3:PutIntelligentTieringConfiguration", "s3:GetMultiRegionAccessPointPolicy", "s3:GetAccessPointPolicyStatusForObjectLambda", "s3:PutMetricsConfiguration", "s3:PutBucketOwnershipControls", "s3:DeleteMultiRegionAccessPoint", "s3:UpdateJobStatus", "s3:GetBucketVersioning", "s3:GetBucketAcl", "s3:GetAccessPointConfigurationForObjectLambda", "s3:PutInventoryConfiguration", "s3:GetObjectTorrent", "s3:GetStorageLensConfiguration", "s3:DeleteStorageLensConfiguration", "s3:PutBucketWebsite", "s3:PutBucketRequestPayment", "s3:PutObjectRetention", "s3:CreateAccessPointForObjectLambda", "s3:GetBucketCORS", "s3:GetBucketLocation", "s3:GetAccessPointPolicy", "s3:ReplicateDelete", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::<my-bukcet-name>" }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "s3:GetAccessPoint", "s3:GetAccountPublicAccessBlock", "s3:PutStorageLensConfiguration", "s3:CreateJob" ], "Resource": "*" } ] } Regards, dbeings

Temas
Sin servidorCálculoSeguridad, identidad y cumplimiento
Etiquetas
AWS LambdaPolíticas de IAM
Idioma
English
dbeing
preguntada hace 2 años1272 visualizaciones
1 Respuesta
1
Respuesta aceptada

Hi. To start, this seems like way too many permissions that your Lambda function does not need. At all.I would encourage you to remove 90% of the permissions that are set here.

With that said, assuming your policy does not actually read <my-bucket-name> in the resource, two things: For bucket level actions, having arn:aws:s3:::<bucket-name> is fine, but for objects, you need to indicate the path. For example, for all objects in the bucket, you would have arn:aws:s3:::<bucket-name>/*

Also note that if you are encrypting files in the bucket with a CMK (a KMS key that you created manually yourself, not the aws/s3 one), you need to provide the services (lambda, scripts etc.) also with access to that KMS key in order to manipulate the encryption of the files (encrypt or decrypt or both).

Hope this helps.

profile picture
JohnPreston
respondido hace 2 años
  • dbeing
    hace 2 años

    Thanks a lot. Adding object level permission to resource fixed this as below:

    "Resource": [ "arn:aws:s3:::<my-bucket-name>", "arn:aws:s3:::<my-bucket-name>/*" ]

    On broad level of permissions, these are auto-generated when I selected read and write permission on the console for Lambda access to S3. Thanks, will check on this.

    Regards, dbeing

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante