Accessing S3 bucket from Lambda

1

Hi, I am trying to write to S3 bucket from a Lambda function after setting up the required permissions & roles but I am getting the below error:

"errorMessage": "An error occurred (AccessDenied) when calling the PutObject operation: Access Denied",

Below is my policy file and I have assigned the associated role in Lambda function execution role. Any pointers on what I am missing here, would be really helpful. Thanks.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "s3:PutAnalyticsConfiguration", "s3:PutAccessPointConfigurationForObjectLambda", "s3:GetObjectVersionTagging", "s3:DeleteAccessPoint", "s3:CreateBucket", "s3:DeleteAccessPointForObjectLambda", "s3:GetStorageLensConfigurationTagging", "s3:ReplicateObject", "s3:GetObjectAcl", "s3:GetBucketObjectLockConfiguration", "s3:DeleteBucketWebsite", "s3:GetIntelligentTieringConfiguration", "s3:PutLifecycleConfiguration", "s3:GetObjectVersionAcl", "s3:DeleteObject", "s3:CreateMultiRegionAccessPoint", "s3:GetBucketPolicyStatus", "s3:GetObjectRetention", "s3:GetBucketWebsite", "s3:GetJobTagging", "s3:GetMultiRegionAccessPoint", "s3:PutReplicationConfiguration", "s3:GetObjectAttributes", "s3:PutObjectLegalHold", "s3:InitiateReplication", "s3:GetObjectLegalHold", "s3:GetBucketNotification", "s3:PutBucketCORS", "s3:DescribeMultiRegionAccessPointOperation", "s3:GetReplicationConfiguration", "s3:PutObject", "s3:GetObject", "s3:PutBucketNotification", "s3:DescribeJob", "s3:PutBucketLogging", "s3:GetAnalyticsConfiguration", "s3:PutBucketObjectLockConfiguration", "s3:GetObjectVersionForReplication", "s3:GetAccessPointForObjectLambda", "s3:GetStorageLensDashboard", "s3:CreateAccessPoint", "s3:GetLifecycleConfiguration", "s3:GetInventoryConfiguration", "s3:GetBucketTagging", "s3:PutAccelerateConfiguration", "s3:GetAccessPointPolicyForObjectLambda", "s3:DeleteObjectVersion", "s3:GetBucketLogging", "s3:RestoreObject", "s3:GetAccelerateConfiguration", "s3:GetObjectVersionAttributes", "s3:GetBucketPolicy", "s3:PutEncryptionConfiguration", "s3:GetEncryptionConfiguration", "s3:GetObjectVersionTorrent", "s3:AbortMultipartUpload", "s3:GetBucketRequestPayment", "s3:GetAccessPointPolicyStatus", "s3:UpdateJobPriority", "s3:GetObjectTagging", "s3:GetMetricsConfiguration", "s3:GetBucketOwnershipControls", "s3:DeleteBucket", "s3:PutBucketVersioning", "s3:GetBucketPublicAccessBlock", "s3:GetMultiRegionAccessPointPolicyStatus", "s3:PutIntelligentTieringConfiguration", "s3:GetMultiRegionAccessPointPolicy", "s3:GetAccessPointPolicyStatusForObjectLambda", "s3:PutMetricsConfiguration", "s3:PutBucketOwnershipControls", "s3:DeleteMultiRegionAccessPoint", "s3:UpdateJobStatus", "s3:GetBucketVersioning", "s3:GetBucketAcl", "s3:GetAccessPointConfigurationForObjectLambda", "s3:PutInventoryConfiguration", "s3:GetObjectTorrent", "s3:GetStorageLensConfiguration", "s3:DeleteStorageLensConfiguration", "s3:PutBucketWebsite", "s3:PutBucketRequestPayment", "s3:PutObjectRetention", "s3:CreateAccessPointForObjectLambda", "s3:GetBucketCORS", "s3:GetBucketLocation", "s3:GetAccessPointPolicy", "s3:ReplicateDelete", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::<my-bukcet-name>" }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "s3:GetAccessPoint", "s3:GetAccountPublicAccessBlock", "s3:PutStorageLensConfiguration", "s3:CreateJob" ], "Resource": "*" } ] } Regards, dbeings

dbeing
demandé il y a 2 ans1078 vues
1 réponse
1
Réponse acceptée

Hi. To start, this seems like way too many permissions that your Lambda function does not need. At all.I would encourage you to remove 90% of the permissions that are set here.

With that said, assuming your policy does not actually read <my-bucket-name> in the resource, two things: For bucket level actions, having arn:aws:s3:::<bucket-name> is fine, but for objects, you need to indicate the path. For example, for all objects in the bucket, you would have arn:aws:s3:::<bucket-name>/*

Also note that if you are encrypting files in the bucket with a CMK (a KMS key that you created manually yourself, not the aws/s3 one), you need to provide the services (lambda, scripts etc.) also with access to that KMS key in order to manipulate the encryption of the files (encrypt or decrypt or both).

Hope this helps.

profile picture
répondu il y a 2 ans
  • Thanks a lot. Adding object level permission to resource fixed this as below:

    "Resource": [ "arn:aws:s3:::<my-bucket-name>", "arn:aws:s3:::<my-bucket-name>/*" ]

    On broad level of permissions, these are auto-generated when I selected read and write permission on the console for Lambda access to S3. Thanks, will check on this.

    Regards, dbeing

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions