Permission declined when running the Lambda function


The Lambda function's task is to give the name of the file that is uploaded to the S3 bucket.

Code in the Lambda function:

import json
import urllib.parse
import boto3

print('Loading function')

s3 = boto3.client('s3')


def lambda_handler(event, context):
    #print("Received event: " + json.dumps(event, indent=2))

    # Get the object from the event and show its content type
    bucket = event['Records'][0]['s3']['bucket']['name']
    key = urllib.parse.unquote_plus(event['Records'][0]['s3']['object']['key'], encoding='utf-8')
    try:
        response = s3.get_object(Bucket=bucket, Key=key)
        print("CONTENT TYPE: " + response['ContentType'])
        return response['ContentType']
    except Exception as e:
        print(e)
        print('Error getting object {} from bucket {}. Make sure they exist and your bucket is in the same region as this function.'.format(key, bucket))
        raise e

Attached permission details:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents",
                "logs:CreateLogGroup",
                "logs:CreateLogStream"
            ],
            "Resource": "arn:aws:logs:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:GetBucketPolicy",
                "s3-object-lambda:*"
            ],
            "Resource": "arn:aws:s3:::*/*"
        }
    ]
}

Read permission is attached in the S3 policies, but unfortunately it is throwing an error.

  • Can you please share the error message?

Asked 8 months ago, 387 views
2 answers
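As an added example (not the questioner's code and not an AWS sample), here is a variant of the handler above that pulls the bucket and key out of either an S3 event notification (the `Records[0].s3` shape the original code expects) or an EventBridge "Object Created" event, and, when `get_object` fails, logs which class of failure it was, so an `AccessDenied` (execution role or bucket policy) can be told apart from a `NoSuchKey` (key decoding) before the exception is re-raised. The S3 client is injectable so the block runs offline against the constructed `FakeS3Client`; the event payloads, bucket name and keys are constructed, and the block assumes EventBridge delivers the key without URL-encoding, which is worth checking against the current S3 documentation.

```python
import urllib.parse


def extract_bucket_and_key(event):
    """Return (bucket, key) from an S3 event notification (Records[0].s3) or
    from an EventBridge 'Object Created' event (detail.bucket / detail.object)."""
    if "Records" in event:
        s3_part = event["Records"][0]["s3"]
        # S3 notifications URL-encode the key and encode spaces as '+',
        # hence unquote_plus, exactly as the original handler does.
        key = urllib.parse.unquote_plus(s3_part["object"]["key"], encoding="utf-8")
        return s3_part["bucket"]["name"], key
    if event.get("source") == "aws.s3" and "detail" in event:
        detail = event["detail"]
        # Assumption: EventBridge delivers the key without URL-encoding.
        return detail["bucket"]["name"], detail["object"]["key"]
    raise ValueError("unrecognised event shape with keys: " + ", ".join(sorted(event)))


def classify_s3_error(exc):
    """Turn the error code of a failed S3 call into a one-line diagnosis.
    Works with botocore.exceptions.ClientError (exc.response['Error']['Code'])
    and with the constructed FakeClientError below."""
    code = getattr(exc, "response", {}).get("Error", {}).get("Code", "")
    hints = {
        "AccessDenied": "execution role or bucket policy does not allow s3:GetObject on this object ARN",
        "NoSuchKey": "object key not found; check the URL-decoding of the key taken from the event",
        "NoSuchBucket": "bucket not found; check the name, account and region",
    }
    return hints.get(code, "unclassified error: " + (code or repr(exc)))


def lambda_handler(event, context, s3_client=None):
    """Same job as the original handler, with the client injectable for offline tests."""
    if s3_client is None:
        import boto3  # only needed when actually running inside Lambda
        s3_client = boto3.client("s3")
    bucket, key = extract_bucket_and_key(event)
    try:
        response = s3_client.get_object(Bucket=bucket, Key=key)
    except Exception as exc:
        # The diagnosis goes to CloudWatch Logs; the exception still propagates.
        print("get_object s3://%s/%s failed: %s" % (bucket, key, classify_s3_error(exc)))
        raise
    return {"bucket": bucket, "key": key, "content_type": response["ContentType"]}


# --- constructed test doubles and sample events (not real AWS payloads) ---
class FakeClientError(Exception):
    """Mimics the .response attribute of botocore's ClientError."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeS3Client:
    """Knows a fixed set of objects; anything else raises AccessDenied, which is
    what a missing IAM permission looks like from the caller's side."""
    def __init__(self, objects):
        self.objects = objects  # {(bucket, key): content_type}

    def get_object(self, Bucket, Key):
        if (Bucket, Key) not in self.objects:
            raise FakeClientError("AccessDenied")
        return {"ContentType": self.objects[(Bucket, Key)]}


# Constructed sample events: the same object, once URL-encoded as an S3
# notification delivers it, once plain as EventBridge is assumed to deliver it.
S3_NOTIFICATION_EVENT = {"Records": [{"s3": {
    "bucket": {"name": "example-bucket"},
    "object": {"key": "reports/q1+2024%20final.csv"}}}]}

EVENTBRIDGE_EVENT = {"source": "aws.s3", "detail-type": "Object Created", "detail": {
    "bucket": {"name": "example-bucket"},
    "object": {"key": "reports/q1 2024 final.csv"}}}

if __name__ == "__main__":
    client = FakeS3Client({("example-bucket", "reports/q1 2024 final.csv"): "text/csv"})
    print(lambda_handler(S3_NOTIFICATION_EVENT, None, client))
    print(lambda_handler(EVENTBRIDGE_EVENT, None, client))
```

Running the block locally prints the same bucket, key and content type for both event shapes; deploying it unchanged makes a permission failure in CloudWatch Logs read as "AccessDenied" plus the hint, which is the first thing to look at when the execution role's resource ARNs are in doubt.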

Hi there!

What exactly is the error you are getting?

Here is a tutorial on how to run a Lambda function responding to an S3 event notification. Based on the tutorial, your policy looks okay. Please ensure you created a role that uses this policy, and this role is configured as the Lambda function's execution role.

I hope this helps.

AWS
Expert
Answered 8 months ago

ListBucket is bucket-level access, whereas GetObject is object-level access.

Add "arn:aws:s3:::<bucket_name>" as well in the resource section.

    {
        "Effect": "Allow",
        "Action": [
            "s3:GetObject",
            "s3:ListBucket",
            "s3:GetBucketPolicy",
            "s3-object-lambda:*"
        ],
        "Resource": [
            "arn:aws:s3:::<bucket_name>",
            "arn:aws:s3:::*/*"
        ]
    }

Also, if the Lambda function is receiving events on S3 upload from an EventBridge rule, have you added permissions on the Lambda function for the event, so the event can trigger the Lambda function at the time of file upload? In CloudFormation it would look something like the below, but you can add that over the console as well if not done.

  rLambdaInvokePermission:
    Type: 'AWS::Lambda::Permission'
    Properties:
      FunctionName: !Ref myLambdaFunction
      Action: 'lambda:InvokeFunction'
      Principal: events.amazonaws.com
      SourceArn: !GetAtt rEventRule.Arn

Hope you find this useful.

Comment here if you have additional questions, happy to help.

Abhishek

AWS
Expert
Answered 8 months ago
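As an added example (not part of the answer above and not AWS code), a small offline check that applies the bucket-level versus object-level distinction to an IAM policy document: for each Allow statement it reports actions that are evaluated against a bucket ARN (`arn:aws:s3:::bucket`) but only have object ARNs (`arn:aws:s3:::bucket/key`) available, and vice versa. The action sets are a constructed subset of the S3 API, and the two policies embedded below are the one from the question and the one with the extra bucket ARN from this answer, with `<bucket_name>` kept as a placeholder.

```python
import json

# Constructed subset of S3 actions, grouped by the resource type they are
# evaluated against. Not an exhaustive list of the S3 API.
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:GetBucketPolicy", "s3:GetBucketLocation"}
OBJECT_LEVEL_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}

S3_ARN_PREFIX = "arn:aws:s3:::"


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_bucket_arn(arn):
    """arn:aws:s3:::bucket (or a wildcard bucket) with no key part."""
    return arn.startswith(S3_ARN_PREFIX) and "/" not in arn[len(S3_ARN_PREFIX):]


def is_object_arn(arn):
    """arn:aws:s3:::bucket/key, including arn:aws:s3:::*/*."""
    return arn.startswith(S3_ARN_PREFIX) and "/" in arn[len(S3_ARN_PREFIX):]


def find_resource_mismatches(policy):
    """Return [(action, explanation)] for Allow statements whose Resource
    entries cannot match the resource level the action is evaluated on.
    A bare "*" resource satisfies both levels."""
    problems = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        has_bucket = any(r == "*" or is_bucket_arn(r) for r in resources)
        has_object = any(r == "*" or is_object_arn(r) for r in resources)
        for action in _as_list(stmt.get("Action", [])):
            if action in BUCKET_LEVEL_ACTIONS and not has_bucket:
                problems.append((action, "needs a bucket ARN such as " + S3_ARN_PREFIX + "<bucket_name>"))
            elif action in OBJECT_LEVEL_ACTIONS and not has_object:
                problems.append((action, "needs an object ARN such as " + S3_ARN_PREFIX + "<bucket_name>/*"))
    return problems


def lint_policy_json(text):
    """Convenience wrapper for a policy document held as a JSON string."""
    return find_resource_mismatches(json.loads(text))


# The policy from the question: only an object ARN for the S3 statement.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:PutLogEvents", "logs:CreateLogGroup", "logs:CreateLogStream"],
         "Resource": "arn:aws:logs:*:*:*"},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetBucketPolicy", "s3-object-lambda:*"],
         "Resource": "arn:aws:s3:::*/*"},
    ],
}

# The same policy with the bucket ARN added, as this answer suggests.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        QUESTION_POLICY["Statement"][0],
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetBucketPolicy", "s3-object-lambda:*"],
         "Resource": ["arn:aws:s3:::<bucket_name>", "arn:aws:s3:::*/*"]},
    ],
}

if __name__ == "__main__":
    for name, policy in (("question", QUESTION_POLICY), ("fixed", FIXED_POLICY)):
        print(name + ":", find_resource_mismatches(policy) or "no mismatches")
```

On the question's policy the check flags `s3:ListBucket` and `s3:GetBucketPolicy` (bucket-level actions with only `arn:aws:s3:::*/*` to match against), and on the corrected policy it reports nothing. The same check is a cheap thing to run in CI over the execution-role policies in a template before the IAM policy simulator or a real invocation is reached.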
