Permission declined when running the Lambda function

0

The Lambda function's task is to return the name of the file that was uploaded to the S3 bucket.

Code in the Lambda function:

import json
import urllib.parse
import boto3

print('Loading function')

s3 = boto3.client('s3')


def lambda_handler(event, context):
    #print("Received event: " + json.dumps(event, indent=2))

    # Get the object from the event and show its content type
    bucket = event['Records'][0]['s3']['bucket']['name']
    key = urllib.parse.unquote_plus(event['Records'][0]['s3']['object']['key'], encoding='utf-8')
    try:
        response = s3.get_object(Bucket=bucket, Key=key)
        print("CONTENT TYPE: " + response['ContentType'])
        return response['ContentType']
    except Exception as e:
        print(e)
        print('Error getting object {} from bucket {}. Make sure they exist and your bucket is in the same region as this function.'.format(key, bucket))
        raise e

Attached permission details:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents",
                "logs:CreateLogGroup",
                "logs:CreateLogStream"
            ],
            "Resource": "arn:aws:logs:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:GetBucketPolicy",
                "s3-object-lambda:*"
            ],
            "Resource": "arn:aws:s3:::*/*"
        }
    ]
}

Read permission is attached in the S3 policies, but unfortunately it is throwing an error.

  • Can you please share the error message?

asked a year ago, 535 views
2 Answers
0

Hi there!

What exactly is the error you are getting?

Here is a tutorial on how to run a Lambda function responding to an S3 event notification. Based on the tutorial, your policy looks okay. Please ensure you created a role that uses this policy, and this role is configured as the Lambda function's execution role.

I hope this helps.

AWS
EXPERT
answered a year ago
0

ListBucket is bucket-level access, whereas GetObject is object-level access.

Add "arn:aws:s3:::<bucket_name>" as well in the resource section.

    {
        "Effect": "Allow",
        "Action": [
            "s3:GetObject",
            "s3:ListBucket",
            "s3:GetBucketPolicy",
            "s3-object-lambda:*"
        ],
        "Resource": [
            "arn:aws:s3:::<bucket_name>",
            "arn:aws:s3:::*/*"
        ]
    }

Also, if the Lambda function is receiving events on S3 upload from an EventBridge rule, then have you added permissions on the Lambda function for the event, so that the event can trigger the Lambda function at the time of file upload? In CloudFormation it'd look something like below, but you can add that over the console as well if not done already.

  rLambdaInvokePermission:
    Type: 'AWS::Lambda::Permission'
    Properties:
      FunctionName: !Ref myLambdaFunction
      Action: 'lambda:InvokeFunction'
      Principal: events.amazonaws.com
      SourceArn: !GetAtt rEventRule.Arn

Hope you find this useful.

Comment here if you have additional questions, happy to help.

Abhishek

AWS
EXPERT
answered a year ago
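As an added example (not code from the question or from either answer), the Python script below makes the second answer's point mechanically: it lints an IAM policy document for S3 statements whose resources do not match the level at which each action is evaluated, flags `s3:ListBucket` and `s3:GetBucketPolicy` in the question's policy because only the object-level ARN `arn:aws:s3:::*/*` is granted, and builds the corrected statement with both a bucket ARN and an object ARN. The policy is a constructed copy of the one in the question, the bucket name is a placeholder, and the corrected statement covers only the three S3 actions (the `s3-object-lambda:*` action from the original statement is left out, since those actions target Object Lambda access points rather than buckets).

```python
"""Added example, not from the original post: an offline lint for the
S3 resource/action mismatch described in the second answer."""
import json

# Constructed copy of the policy from the question. The second S3 statement
# grants every action only on object-level resources (arn:aws:s3:::*/*).
QUESTION_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["logs:PutLogEvents", "logs:CreateLogGroup", "logs:CreateLogStream"],
     "Resource": "arn:aws:logs:*:*:*"},
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetBucketPolicy", "s3-object-lambda:*"],
     "Resource": "arn:aws:s3:::*/*"}
  ]
}
""")

S3_ARN_PREFIX = "arn:aws:s3:::"
# Actions evaluated against the bucket ARN versus the object ARN.
BUCKET_LEVEL = {"s3:ListBucket", "s3:GetBucketPolicy"}
OBJECT_LEVEL = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_object_arn(arn):
    """An S3 object ARN has a '/' after the bucket name (arn:aws:s3:::bucket/key)."""
    return arn.startswith(S3_ARN_PREFIX) and "/" in arn[len(S3_ARN_PREFIX):]


def find_resource_mismatches(policy):
    """Return (statement_index, action, reason) for each S3 action in an Allow
    statement that has no resource of the level the action is evaluated against."""
    problems = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        s3_resources = [r for r in _as_list(stmt.get("Resource", []))
                        if r.startswith(S3_ARN_PREFIX)]
        if not s3_resources:
            continue
        has_bucket = any(not _is_object_arn(r) for r in s3_resources)
        has_object = any(_is_object_arn(r) for r in s3_resources)
        for action in _as_list(stmt.get("Action", [])):
            if action in BUCKET_LEVEL and not has_bucket:
                problems.append((i, action, "needs bucket ARN"))
            elif action in OBJECT_LEVEL and not has_object:
                problems.append((i, action, "needs object ARN"))
    return problems


def s3_statement_for_bucket(bucket_name):
    """Corrected S3 statement: bucket ARN for ListBucket/GetBucketPolicy, object ARN
    for GetObject, and scoped to one named bucket instead of every bucket."""
    return {
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetBucketPolicy"],
        "Resource": [
            f"{S3_ARN_PREFIX}{bucket_name}",
            f"{S3_ARN_PREFIX}{bucket_name}/*",
        ],
    }


if __name__ == "__main__":
    for idx, action, reason in find_resource_mismatches(QUESTION_POLICY):
        print(f"Statement[{idx}]: {action} {reason}")
    fixed = {"Version": QUESTION_POLICY["Version"],
             "Statement": [QUESTION_POLICY["Statement"][0],
                           s3_statement_for_bucket("my-upload-bucket")]}  # placeholder name
    assert not find_resource_mismatches(fixed)
    print(json.dumps(fixed, indent=2))
```

Running it prints the two bucket-level actions that the question's policy cannot satisfy and then the repaired document; the same lint can be pointed at any policy JSON pulled from IAM to catch the pattern before a function is deployed with it.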
