Anyone got S3 Object Lambda to work?

0

Any tutorial seems to gloss over policy documents, and the defaults don't work. Policy editor is hopeless as I have no idea what items should be selected, and all I get is an Invalid policy error.

asked 2 years ago, 330 views
1 Answer
1

Hello,

Basically, to use S3 Object Lambda, you need to create an S3 bucket, then create an S3 access point, and finally create an S3 Lambda object access point [[1]].

In order to set up the permissions (bucket policy, IAM policies, etc.), please refer to this link for more details:

Configuring IAM policies for Object Lambda access points - https://docs.aws.amazon.com/AmazonS3/latest/userguide/olap-policies.html

Now, coming to your question about the policy editor within the IAM or S3 service. To create IAM policies or a bucket policy, you can use the AWS policy generator tool: https://awspolicygen.s3.amazonaws.com/policygen.html

With the policy generator tool, you can create an IAM policy or S3 bucket policy based on your use case. However, you need to know which actions (permissions) you would like to allow or deny, and you also need to know the requester (IAM user/role, AWS account, etc.) that needs to have access to your resource [[2]].

That said, in the policy generator tool the Principal refers to the requester. For example, if you would like to allow an IAM role to access S3, you need to put the IAM role ARN in the Principal text box.

Next, you need to configure which resources (bucket, objects, etc.) the requester should access. To do so, you can add the ARN of your resource in the "Amazon Resource Name (ARN)" text box.

After providing the principal as well as the resources, you can also add a condition (this is optional). You might need to check the IAM condition documentation for further information about the use case of each condition:

IAM JSON policy elements: Condition - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html

IAM JSON policy elements: Condition operators - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html

Actions, resources, and condition keys for Amazon S3 - https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html

Once all the information is provided, you can click "Add statement". If your policy has only one statement, then you can click "Generate Policy". If you need to add more statements, you need to provide again the Principal, the Actions, the Resources, and the Conditions, if any, and then click "Add statement". Once you have provided all the statements, you can click "Generate Policy".

The next step is to test the generated policy. Please test any policy in your test environment before moving to production. Once you confirm that the policy is working as expected, you can safely use it in your production environment.

One more thing: if you still need help with the S3 Object Lambda configuration, I would like to suggest opening a support case with the S3 support team for further investigation.

References

[[1]] Configuring IAM policies for Object Lambda access points - https://docs.aws.amazon.com/AmazonS3/latest/userguide/olap-policies.html

[[2]] IAM JSON policy elements reference - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html

AWS
answered 2 years ago
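As an added example (not part of the answer above or of AWS's own code), this sketch builds a least-privilege identity policy for a role that reads through an Object Lambda access point, then lints it for structural mistakes that commonly produce an "Invalid policy" error, such as pasting a generator statement that carries a `Principal` into the IAM editor. The account ID, region, resource names, the unqualified function ARN and the same-account setup are assumptions; `caller_policy` and `lint` are hypothetical helper names.

```python
import json

# Placeholder account, region and resource names (assumptions for illustration).
BASE = "us-east-1:111122223333"
OLAP = f"arn:aws:s3-object-lambda:{BASE}:accesspoint/my-object-lambda-ap"
AP_OBJECTS = f"arn:aws:s3:{BASE}:accesspoint/my-access-point/object/*"
FUNCTION = f"arn:aws:lambda:{BASE}:function:MyObjectLambdaFunction"
# Only honour the S3 and Lambda permissions when the call arrives via Object Lambda.
VIA_OLAP = {"ForAnyValue:StringEquals": {"aws:CalledVia": ["s3-object-lambda.amazonaws.com"]}}

def caller_policy():
    """Identity-based policy for the role that reads through the Object Lambda access point."""
    def allow(sid, action, resource, condition=None):
        stmt = {"Sid": sid, "Effect": "Allow", "Action": [action], "Resource": resource}
        if condition:
            stmt["Condition"] = condition
        return stmt
    return {"Version": "2012-10-17", "Statement": [
        allow("ObjectLambdaGet", "s3-object-lambda:GetObject", OLAP),
        allow("SupportingAccessPointGet", "s3:GetObject", AP_OBJECTS, VIA_OLAP),
        allow("InvokeTransform", "lambda:InvokeFunction", FUNCTION, VIA_OLAP),
    ]}

def lint(policy, kind):
    """List structural errors for kind 'identity' (IAM) or 'resource' (bucket/access point)."""
    errors = []
    if policy.get("Version", "2012-10-17") not in ("2012-10-17", "2008-10-17"):
        errors.append("Version is not a valid policy language version")
    statements = policy.get("Statement") or []
    if isinstance(statements, dict):
        statements = [statements]
    if not statements:
        errors.append("Statement is missing or empty")
    for n, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement {n}")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            errors.append(f"{sid}: Effect must be Allow or Deny")
        for a, b in (("Action", "NotAction"), ("Resource", "NotResource")):
            if (a in stmt) == (b in stmt):
                errors.append(f"{sid}: needs exactly one of {a}/{b}")
        has_principal = "Principal" in stmt or "NotPrincipal" in stmt
        if kind == "identity" and has_principal:
            errors.append(f"{sid}: Principal is not allowed in an identity-based policy")
        if kind == "resource" and not has_principal:
            errors.append(f"{sid}: Principal is required in a resource-based policy")
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            if action != "*" and ":" not in action:
                errors.append(f"{sid}: action '{action}' lacks a service prefix")
    return errors

if __name__ == "__main__":
    print(json.dumps(caller_policy(), indent=2))
    print(lint(caller_policy(), "identity") or "no structural errors")
```

The lint covers document structure only; whether the permissions behave as intended still has to be confirmed in a test environment, as the answer says.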
