Docker container image Lambda setting S3 permissions

0

Hi, I have a Docker container image Lambda that needs to download a file from S3 and process it. Here is the relevant part of the code:

import boto3

# No explicit credentials: boto3 falls back to the Lambda execution role
s3 = boto3.client('s3', region_name="us-east-2")
s3.download_file(Bucket=bucket, Key=key_file, Filename=local_file)
# --> Process the file <-- #

I create a role with the following permissions policy and trust policy, and attach it to the Lambda:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*",
                "s3-object-lambda:*"
            ],
            "Resource": "*"
        }
    ]
}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

And I'm getting the error:

[ERROR] ClientError: An error occurred (400) when calling the HeadObject operation: Bad Request

But when I add user credentials directly in the code (like the next line of code), it works well.

import os

s3 = boto3.client('s3', region_name="us-east-2",
                  aws_access_key_id=os.environ.get('AWS_ACCESS_KEY_ID'),
                  aws_secret_access_key=os.environ.get('AWS_SECRET_ACCESS_KEY'))

Is there a way to solve this issue without including credentials in the code?

ilfoxo
asked 9 months ago, 520 views
1 Answer
0

Hi, everything seems correct for what you detailed. But one last piece is missing: did you assign the role that you created as the execution role of the Lambda when you created it?

See https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html

In the output of aws lambda get-function --function-name my-function, do you see "Role" with the ARN of your role, as below?

{
    "Concurrency": {
        "ReservedConcurrentExecutions": 100
    },
    "Code": {
        "RepositoryType": "S3",
        "Location": "https://awslambda-us-west-2-tasks.s3.us-west-2.amazonaws.com/snapshots/123456789012/my-function..."
    },
    "Configuration": {
        "TracingConfig": {
            "Mode": "PassThrough"
        },
        "Version": "$LATEST",
        "CodeSha256": "5tT2qgzYUHoqwR616pZ2dpkn/0J1FrzJmlKidWaaCgk=",
        "FunctionName": "my-function",
        "VpcConfig": {
            "SubnetIds": [],
            "VpcId": "",
            "SecurityGroupIds": []
        },
        "MemorySize": 128,
        "RevisionId": "28f0fb31-5c5c-43d3-8955-03e76c5c1075",
        "CodeSize": 304,
        "FunctionArn": "arn:aws:lambda:us-west-2:123456789012:function:my-function",
        "Handler": "index.handler",
        "Role": "arn:aws:iam::123456789012:role/service-role/helloWorldPython-role-uy3l9qyq",
        "Timeout": 3,
        "LastModified": "2019-09-24T18:20:35.054+0000",
        "Runtime": "nodejs10.x",
        "Description": ""
    }
}

Best,

Didier

AWS EXPERT
answered 9 months ago
  • Hi Didier, yes. The role is assigned to the Lambda:

    aws lambda get-function --function-name Html2PdfFunction --profile generic-dev

    ...
        "FunctionName": "Html2PdfFunction",
        "FunctionArn": "arn:aws:lambda:us-east-2:XXXXXXXXXXX:function:Html2PdfFunction",
        "Role": "arn:aws:iam::XXXXXXXXXX:role/Html2Pdf-Html2PdfFunctionRole-T6K1VD2OYKDC",
        "CodeSize": 0,
        "Description": "",
        "Timeout": 300,
    ...
