The resource for creating log groups is incorrect. This will not allow your function to create the log group.
You have
"Resource": "arn:aws:logs:us-east-1:<ACCOUNT_NUMBER>:"
It needs to be something like
"Resource": "arn:aws:logs:us-east-1:<ACCOUNT_NUMBER>:log-group:*"
Also, is your Lambda Function VPC Attached?
Hi @Gary, thanks for answering. The Lambda is not attached to a VPC, and I am not able to access the objects from the private S3 bucket from the Lambda function.
What encryption do the objects have? Do you have ANY logs from Lambda?
For future reference: Editing the question and putting the details in there makes for a lot easier reading.
Your Lambda permission doesn't list any actions or resources for S3. Instead of
{
"Effect": "Allow",
"Action": "s3:",
"Resource": ""
}
try
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
},
although I'd say that using * for both of those is far too broad.
Is there an error message you can share? It'd also be handy to see the role permissions and the bucket policy.
Hi @Brettski, thanks for showing interest in this topic. NO ERRORS. From the website I am not able to see images. I am trying to access the objects from the private S3 bucket from Node.js code.
This is the bucket policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<ACCOUNT_NUMBER>:role/service-role/my-website-hosting-lambda-role"
      },
      "Action": [ "s3:GetObject", "s3:ListBucket" ],
      "Resource": [ "arn:aws:s3:::my-bucket-123", "arn:aws:s3:::my-bucket-123/" ]
    }
  ]
}
Lambda execution policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "logs:CreateLogGroup",
      "Resource": "arn:aws:logs:us-east-1:<ACCOUNT_NUMBER>:"
    },
    {
      "Effect": "Allow",
      "Action": "s3:",
      "Resource": ""
    },
    {
      "Effect": "Allow",
      "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ],
      "Resource": [ "arn:aws:logs:us-east-1:<ACCOUNT_NUMBER>:log-group:/aws/lambda/my-website-hosting-lambda:*" ]
    }
  ]
}
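The checks raised in the two answers above, as an added example (not code from this thread or from AWS): a small Node.js linter that flags an action with no name after the service prefix, an empty resource, an ARN with no resource part, and the `s3:*` on `*` combination. The issue names and the `scopedS3` statements are assumptions made for illustration.

```javascript
// Constructed input: the Lambda execution policy as posted in this thread.
const postedPolicy = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: "logs:CreateLogGroup",
      Resource: "arn:aws:logs:us-east-1:<ACCOUNT_NUMBER>:" },
    { Effect: "Allow", Action: "s3:", Resource: "" },
    { Effect: "Allow", Action: ["logs:CreateLogStream", "logs:PutLogEvents"],
      Resource: ["arn:aws:logs:us-east-1:<ACCOUNT_NUMBER>:log-group:/aws/lambda/my-website-hosting-lambda:*"] },
  ],
};
// Assumed scope (not from the thread): read-only access to the one bucket it names.
const scopedS3 = [
  { Effect: "Allow", Action: "s3:GetObject", Resource: "arn:aws:s3:::my-bucket-123/*" },
  { Effect: "Allow", Action: "s3:ListBucket", Resource: "arn:aws:s3:::my-bucket-123" },
];

const asList = (v) => (Array.isArray(v) ? v : [v]);

// Returns one finding per problem; an empty array means none of these checks fired.
function lintPolicy(policy) {
  const findings = [];
  asList(policy.Statement).forEach((stmt, i) => {
    if (stmt.Effect !== "Allow") return;
    const actions = asList(stmt.Action ?? []);
    const resources = asList(stmt.Resource ?? []);
    for (const a of actions) {
      // "s3:" names a service but no action, so it matches nothing.
      if (!/^(\*|[a-z0-9-]+:[A-Za-z0-9*?]+)$/.test(a))
        findings.push({ statement: i, issue: "invalid-action", value: a });
    }
    for (const r of resources) {
      if (r === "") {
        findings.push({ statement: i, issue: "empty-resource", value: r });
      } else if (r !== "*" && r.startsWith("arn:") && r.split(":").slice(5).join(":") === "") {
        // ARN layout: arn:partition:service:region:account:resource
        findings.push({ statement: i, issue: "arn-missing-resource-part", value: r });
      }
    }
    // Every action of a service on every resource: works, but far broader than needed.
    if (actions.some((a) => a === "*" || a.endsWith(":*")) && resources.includes("*"))
      findings.push({ statement: i, issue: "wildcard-action-and-resource", value: actions.join(",") });
  });
  return findings;
}

console.log(lintPolicy(postedPolicy));
```

Running `lintPolicy` on `{ Statement: scopedS3 }` returns no findings, while the `s3:*` on `*` statement suggested as a quick fix is reported as `wildcard-action-and-resource`.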