S3 buckets, S3 Object Lambda Access Point, and OLAP Policy - Receiving "NoSuchAccessPoint" On Deployment

0

The following text uses Pulumi code. I'm aware this is not a Pulumi forum, but I still decided to ask this question. Maybe I'm missing something not related to Pulumi, but to AWS.

I'm writing a Pulumi program, where I have the following code:

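import * as aws from "@pulumi/aws";

// getS3Object, referenced below for the Lambda function ARN, is defined elsewhere in the program and not shown.
const exampleBucketV2 = new aws.s3.BucketV2("example-bucket-v2", {});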
const exampleAccessPoint = new aws.s3.AccessPoint("example-ap", {
    bucket: exampleBucketV2.id
});
const exampleObjectLambdaAccessPoint = new aws.s3control.ObjectLambdaAccessPoint(
    "example-olap",
    {
        configuration: {
            supportingAccessPoint: exampleAccessPoint.arn,
            transformationConfigurations: [
                {
                    actions: ["GetObject"],
                    contentTransformation: {
                        awsLambda: {
                            functionArn: getS3Object.output.arn
                        }
                    }
                }
            ]
        }
    }
);
const exampleObjectLambdaAccessPointPolicy =
    new aws.s3control.ObjectLambdaAccessPointPolicy(
        "example-olap-policy",
        {
            policy: exampleObjectLambdaAccessPoint.arn.apply(arn =>
                JSON.stringify({
                    Version: "2008-10-17",
                    Statement: [
                        {
                            Effect: "Allow",
                            Action: "s3-object-lambda:GetObject",
                            Principal: {
                                AWS: "xxx123abc"
                            },
                            Resource: arn
                        }
                    ]
                })
            )
        }
    );

As we can see, I'm creating a bucket, an AP and an OLAP, and finally an OLAP policy.

When I deploy, the response I get from AWS is:

creating S3 Object Lambda Access Point (xxx123abc:example-olap-policy-0ae82c8) Policy: NoSuchAccessPoint: The specified accesspoint does not exist

So, basically, for some reason OLAP can't be found. But clearly, from the code, OLAP is created. Not sure if this is a bug somewhere in Pulumi/TF, but at this point, I'm out of ideas. Was banging my head against this for quite some time now. 😞

Is there some other technicality that I'm maybe missing here? The process and the code look straightforward, but I really can't get it to run.

Thank you!

Adrian
asked 10 months ago · 295 views
2 Answers
0
Accepted Answer

Just wanted to report that, in the end, this was a Pulumi-related issue.

On their side, the name property of the OLAP is not a required parameter. This is wrong. The moment I added it, everything started working.

I reported this in their Slack, so hopefully they address this in the future.

Adrian
answered 10 months ago
0

https://docs.aws.amazon.com/AmazonS3/latest/userguide/olap-use.html

The issue you're experiencing might be related to how AWS handles the creation of Object Lambda Access Points and their associated ARNs. The ARN for an Object Lambda Access Point begins with arn:aws::s3-object-lambda, not arn:aws::s3, which is used with other access points.

You can find the ARN for your Object Lambda Access Point by using the AWS Management Console or the AWS CLI. Replace 111122223333 with your AWS account ID.

aws s3control list-access-points-for-object-lambda --account-id 111122223333

Review the command output to find the Object Lambda Access Point ARN that you want to use. The output of the previous command should look similar to the following example.

{
    "ObjectLambdaAccessPointList": [
        {
            "Name": "my-object-lambda-ap",
            "ObjectLambdaAccessPointArn": "arn:aws:s3-object-lambda:us-east-1:111122223333:accesspoint/my-object-lambda-ap"
        }
    ]
}

An Object Lambda Access Point also has an alias name, which is created within the same namespace as an Amazon S3 bucket. This alias name is automatically generated and cannot be changed. Format: Object Lambda Access Point name prefix-metadata--ol-s3

Note

The --ol-s3 suffix is reserved for Object Lambda Access Point alias names and can't be used for bucket or Object Lambda Access Point names. For more information about Amazon S3 bucket-naming rules, see Bucket naming rules. The following examples show the ARN and the Object Lambda Access Point alias for an Object Lambda Access Point named my-object-lambda-access-point:

* ARN – arn:aws:s3-object-lambda:region:account-id:accesspoint/my-object-lambda-access-point
* Object Lambda Access Point alias – my-object-lambda-acc-1a4n8yjrb3kda96f67zwrwiiuse1a--ol-s3

When you use an Object Lambda Access Point, you can use the Object Lambda Access Point alias name without requiring extensive code changes. When you delete an Object Lambda Access Point, the Object Lambda Access Point alias name becomes inactive and unprovisioned. You can find the alias for your Object Lambda Access Point using the AWS Management Console.

How to find the alias for your Object Lambda Access Point

To find the alias for your Object Lambda Access Point by using the console
  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
  2. In the left navigation pane, choose Object Lambda Access Points.
  3. For the Object Lambda Access Point that you want to use, copy the Object Lambda Access Point alias value.

When you create an Object Lambda Access Point, Amazon S3 automatically generates an Object Lambda Access Point alias name, as shown in the following example command. To run this command, replace the user input placeholders with your own information. For information about how to create an Object Lambda Access Point by using the AWS CLI, see To create an Object Lambda Access Point by using the AWS CLI.

aws s3control create-access-point-for-object-lambda --account-id 111122223333 --name my-object-lambda-access-point --configuration file://my-olap-configuration.json

{
    "ObjectLambdaAccessPointArn": "arn:aws:s3:region:111122223333:accesspoint/my-access-point",
    "Alias": {
        "Value": "my-object-lambda-acc-1a4n8yjrb3kda96f67zwrwiiuse1a--ol-s3",
        "Status": "READY"
    }
}

The generated Object Lambda Access Point alias name has two fields:

  • The Value field is the alias value of the Object Lambda Access Point.
  • The Status field is the status of the Object Lambda Access Point alias. If the status is PROVISIONING, Amazon S3 is provisioning the Object Lambda Access Point alias, and the alias is not yet ready for use.

Please ensure that the ARNs and aliases are correctly referenced in your Pulumi code. If the issue persists, it could be due to some delay or latency in the AWS services, which might cause the Access Point to not be immediately available after creation. You might want to add some delay or implement a retry mechanism in your Pulumi code after the Access Point creation step.

Lastly, ensure that the Lambda function associated with your S3 Object Lambda Access Point has sufficient permissions to interact with the S3 bucket.

Please note that the specific error message "NoSuchAccessPoint" is not directly addressed in the resources I found. I would recommend reaching out to AWS Support or the Pulumi community for more specific troubleshooting if the issue persists.

EXPERT
answered 10 months ago
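
A pre-deployment check for the two mismatches raised on this page, added here as an example (not code from either poster, Pulumi or AWS): the policy is attached to an Object Lambda Access Point by account ID and name, so the name it targets must be the OLAP's own name (the error in the question names `example-olap-policy-0ae82c8`), and the policy's Resource should be an `s3-object-lambda` ARN for that same access point. `checkOlapPolicy`, `OlapPolicyInput` and the sample OLAP name are hypothetical; the sample values are constructed.

```typescript
// Added example; checkOlapPolicy and OlapPolicyInput are hypothetical names,
// not part of Pulumi or the AWS SDK.
interface OlapPolicyInput {
  olapName: string;         // name of the Object Lambda Access Point that was created
  policyTargetName: string; // access point name the policy will be attached to
  policyJson: string;       // policy document as a JSON string
}

// arn:partition:service:region:account-id:accesspoint/name
const ACCESS_POINT_ARN = /^arn:[^:]+:([^:]+):[^:]*:[^:]+:accesspoint\/(.+)$/;

const asArray = (v: unknown): unknown[] =>
  Array.isArray(v) ? v : v === undefined ? [] : [v];

function checkOlapPolicy(input: OlapPolicyInput): string[] {
  const problems: string[] = [];
  // The policy is looked up by access point name; a different name has no OLAP behind it.
  if (input.policyTargetName !== input.olapName) {
    problems.push(`policy targets "${input.policyTargetName}", OLAP is "${input.olapName}"`);
  }
  const doc = JSON.parse(input.policyJson);
  for (const st of asArray(doc.Statement)) {
    for (const res of asArray((st as { Resource?: unknown } | null)?.Resource)) {
      const m = typeof res === "string" ? ACCESS_POINT_ARN.exec(res) : null;
      if (!m) {
        problems.push(`resource ${JSON.stringify(res)} is not an access point ARN`);
      } else if (m[1] !== "s3-object-lambda") {
        problems.push(`resource uses service "${m[1]}", expected "s3-object-lambda"`);
      } else if (m[2] !== input.olapName) {
        problems.push(`resource names "${m[2]}", OLAP is "${input.olapName}"`);
      }
    }
  }
  return problems;
}

// Constructed sample policy, shaped like the one in the question.
const samplePolicy = (arn: string): string =>
  JSON.stringify({ Version: "2008-10-17", Statement: [{ Effect: "Allow",
    Action: "s3-object-lambda:GetObject", Principal: { AWS: "111122223333" }, Resource: arn }] });

// Constructed failing case: auto-generated policy name plus an s3 (not s3-object-lambda) ARN.
function demo(): string[] {
  return checkOlapPolicy({
    olapName: "example-olap-1a2b3c4",
    policyTargetName: "example-olap-policy-0ae82c8",
    policyJson: samplePolicy("arn:aws:s3:us-east-1:111122223333:accesspoint/example-olap-1a2b3c4"),
  });
}
console.log(demo());
```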
