Object lambda access point policy, policy document malformed

0

Hi,

Despite the OLAP policy being declared as "optional", when saving it I got an error message "invalid policy". I then edited it, and from there I'm struggling to define the following:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Statement1",
			"Principal": {
				"AWS": "*account-ARN*"
			},
			"Effect": "Allow",
			"Action": [
				"s3-object-lambda:*"
			],
			"Resource": [
				"*bucketAccesspoint-ARN*"
			]
		}
	]
}

In the underneath status bar: Security = 0, errors = 0, warnings = 0, suggestions = 0 - So should be fine.

However, when saving the policy I have an error "Invalid Object Lambda Access Point policy -> API response -> Policy document is malformed"

What am I missing?

Thx in advance for any suggestion

asked 2 years ago, 556 views
2 Answers
0

Hi,

I understand that you are encountering a MalformedPolicyDocument error. You get the "MalformedPolicyDocument" error when the policy document isn't syntactically or semantically correct, as per the grammar of the policy language[1]. Refer to the resources posted below.

To solve this error you can modify your policies to the below format:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Statement1",
			"Principal": {
				"AWS": "*account-ARN*"
			},
			"Effect": "Allow",
			"Action": [
				"s3:*"
			],
			"Resource": [
				"arn:aws:s3:::xxxxxxxxxxxxxxx/*"
			]
		}
	]
}

Resources:-

[1] https://docs.aws.amazon.com/AmazonS3/latest/userguide/olap-policies.html

answered 2 years ago
0

In my understanding, an OLAP policy must point, resource-wise, to an access point and, action-wise, to an object-lambda action - not directly to a bucket nor to s3 actions.

Anyway, attempting to change the action to what you suggest raises the error "Unsupported Action In Policy: The action s3: is not supported for the resource-based policy attached to resource type S3 Bucket.*" while the resource raises "Unsupported Resource ARN In Policy: The resource ARN is not supported for the resource-based policy attached to resource type S3 Object Lambda Access Point.".

So, it doesn't seem to be solving the issue...

answered 2 years ago
