
Object lambda access point policy, policy document malformed

0

Hi,

Despite the OLAP policy being declared as "optional", when saving it I got an error message "invalid policy". Then I edited it, and from there I'm struggling to define the following:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Statement1",
			"Principal": {
				"AWS": "*account-ARN*"
			},
			"Effect": "Allow",
			"Action": [
				"s3-object-lambda:*"
			],
			"Resource": [
				"*bucketAccesspoint-ARN*"
			]
		}
	]
}

In the status bar underneath: Security = 0, errors = 0, warnings = 0, suggestions = 0. So it should be fine.

However, when saving the policy I get an error "Invalid Object Lambda Access Point policy -> API response -> Policy document is malformed"

What am I missing?

Thanks in advance for any suggestions.

2 Answers
0

Hi,

I understand that you are encountering a MalformedPolicyDocument error. You get the "MalformedPolicyDocument" error when the policy document isn't syntactically or semantically correct, as per the grammar of the policy language [1]. Refer to the resources posted below.

To solve this error you can modify your policies to the below format:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Statement1",
			"Principal": {
				"AWS": "*account-ARN*"
			},
			"Effect": "Allow",
			"Action": [
				"s3:*"
			],
			"Resource": [
				"arn:aws:s3:::xxxxxxxxxxxxxxx/*"
			]
		}
	]
}

Resources:

[1] https://docs.aws.amazon.com/AmazonS3/latest/userguide/olap-policies.html

answered 19 days ago
0

In my understanding, an OLAP policy must point, resource-wise, to an access point and, action-wise, to an object-lambda action - not directly to a bucket nor to s3 actions.

Anyway, attempting to change the action to what you suggest raises the error "Unsupported Action In Policy: The action s3: is not supported for the resource-based policy attached to resource type S3 Bucket.*" while the resource raises "Unsupported Resource ARN In Policy: The resource ARN is not supported for the resource-based policy attached to resource type S3 Object Lambda Access Point.".

So, it doesn't seem to be solving the issue...

answered 18 days ago
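
An added example, not part of either answer and not AWS code: a local pre-check for the two errors quoted in the second answer (unsupported action, unsupported resource ARN), run before a policy is submitted. It assumes Object Lambda Access Point ARNs carry the `s3-object-lambda` service field; the function names, account ID and ARNs are constructed for illustration.

```python
import json

# Assumption: Object Lambda Access Point ARNs have the form
# arn:<partition>:s3-object-lambda:<region>:<account-id>:accesspoint/<name>
OLAP_SERVICE = "s3-object-lambda"


def as_list(value):
    """Policy elements may be a single string/object or a list of them."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def lint_olap_policy(policy_json):
    """Return (sid, code, value) findings for an OLAP resource policy."""
    try:
        statements = as_list(json.loads(policy_json)["Statement"])
    except (json.JSONDecodeError, KeyError, TypeError):
        # Covers unquoted strings, a missing Statement, or a non-object root.
        return [("-", "invalid-document", "")]
    findings = []
    for idx, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"#{idx}")
        for action in as_list(stmt.get("Action")):
            # "s3:*" and a bare "*" both fall outside the OLAP namespace.
            if action.split(":", 1)[0] != OLAP_SERVICE:
                findings.append((sid, "action-not-object-lambda", action))
        for arn in as_list(stmt.get("Resource")):
            parts = arn.split(":", 5)
            if len(parts) < 6 or parts[0] != "arn":
                findings.append((sid, "resource-not-an-arn", arn))
            elif parts[2] != OLAP_SERVICE or not parts[5].startswith("accesspoint/"):
                findings.append((sid, "resource-not-olap-arn", arn))
    return findings


def make_policy(action, resource):
    """Build a constructed sample policy; account ID and names are made up."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "Statement1", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": [action], "Resource": [resource]}]})


OLAP_ARN = "arn:aws:s3-object-lambda:us-east-1:111122223333:accesspoint/example-olap"
if __name__ == "__main__":
    print(lint_olap_policy(make_policy("s3-object-lambda:GetObject", OLAP_ARN)))
    print(lint_olap_policy(make_policy("s3:*", "arn:aws:s3:::example-bucket/*")))
```

An empty result only means neither of those two conditions was found; the service still performs its own validation when the policy is saved.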
