AWS CF: Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException


Hello,

I am in the process of creating the CloudFormation scripts to create the services for Lambda Layers and Lambda Functions. I have created the IAM Role and Policies which can be referenced while creating the Lambda Function. I have uploaded the code (zip files) into an S3 bucket, which should be retrieved while creating the Lambda Layer/Functions. I get the below error while executing the CloudFormation script. Can you please help with what I am doing wrong here?

Error: Resource handler returned message: "Your access has been denied by S3, please make sure your request credentials have permission to GetObject for efts-test-api/efts-test-opensearch-client-layer.zip. S3 Error Code: AccessDenied. S3 Error Message: Access Denied (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException; Request ID: c5afd1ea-6552-485a-a78f-b25e2d0753d1; Proxy: null)" (RequestToken: 0503ea69-ec31-8f72-f639-3f6e5a1e49b9, HandlerErrorCode: GeneralServiceException)

CloudFormation YAML script:

Parameters:
  Environment:
    Description: Which Environment would you like to deploy?
    Type: String
    Default: dev
    AllowedValues:
      - dev
  SourceS3Bucket:
    Description: What bucket has your Lambda Source Code?
    Type: String
  CommonLayerSourceS3Key:
    Description: What is the Common Layer archive (zip) file name in the bucket?
    Type: String
    Default: efts-test-common-layer.zip
  PDFToTextSourceS3Key:
    Description: What is the PDFToText Layer archive (zip) file name in the bucket?
    Type: String
    Default: efts_test_pdftotext-layer.zip
  OpenSearchClientSourceS3Key:
    Description: What is the OpenSearch Client Layer archive (zip) file name in the bucket?
    Type: String
    Default: efts-test-opensearch-client-layer.zip
  EFTSTestSubmissionSourceS3Key:
    Description: What is the EFTS Test Submission Lambda Function archive (zip) file name in the bucket?
    Type: String
    Default: efts-test-submission-function.zip

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Environment Selection
        Parameters:
          - Environment
      - Label:
          default: Source Code
        Parameters:
          - SourceS3Bucket
          - CommonLayerSourceS3Key
          - PDFToTextSourceS3Key
          - OpenSearchClientSourceS3Key
      # The parameters in the next two groups are referenced here but are not
      # declared in the Parameters section of this excerpt.
      - Label:
          default: VPC, Subnets and Security Groups
        Parameters:
          - VPCId
          - SubnetIds
          - SecurityGroupIds
      - Label:
          default: Reconciliation EC2 Instance
        Parameters:
          - InstanceType
          - ImageId
          - SSHKeyPairName
          - SSHLocation

Mappings:
  EnvironmentMap:
    dev:
      EFTSBucket: efts-test-api
      CommonLayerName: efts-test-common-layer
      PDFToTextLayerName: efts_test_pdftotext-layer
      OpenSearchClientLayerName: efts-test-opensearch-client-layer
      EFTSTestSubmissionFunctionName: efts-test-submission-lambda-function

Resources:
  # Creates a bucket with the same name the error message cites (efts-test-api).
  EFTSBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName:
        Fn::FindInMap:
          - EnvironmentMap
          - Ref: Environment
          - EFTSBucket

  # Execution role assumed by the Lambda service at invocation time.
  EFTSTestLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Description: EFTS Test Role with permission to various resources
      RoleName:
        Fn::Sub:
          - lambda_${Function}role
          - Function:
              Fn::FindInMap:
                - EnvironmentMap
                - Ref: Environment
                - EFTSTestSubmissionFunctionName

  # Asterisks in the Resource/Action values below were dropped by the forum's
  # markdown rendering and are restored here.
  EFTSTestLambdaPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Broad grant; consider restricting this to the specific KMS key ARN.
          - Effect: Allow
            Action:
              - kms:Decrypt
            Resource: "*"
          - Effect: Allow
            Action: logs:CreateLogGroup
            Resource:
              - Fn::Sub: arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*
          - Effect: Allow
            Action:
              - logs:CreateLogStream
              - logs:PutLogEvents
            Resource:
              - Fn::Sub:
                  - arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${Function}:*
                  - Function:
                      Fn::FindInMap:
                        - EnvironmentMap
                        - Ref: Environment
                        - EFTSTestSubmissionFunctionName
          # ListBucket is a bucket-level action: bucket ARN, no /*.
          - Effect: Allow
            Action:
              - s3:ListBucket
            Resource:
              - Fn::Sub:
                  - arn:aws:s3:::${Bucket}
                  - Bucket:
                      Fn::FindInMap:
                        - EnvironmentMap
                        - Ref: Environment
                        - EFTSBucket
          # Object-level actions need the object ARN form: bucket ARN + /*.
          - Effect: Allow
            Action: s3:*Object
            Resource:
              - Fn::Sub:
                  - arn:aws:s3:::${Bucket}/*
                  - Bucket:
                      Fn::FindInMap:
                        - EnvironmentMap
                        - Ref: Environment
                        - EFTSBucket
      PolicyName:
        Fn::Sub:
          - lambda${Function}_policy
          - Function:
              Fn::FindInMap:
                - EnvironmentMap
                - Ref: Environment
                - EFTSTestSubmissionFunctionName
      Roles:
        - Ref: EFTSTestLambdaRole

  CommonLayer:
    Type: AWS::Lambda::LayerVersion
    Properties:
      CompatibleRuntimes:
        - nodejs20.x
      Content:
        S3Bucket:
          Ref: SourceS3Bucket
        S3Key:
          Ref: CommonLayerSourceS3Key
      Description: EFTS Test Common Layer
      LayerName:
        Fn::FindInMap:
          - EnvironmentMap
          - Ref: Environment
          - CommonLayerName

  PDFToTextLayer:
    Type: AWS::Lambda::LayerVersion
    Properties:
      CompatibleRuntimes:
        - nodejs20.x
      Content:
        S3Bucket:
          Ref: SourceS3Bucket
        S3Key:
          Ref: PDFToTextSourceS3Key
      Description: EFTS Test PDFToText Layer
      LayerName:
        Fn::FindInMap:
          - EnvironmentMap
          - Ref: Environment
          - PDFToTextLayerName

  OpenSearchClientLayer:
    Type: AWS::Lambda::LayerVersion
    Properties:
      CompatibleRuntimes:
        - nodejs20.x
      Content:
        S3Bucket:
          Ref: SourceS3Bucket
        S3Key:
          Ref: OpenSearchClientSourceS3Key
      Description: EFTS Test OpenSearch Client Layer
      LayerName:
        Fn::FindInMap:
          - EnvironmentMap
          - Ref: Environment
          - OpenSearchClientLayerName

  EFTTestLambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket:
          Ref: SourceS3Bucket
        S3Key:
          Ref: EFTSTestSubmissionSourceS3Key
      Description: Responds to EFTS Submissions Requests
      FunctionName:
        Fn::FindInMap:
          - EnvironmentMap
          - Ref: Environment
          - EFTSTestSubmissionFunctionName
      Handler: index.handler
      Layers:
        - Ref: CommonLayer
      MemorySize: 128
      ReservedConcurrentExecutions: 100
      Role:
        Fn::GetAtt:
          - EFTSTestLambdaRole
          - Arn
      Runtime: nodejs20.x
      Timeout: 10

asked 4 months ago, 225 views
2 Answers
Accepted Answer

It seems like the IAM user/role with which you have logged in doesn't have permission on the efts-test-api folder in the bucket where the file efts-test-opensearch-client-layer.zip exists. Add GetObject permission to your IAM user/role policy and then try again. If you are using an IAM role in CloudFormation, then make sure that IAM role does have GetObject permission on this location.

AWS
EXPERT
answered 4 months ago

Hi @secondabhi_aws,

Thanks for your response. I have made sure that I have the GetObject permission on the S3 bucket, as you can see below, but I still get the same error. Do I have to explicitly mention the full location of the S3 bucket? I have also made sure that I don't have any permissions set up on the S3 bucket.

EFTSBucketExt: efts-test-api

IAM Policy:

EFTSTestLambdaPolicy:
  Type: AWS::IAM::Policy
  Properties:
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        # Bucket-level action on the bucket ARN.
        - Effect: Allow
          Action:
            - s3:ListBucket
          Resource:
            - Fn::Sub:
                - arn:aws:s3:::${Bucket}
                - Bucket:
                    Fn::FindInMap:
                      - EnvironmentMap
                      - Ref: Environment
                      - EFTSBucketExt
        # Object-level actions on the object ARN form (bucket ARN + /*).
        - Effect: Allow
          Action:
            - s3:GetObject
            - s3:PutObject
          Resource:
            - Fn::Sub:
                - arn:aws:s3:::${Bucket}/*
                - Bucket:
                    Fn::FindInMap:
                      - EnvironmentMap
                      - Ref: Environment
                      - EFTSBucketExt

answered 4 months ago
  • No, if you have specified "*" instead of a prefix, that should work. But can you make sure that you, as an IAM user/role (if using a role), do have read permissions to this S3 prefix, as it's not complaining about the Lambda role/policy but about your permissions, with which this CloudFormation template is running. I'd check whether I can download/read this file from the S3 console; if not, then consider adding GetObject permissions to your IAM user/role. Let me know what you find, happy to assist further.
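The check the accepted answer and the follow-up comment describe, as an added example that is not part of the original thread: whether the principal running CloudFormation (not the Lambda execution role) holds s3:GetObject on the object ARN, and how a bucket-ARN grant, a prefix grant and a "*" grant differ. The bucket and key names and the GetObject/ListBucket statements are taken from the post; the evaluator itself is a constructed simplification of IAM's identity-based policy logic (explicit Deny wins, Allow must match action and resource, otherwise implicit deny), and the deployer policies are hypothetical.

```python
"""
Added example (not code from the thread): a minimal evaluator for the
identity-based IAM policy checks discussed above. It implements the part of
IAM evaluation that matters here: an explicit Deny wins, an Allow must match
both the action and the resource, anything else is an implicit deny. Action
names match case-insensitively and resource ARNs case-sensitively, as in IAM;
'*' matches any run of characters and '?' exactly one. Conditions, NotAction,
bucket policies, SCPs and KMS are deliberately out of scope. All policy
documents below are constructed for illustration.
"""
import re

BUCKET = "efts-test-api"
KEY = "efts-test-opensearch-client-layer.zip"
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
OBJECT_ARN = f"{BUCKET_ARN}/{KEY}"


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _glob_to_regex(pattern):
    """Translate an IAM wildcard pattern into an anchored regular expression."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return "^" + "".join(parts) + "$"


def _match(pattern, value, case_sensitive):
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.match(_glob_to_regex(pattern), value, flags) is not None


def evaluate(policies, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action on one resource."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            if not any(_match(a, action, case_sensitive=False) for a in actions):
                continue
            if not any(_match(r, resource, case_sensitive=True) for r in resources):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides every Allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Constructed: what the poster granted the Lambda execution role (object-level, /*).
LAMBDA_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET_ARN},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"{BUCKET_ARN}/*"},
    ],
}

# Constructed (hypothetical): a deploying principal whose GetObject grant names
# the bucket ARN only, a common mistake that never matches an object.
DEPLOYER_BUCKET_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": BUCKET_ARN}
    ],
}

# Constructed (hypothetical): the same principal with the grant scoped to a prefix.
DEPLOYER_PREFIX = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"{BUCKET_ARN}/efts-test-*"}
    ],
}

# Constructed (hypothetical): an explicit Deny from a second attached policy.
DENY_ALL_S3 = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": "*"}],
}


def can_fetch_layer_zip(deployer_policies):
    """True only if the principal calling CloudFormation can GetObject the zip.

    The error in the thread says the request credentials lack GetObject, so the
    execution role's policy is not what is evaluated; only the deployer's
    policies are passed in here.
    """
    return evaluate(deployer_policies, "s3:GetObject", OBJECT_ARN) == "Allow"


if __name__ == "__main__":
    for name, pols in [("bucket ARN only", [DEPLOYER_BUCKET_ONLY]),
                       ("prefix /efts-test-*", [DEPLOYER_PREFIX]),
                       ("prefix + explicit deny", [DEPLOYER_PREFIX, DENY_ALL_S3])]:
        print(f"{name:24s} -> {evaluate(pols, 's3:GetObject', OBJECT_ARN)}")
```

Against the live account the same three checks are `aws sts get-caller-identity` (which principal CloudFormation is actually running as; if the stack was created with a service role via `--role-arn`, that role is the one to check), `aws s3api head-object --bucket efts-test-api --key efts-test-opensearch-client-layer.zip` with those credentials, and `aws iam simulate-principal-policy --policy-source-arn <principal ARN> --action-names s3:GetObject --resource-arns arn:aws:s3:::efts-test-api/efts-test-opensearch-client-layer.zip`. The simulator also accounts for bucket policies, SCPs and conditions, which the evaluator above does not; if the object is SSE-KMS encrypted, the reader additionally needs kms:Decrypt on that key.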
