Hello,
I am in the process of creating the CF scripts to create the services for Lambda Layers and Lambda Functions. I have created the IAM Role and Policies which can be referenced while creating the Lambda Function. I have uploaded the code (zip files) into an S3 bucket, which should be retrieved while creating the Lambda Layers/Functions. I get the error below while executing the CloudFormation script. Can you please help with what I am doing wrong here?
Error:
Resource handler returned message: "Your access has been denied by S3, please make sure your request credentials have permission to GetObject for efts-test-api/efts-test-opensearch-client-layer.zip. S3 Error Code: AccessDenied. S3 Error Message: Access Denied (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException; Request ID: c5afd1ea-6552-485a-a78f-b25e2d0753d1; Proxy: null)" (RequestToken: 0503ea69-ec31-8f72-f639-3f6e5a1e49b9, HandlerErrorCode: GeneralServiceException)
CloudFormation YAML script:
Parameters:
  Environment:
    Description: Which Environment would you like to deploy?
    Type: String
    Default: dev
    AllowedValues:
      - dev
  SourceS3Bucket:
    Description: What bucket has your Lambda Source Code?
    Type: String
  CommonLayerSourceS3Key:
    Description: What is the Common Layer archive (zip) file name in the bucket?
    Type: String
    Default: efts-test-common-layer.zip
  PDFToTextSourceS3Key:
    Description: What is the PDFToText Layer archive (zip) file name in the bucket?
    Type: String
    Default: efts_test_pdftotext-layer.zip
  OpenSearchClientSourceS3Key:
    Description: What is the OpenSearch Client Layer archive (zip) file name in the bucket?
    Type: String
    Default: efts-test-opensearch-client-layer.zip
  EFTSTestSubmissionSourceS3Key:
    Description: What is the EFTS Test Submission Lambda Function archive (zip) file name in the bucket?
    Type: String
    Default: efts-test-submission-function.zip
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Environment Selection
        Parameters:
          - Environment
      - Label:
          default: Source Code
        Parameters:
          - SourceS3Bucket
          - CommonLayerSourceS3Key
          - PDFToTextSourceS3Key
          - OpenSearchClientSourceS3Key
          - EFTSTestSubmissionSourceS3Key
      # Every parameter named in a ParameterGroup must exist under Parameters.
      # The two groups below refer to parameters this excerpt does not define,
      # so they are left commented out until those parameters are added.
      # - Label:
      #     default: VPC, Subnets and Security Groups
      #   Parameters:
      #     - VPCId
      #     - SubnetIds
      #     - SecurityGroupIds
      # - Label:
      #     default: Reconciliation EC2 Instance
      #   Parameters:
      #     - InstanceType
      #     - ImageId
      #     - SSHKeyPairName
      #     - SSHLocation
Mappings:
  EnvironmentMap:
    dev:
      EFTSBucket: efts-test-api
      CommonLayerName: efts-test-common-layer
      PDFToTextLayerName: efts_test_pdftotext-layer
      OpenSearchClientLayerName: efts-test-opensearch-client-layer
      EFTSTestSubmissionFunctionName: efts-test-submission-lambda-function
Resources:
  EFTSBucket:
    Type: AWS::S3::Bucket
    Properties:
      # Note: efts-test-api is also the bucket the error above reports the zips
      # being read from; a stack cannot create a bucket that already exists.
      BucketName:
        Fn::FindInMap:
          - EnvironmentMap
          - Ref: Environment
          - EFTSBucket
  EFTSTestLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Description: EFTS Test Role with permission to various resources
      RoleName:
        Fn::Sub:
          - lambda_${Function}role
          - Function:
              Fn::FindInMap:
                - EnvironmentMap
                - Ref: Environment
                - EFTSTestSubmissionFunctionName
  EFTSTestLambdaPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - kms:Decrypt
            # "*" restored (the wildcard was lost in the paste); scope this to
            # the ARN of the KMS key the function actually needs.
            Resource: "*"
          - Effect: Allow
            Action: logs:CreateLogGroup
            Resource:
              - Fn::Sub: arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*
          - Effect: Allow
            Action:
              - logs:CreateLogStream
              - logs:PutLogEvents
            Resource:
              - Fn::Sub:
                  - arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${Function}:*
                  - Function:
                      Fn::FindInMap:
                        - EnvironmentMap
                        - Ref: Environment
                        - EFTSTestSubmissionFunctionName
          # ListBucket is a bucket-level action: its Resource is the bucket ARN.
          - Effect: Allow
            Action:
              - s3:ListBucket
            Resource:
              - Fn::Sub:
                  - arn:aws:s3:::${Bucket}
                  - Bucket:
                      Fn::FindInMap:
                        - EnvironmentMap
                        - Ref: Environment
                        - EFTSBucket
          # GetObject is an object-level action: its Resource must be an object
          # ARN (bucket/* or bucket/prefix/*). "s3:Object" is not a valid action
          # and "${Bucket}/" with no trailing * matches no object.
          - Effect: Allow
            Action: s3:GetObject
            Resource:
              - Fn::Sub:
                  - arn:aws:s3:::${Bucket}/*
                  - Bucket:
                      Fn::FindInMap:
                        - EnvironmentMap
                        - Ref: Environment
                        - EFTSBucket
      PolicyName:
        Fn::Sub:
          - lambda${Function}_policy
          - Function:
              Fn::FindInMap:
                - EnvironmentMap
                - Ref: Environment
                - EFTSTestSubmissionFunctionName
      Roles:
        - Ref: EFTSTestLambdaRole
  CommonLayer:
    Type: AWS::Lambda::LayerVersion
    Properties:
      CompatibleRuntimes:
        - nodejs20.x
      Content:
        S3Bucket:
          Ref: SourceS3Bucket
        S3Key:
          Ref: CommonLayerSourceS3Key
      Description: EFTS Test Common Layer
      LayerName:
        Fn::FindInMap:
          - EnvironmentMap
          - Ref: Environment
          - CommonLayerName
  PDFToTextLayer:
    Type: AWS::Lambda::LayerVersion
    Properties:
      CompatibleRuntimes:
        - nodejs20.x
      Content:
        S3Bucket:
          Ref: SourceS3Bucket
        S3Key:
          Ref: PDFToTextSourceS3Key
      Description: EFTS Test PDFToText Layer
      LayerName:
        Fn::FindInMap:
          - EnvironmentMap
          - Ref: Environment
          - PDFToTextLayerName
  OpenSearchClientLayer:
    Type: AWS::Lambda::LayerVersion
    Properties:
      CompatibleRuntimes:
        - nodejs20.x
      Content:
        S3Bucket:
          Ref: SourceS3Bucket
        S3Key:
          Ref: OpenSearchClientSourceS3Key
      Description: EFTS Test OpenSearch Client Layer
      LayerName:
        Fn::FindInMap:
          - EnvironmentMap
          - Ref: Environment
          - OpenSearchClientLayerName
  EFTSTestLambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      # Lambda fetches this object with the credentials of the principal that
      # runs the stack, not with EFTSTestLambdaRole.
      Code:
        S3Bucket:
          Ref: SourceS3Bucket
        S3Key:
          Ref: EFTSTestSubmissionSourceS3Key
      Description: Responds to EFTS Submissions Requests
      FunctionName:
        Fn::FindInMap:
          - EnvironmentMap
          - Ref: Environment
          - EFTSTestSubmissionFunctionName
      Handler: index.handler
      Layers:
        - Ref: CommonLayer
      MemorySize: 128
      ReservedConcurrentExecutions: 100
      Role:
        Fn::GetAtt:
          - EFTSTestLambdaRole
          - Arn
      Runtime: nodejs20.x
      Timeout: 10
No, if you have specified "*" instead of the prefix, that should work. But can you make sure that you, as an IAM user/role (if using a role), have read permissions to this S3 prefix? It's not complaining about the Lambda role/policy but about your permissions, with which this CloudFormation template is running. I'd check whether I can download/read this file by going to the S3 console; if not, then consider adding GetObject permissions to your IAM user/role. Let me know what you find, happy to assist further.
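The point both posts turn on is which principal needs s3:GetObject and on which ARN: the deploying user/role (the credentials CloudFormation runs with), and an object ARN (bucket/key or bucket/*), not the bucket ARN and not a "bucket/" prefix with no wildcard. The following is an added example, not code from the thread: a deliberately small IAM-style evaluator (explicit Deny wins, otherwise an Allow must match, otherwise implicit deny; "*" and "?" wildcards; action names compared case-insensitively; no Condition, NotAction, resource policies, SCPs or permission boundaries) that shows why the GetObject statement as posted matches nothing, and builds the least-privilege statement to attach to the deploying principal. The bucket and key are the ones from the error message; the policy documents are constructed for illustration.

```python
"""Simplified IAM evaluation for the S3 GetObject question in this thread.

Added example, not part of the original post. Only the subset of IAM
semantics needed for the Resource/Action matching question is modelled.
"""
import re
from typing import Any, Iterable

# Names taken from the AccessDenied error in the question.
BUCKET = "efts-test-api"
KEY = "efts-test-opensearch-client-layer.zip"
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/{KEY}"


def _as_list(value: Any) -> list:
    # IAM accepts either a single string or a list for Action / Resource / Statement.
    return value if isinstance(value, list) else [value]


def _wild_match(pattern: str, value: str, *, ignore_case: bool = False) -> bool:
    # IAM wildcards: '*' matches any run of characters (slashes included), '?' one char.
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _statement_applies(stmt: dict, action: str, resource: str) -> bool:
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    action_hit = any(_wild_match(a, action, ignore_case=True) for a in actions)
    resource_hit = any(_wild_match(r, resource) for r in resources)
    return action_hit and resource_hit


def evaluate(policies: Iterable[dict], action: str, resource: str) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one (action, resource) request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny always wins
            decision = "Allow"
    return decision


# The S3 statements as they read in the posted template: ListBucket on the bucket
# ARN (correct for a bucket-level action) and GetObject on "bucket/" with no "*",
# which is a literal resource name that no object ARN equals.
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/"},
    ],
}


def deployer_policy(bucket: str, keys: Iterable[str]) -> dict:
    """Least-privilege statement for the IAM user/role that runs the stack:
    GetObject on exactly the archives Lambda has to fetch on the caller's behalf."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/{key}" for key in keys],
            }
        ],
    }


if __name__ == "__main__":
    print("as posted :", evaluate([POSTED_POLICY], "s3:GetObject", OBJECT_ARN))
    print("fixed     :", evaluate([deployer_policy(BUCKET, [KEY])], "s3:GetObject", OBJECT_ARN))
```

Two checks worth running before re-deploying: `aws sts get-caller-identity` with the same credentials the stack uses, to confirm which principal CloudFormation is actually running as, and `aws s3api head-object --bucket efts-test-api --key efts-test-opensearch-client-layer.zip` with those credentials, which fails with 403 exactly as the Lambda resource does if GetObject is missing. If the objects are encrypted with a customer-managed KMS key, that principal also needs kms:Decrypt on the key; S3 reports that case as AccessDenied too.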