Lambda: Access denied for Put Object Operation despite S3FullAccess


I have a Lambda function that pulls data from an S3 bucket, transforms it and puts it into another bucket. I gave it S3FullAccess, which should include all operations. Loading data is no problem, however when I try to store the transformed data in a new bucket (or even a different folder within the same bucket), the following error message occurs:

"An error occurred (AccessDenied) when calling the PutObject operation: Access Denied"

The following lines both throw the error:

awswrangler.s3.to_csv(joined_df, 's3://buckets/other-bucket/data.csv', index=False)

awswrangler.s3.to_csv(joined_df, 's3://buckets/my-bucket/other-subfolder/data.csv', index=False)

This is, again, despite the Lambda having AmazonS3FullAccess. Does anyone know what is wrong here?

1 Answer

Hi there

If the IAM user has the correct permissions to upload to the bucket, then check the following policies for settings that are preventing the uploads:

IAM user permission to s3:PutObjectAcl
Conditions in the bucket policy
Access allowed by an Amazon Virtual Private Cloud (Amazon VPC) endpoint policy
AWS KMS encryption

See https://aws.amazon.com/premiumsupport/knowledge-center/s3-403-upload-bucket/

Matt-B
answered 2 months ago
  • Thanks for this, I went through these policies but none seem to apply in my case. I specifically created a new policy and role now with "s3:PutObjectAcl" permission, added it to a new role & gave it access through the bucket policy.

    There are no conditions in the bucket policy, VPCs play no role and the bucket is not KMS encrypted. Is there any other possible reason?
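
An added example (not code from this thread or from AWS) for the bucket-policy item in the answer's checklist: it resolves an S3 URI to the object ARN and lists the statements in a bucket policy that can block s3:PutObject on it, either an explicit Deny or a statement carrying a Condition. The policy, the bucket name example-bucket, the endpoint ID and the function names are constructed for illustration.

```python
import fnmatch
from urllib.parse import urlparse

# Constructed sample policy for a hypothetical bucket "example-bucket" (not from the thread).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Sid": "DenyOutsideVpce", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
    {"Sid": "AllowRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]}

def as_list(value):
    """Policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def object_arn(s3_uri):
    """s3://<bucket>/<key>: the first component after the scheme is the bucket."""
    parsed = urlparse(s3_uri)
    return f"arn:aws:s3:::{parsed.netloc}/{parsed.path.lstrip('/')}"

def put_blockers(policy, s3_uri, action="s3:PutObject"):
    """Return (Sid, Effect, condition keys) for statements that can block the write.

    Simplified matcher: handles Action/Resource wildcards only, ignores
    NotAction/NotResource/Principal, and does not evaluate condition values.
    """
    arn, hits = object_arn(s3_uri), []
    for stmt in as_list(policy.get("Statement", [])):
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        # Action names are case-insensitive; resource ARNs are matched as written.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(arn, r) for r in resources):
            continue
        cond = stmt.get("Condition", {})
        if stmt.get("Effect") == "Deny" or cond:
            keys = sorted(k for operator in cond.values() for k in operator)
            hits.append((stmt.get("Sid", "(no Sid)"), stmt["Effect"], keys))
    return hits

if __name__ == "__main__":
    for uri in ("s3://example-bucket/out/data.csv", "s3://buckets/example-bucket/data.csv"):
        print(object_arn(uri), put_blockers(SAMPLE_POLICY, uri))
```

An explicit Deny in a bucket policy overrides the Allow granted by an identity policy such as AmazonS3FullAccess, so any statement this reports has to be satisfied by the request itself (headers, source endpoint) rather than by adding permissions to the role.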
