Lambda role assuming a role in same account to list bucket in different account gives NoSuchBucket


Hi

I have a Lambda role in account A and another role, s3Role, in the same account A (this is required by the use case). s3Role has read, list and put permissions for an S3 bucket in account B. Account B's S3 bucket policy allows s3Role to read, list and put.

In the Lambda Java code, I'm using AWSSecurityTokenServiceClient to create an STS client with DefaultAWSCredentialsProviderChain and a region (the same as the Lambda region) and assume s3Role. I get a valid response from AssumeRole.

Using the credentials from AssumeRole I create the S3 client with AWSStaticCredentialsProvider in the same region as the S3 bucket and call the listObjectsV2 API. I get a NoSuchBucket exception.

import java.util.ArrayList;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.ListObjectsV2Request;
import com.amazonaws.services.s3.model.ListObjectsV2Result;
import com.amazonaws.services.s3.model.S3ObjectSummary;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;

public class CrossAccountLister {
  private static final Logger log = LoggerFactory.getLogger(CrossAccountLister.class);
  private final List<S3ObjectSummary> s3ObjectsWithMeta = new ArrayList<>();
  private AmazonS3 s3Client;

  // batchJobRole is the ARN of s3Role (in account A), e.g. arn:aws:iam::ACCOUNT-A-ID:role/s3Role
  public List<S3ObjectSummary> listSourceBucket(String batchJobRole) {
    AssumeRoleRequest assumeRoleRequest =
        new AssumeRoleRequest()
            .withRoleArn(batchJobRole)
            .withRoleSessionName("AssumedRoleSession");

    // The STS client runs under the Lambda execution role's own credentials
    AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClient.builder()
            .withCredentials(new DefaultAWSCredentialsProviderChain())
            .withRegion(Regions.US_WEST_2)
            .build();

    AssumeRoleResult assumeRoleResult = stsClient.assumeRole(assumeRoleRequest);
    String assumedRoleArn = assumeRoleResult.getAssumedRoleUser().getArn();

    // Log only the assumed-role ARN: the full AssumeRoleResult contains the
    // temporary secret access key and session token and must not reach the logs
    log.info("Assumed role user: {}", assumedRoleArn);

    // Use the assumed role's temporary credentials to access S3
    BasicSessionCredentials awsCredentials =
        new BasicSessionCredentials(
            assumeRoleResult.getCredentials().getAccessKeyId(),
            assumeRoleResult.getCredentials().getSecretAccessKey(),
            assumeRoleResult.getCredentials().getSessionToken());

    s3Client =
        AmazonS3ClientBuilder.standard()
            .withCredentials(new AWSStaticCredentialsProvider(awsCredentials))
            .withRegion(Regions.US_WEST_2)
            .build();

    ListObjectsV2Request req = new ListObjectsV2Request().withBucketName("source-buskt-name-us-west-2");
    ListObjectsV2Result listing = s3Client.listObjectsV2(req);

    // Only the first page is read here; for a large bucket check listing.isTruncated()
    // and resend with listing.getNextContinuationToken()
    List<S3ObjectSummary> getListObjects = listing.getObjectSummaries();

    for (S3ObjectSummary objSummary : getListObjects) {
      log.info("object key: {}", objSummary.getKey());
      s3ObjectsWithMeta.add(objSummary);
    }
    return s3ObjectsWithMeta;
  }
}
1 Answer

Hey there! The most common reason for a NoSuchBucket error is that the bucket name you're trying to access is incorrect or the bucket does not exist in the region you're specifying.

Here are some possible reasons:

  1. Incorrect Bucket Name or Region
  2. Permission or Policy Issue
  3. Assumed Role Credentials Issue

To ensure the cross-account role setup is correct and allows for the intended actions, please follow these guidelines:

  1. Roles Configuration Across Accounts:

    • You need to have two roles: one in Account A (Lambda execution role) and another in Account B (s3Role).
  2. Role in Account A Configuration:

    • The role in Account A should have permissions to assume another role. You must specify the ARN of the s3Role in Account B as a trusted entity in the trust policy of this role in Account A.
  3. Role in Account B Configuration (s3Role):

    • In Account B, s3Role must be configured with permissions to perform read, list, and put operations on the S3 bucket.
    • The trust policy of s3Role in Account B should include the ARN of the role in Account A, establishing trust and allowing the role in Account A to assume s3Role.
  4. Permission Policy Details:

    • Ensure that the permission policies attached to both roles are correctly defined to facilitate the cross-account access as intended.

I will provide an example to facilitate the diagnosis of the issue:

Account A (Lambda Execution Role)

Trusted Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "lambda.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}

Permission Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::ACCOUNT-B-ID:role/s3Role"
    }
  ]
}

Account B (s3Role for Accessing S3)

Trusted Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::ACCOUNT-A-ID:role/LambdaExecutionRole" },
      "Action": "sts:AssumeRole"
    }
  ]
}

Permission Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::YourBucketName",
        "arn:aws:s3:::YourBucketName/*"
      ]
    }
  ]
}

Please let me know if this helps you to identify the issue; I will be waiting for any comments from you.

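The answer lists three candidate causes but not how to tell them apart. The script below is an added diagnostic (example code, not from the question, the answer or the AWS SDK) that reproduces the Java flow in boto3 and checks the causes in an order that isolates each one: who the caller is after AssumeRole, whether the bucket name exists at all (HeadBucket returns 404 for an unregistered name and 403 for a bucket that exists but denies this principal), which region the bucket is in, and finally whether ListObjectsV2 is allowed. `diagnose()` is written against plain method names so it can be run offline with the constructed fake clients at the bottom; `live_clients()` needs boto3 and real credentials, and the role ARN is a parameter, so it works whether s3Role is in account A (as in the question) or account B (as in the answer's policies). The account id, bucket names and denial outcomes in the fakes are made up.

```python
from typing import Any


def error_code(exc: Exception) -> str:
    """Return the AWS error code from a botocore ClientError (or a look-alike)."""
    resp = getattr(exc, "response", None) or {}
    return str(resp.get("Error", {}).get("Code", ""))


def diagnose(sts: Any, s3: Any, bucket: str, client_region: str) -> dict:
    """Check identity, bucket existence, bucket region and list permission in turn.
    HeadBucket: 404 = name unknown (NoSuchBucket), 403 = exists but denied."""
    out = {"caller": None, "exists": None, "region": None, "listable": None, "finding": ""}
    out["caller"] = sts.get_caller_identity()["Arn"]  # the principal S3 will authorise
    try:
        s3.head_bucket(Bucket=bucket)
    except Exception as exc:
        code = error_code(exc)
        if code in ("404", "NoSuchBucket"):
            out["exists"] = False
            out["finding"] = f"bucket {bucket!r} does not exist: check the name"
            return out
        if code in ("403", "AccessDenied"):
            out["exists"] = True
            out["finding"] = (f"bucket exists but {out['caller']} is denied: check "
                              "s3Role's identity policy and the bucket policy")
            return out
        raise
    out["exists"] = True
    # GetBucketLocation reports None for us-east-1 (legacy API behaviour).
    out["region"] = s3.get_bucket_location(Bucket=bucket)["LocationConstraint"] or "us-east-1"
    if out["region"] != client_region:
        out["finding"] = f"bucket is in {out['region']} but the client targets {client_region}"
        return out
    try:
        s3.list_objects_v2(Bucket=bucket, MaxKeys=1)
        out["listable"], out["finding"] = True, "ok"
    except Exception as exc:
        out["listable"], out["finding"] = False, f"ListObjectsV2 failed: {error_code(exc)}"
    return out


def live_clients(role_arn: str, region: str):
    """Assume role_arn with the default credential chain, as the Java code does,
    and return (sts, s3) clients bound to the temporary credentials. Needs boto3."""
    import boto3  # imported lazily so the offline fakes below need no boto3
    creds = boto3.client("sts", region_name=region).assume_role(
        RoleArn=role_arn, RoleSessionName="AssumedRoleSession")["Credentials"]
    session = boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                            aws_secret_access_key=creds["SecretAccessKey"],
                            aws_session_token=creds["SessionToken"],
                            region_name=region)
    return session.client("sts"), session.client("s3")


# Constructed stand-ins (not real AWS responses) so diagnose() runs offline.
class AwsError(Exception):
    """Mimics the .response shape of botocore.exceptions.ClientError."""
    def __init__(self, code: str):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeSts:
    def get_caller_identity(self):  # made-up account id
        return {"Arn": "arn:aws:sts::111111111111:assumed-role/s3Role/AssumedRoleSession"}


class FakeS3:
    """buckets maps name -> (region, caller_is_allowed)."""
    def __init__(self, buckets: dict):
        self.buckets = buckets

    def _lookup(self, bucket: str):
        if bucket not in self.buckets:
            raise AwsError("404")  # HEAD on a name that exists nowhere
        return self.buckets[bucket]

    def head_bucket(self, Bucket: str):
        if not self._lookup(Bucket)[1]:
            raise AwsError("403")  # exists, but not for this principal

    def get_bucket_location(self, Bucket: str):
        region = self._lookup(Bucket)[0]
        return {"LocationConstraint": None if region == "us-east-1" else region}

    def list_objects_v2(self, Bucket: str, MaxKeys: int = 1000):
        if not self._lookup(Bucket)[1]:
            raise AwsError("AccessDenied")
        return {"KeyCount": 0, "IsTruncated": False}


SAMPLE_BUCKETS = {"source-bucket-name-us-west-2": ("us-west-2", True),
                  "locked-down-bucket": ("us-west-2", False),
                  "eu-bucket": ("eu-west-1", True)}
```

Offline, `diagnose(FakeSts(), FakeS3(SAMPLE_BUCKETS), "source-buskt-name-us-west-2", "us-west-2")` takes the 404 branch, which is the case that produces NoSuchBucket in the Java code: the name is not registered anywhere, so no policy is ever evaluated. Against real AWS, call `diagnose(*live_clients(role_arn, "us-west-2"), bucket, "us-west-2")`. Two points worth keeping in mind when reading the result: S3 only reports NoSuchBucket for a name that does not exist, a policy problem surfaces as AccessDenied (403), so the question's symptom points at the name or endpoint before the policies; and for the question's topology (s3Role in account A, bucket in account B) both s3Role's identity policy and the bucket policy in B must allow s3:ListBucket on the bucket ARN itself (`arn:aws:s3:::bucket`, not only `/*`), since cross-account access needs an allow on both sides.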
