Lambda function cannot access S3 bucket, even after granting IAM role/policy

0

I have followed the instructions for creating an AWS Lambda function and have created an IAM user role for an AWS Lambda function to access an S3 bucket. I have allowed both the putObject and getObject actions for the role, and specified which bucket I wanted Lambda to access within the creation page for the policy. Additionally, I unchecked the "Block all public access" button while creating my S3 bucket. However, whenever I try using boto3:

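import json

import boto3

s3 = boto3.client('s3')
bucket_name = 'example_bucketname'
object_key = 'data.json'


# The enclosing function was not shown in the post; this name is a placeholder.
def load_cached_data():
    # Fetch the cached JSON object; a missing key is treated as "no data".
    try:
        response = s3.get_object(Bucket=bucket_name, Key=object_key)
        cached_data = response['Body'].read().decode('utf-8')
        return json.loads(cached_data)
    except s3.exceptions.NoSuchKey:
        return None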

I receive an error stating "An error occurred (AccessDenied) when calling the GetObject operation: Access Denied" when testing my lambda function. Am I forgetting anything?

Any help will be much appreciated. Thank you! (Additionally, I have already looked at the guide posted by AWS OFFICIAL and I have also watched the YouTube video created by Francisco on the AWS OFFICIAL YouTube channel).

3 Answers
1
Accepted Answer

Something that will help you get more information is adding ListBucket permission to your function's IAM Role. I see you're trying to trap s3.exceptions.NoSuchKey but without ListBucket permission you'll never get this. Instead, if your object_key is wrong then you'll get "access denied".

Note that ListBucket applies to the bucket, not objects, so should be allowed for the "example_bucketname" resource, whereas GetObject & PutObject should be allowed for "example_bucketname/*".

If you're still having trouble please post your IAM policy here.

Expert
answered 2 months ago
Expert
reviewed 2 months ago
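
The resource scoping described in the accepted answer, as an added example that is not part of the original thread: it builds a role policy with `s3:ListBucket` on the bucket ARN and the object actions on `bucket/*`, then checks a policy document for actions attached to the wrong ARN type. The names `build_policy`, `audit_s3_policy` and `BUCKET_ONLY_POLICY` are hypothetical, the sample policy is constructed, and the checker assumes exact action names and ARNs (no wildcards in actions, no Deny statements or conditions).

```python
BUCKET_ACTIONS = {"s3:ListBucket"}                 # matched against the bucket ARN
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject"}  # matched against object ARNs

# Constructed sample: object actions granted on the bucket ARN only.
BUCKET_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                  "Resource": "arn:aws:s3:::example_bucketname"},
}


def build_policy(bucket):
    """Role policy scoped as the accepted answer describes (hypothetical helper)."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": arn},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"{arn}/*"},
    ]}


def _as_list(value):
    # IAM allows a single value or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def audit_s3_policy(policy, bucket):
    """Return (action, problem) pairs for grants that cannot take effect."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    mentioned, effective = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action not in BUCKET_ACTIONS | OBJECT_ACTIONS:
                continue
            mentioned.add(action)
            for res in _as_list(stmt.get("Resource", [])):
                on_bucket = res == bucket_arn
                on_objects = res.startswith(bucket_arn + "/")
                if (action in BUCKET_ACTIONS and on_bucket) or (
                        action in OBJECT_ACTIONS and on_objects):
                    effective.add(action)
    findings = [(a, "wrong ARN type") for a in sorted(mentioned - effective)]
    if "s3:ListBucket" not in mentioned:
        # Without it, a wrong key shows up as AccessDenied, not NoSuchKey.
        findings.append(("s3:ListBucket", "not granted"))
    return findings


if __name__ == "__main__":
    print(audit_s3_policy(BUCKET_ONLY_POLICY, "example_bucketname"))
```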
1

The IAM Policy Simulator can be utilized to verify that your service roles possess the required permissions to execute the desired action.

IAM Policy Simulator

If the simulator encounters a failure when applying the service role to the resources, it indicates that your policy is improperly configured and requires correction.

Expert
answered 2 months ago
0

Hello.

Are the S3 bucket name and object key correct?
Did you set the IAM policy for the correct IAM role?
You can check the Lambda IAM role as shown in the image below.

Also, since you are accessing with IAM, there is no need to uncheck "Block all public access".

Expert
answered 2 months ago
