Aleksey Bilogur

Reputation: 3846

Difficulty defining a working AWS role

I am trying to construct an AWS Lambda function that downloads and writes some data into an S3 bucket. The problem I am running into is that the write operation into S3 itself raises a PermissionDenied error.

This in turn implies that I am not writing the role correctly. However, I'm not sure what I'm doing wrong.

I have five buckets, all some variation on mta-gtfs-N. I've assigned the following Role to the Lambda function:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::mta-gtfs-1",
        "arn:aws:s3:::mta-gtfs-21",
        "arn:aws:s3:::mta-gtfs-11",
        "arn:aws:s3:::mta-gtfs-16",
        "arn:aws:s3:::mta-gtfs-2"
      ]
    }
  ]
}

Can anyone spot my error?

Upvotes: 1

Views: 35

Answers (2)

Khalid T.

Reputation: 10567

Your policy should be re-written as:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::mta-gtfs-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": [
        "arn:aws:s3:::mta-gtfs-*/*"
      ]
    }
  ]
}

Upvotes: 1

user818510

Reputation: 3652

You need to add a /* at the end of your resource string to give access to operations inside the bucket. Example: arn:aws:s3:::mta-gtfs-1/*

So your Resource array should be

"Resource": [
  "arn:aws:s3:::mta-gtfs-1/*",
  "arn:aws:s3:::mta-gtfs-21/*",
  "arn:aws:s3:::mta-gtfs-11/*",
  "arn:aws:s3:::mta-gtfs-16/*",
  "arn:aws:s3:::mta-gtfs-2/*"
]

Your policy with the above Resource section would allow operations like Get/Put Object. If you want to do bucket-level operations like S3:ListBucket, you need to omit the /* and use the resource names the way you are currently using them, but for operations like S3:*Object you need the /* (it can also be a "folder" prefix like <Bucket>/home/*).

Here is a sample policy for a test bucket. Note the usage of /*.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::test"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": ["arn:aws:s3:::test/*"]
    }
  ]
}

Upvotes: 3
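To see why both answers split bucket-level and object-level resources, here is an added example (not code from the question or either answer): a small offline evaluator that applies IAM's `*`/`?` wildcard matching to the asker's original policy and to the corrected shape, and checks which action/ARN pairs each one grants. It is a deliberate simplification of IAM evaluation (no Condition, NotAction/NotResource, resource policies or permission boundaries); the object key `feed.pb` is a constructed sample.

```python
import re

def _iam_match(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM wildcard matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(v):
    return [v] if isinstance(v, str) else list(v)

def is_allowed(policy: dict, action: str, resource_arn: str) -> bool:
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow grants."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive; S3 ARNs are compared case-sensitively.
        action_hit = any(_iam_match(a, action, True) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_iam_match(r, resource_arn, False) for r in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

# Constructed to match the question: bucket ARNs only, no "/*" object suffix.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "s3:*"],
        "Resource": ["arn:aws:s3:::mta-gtfs-1", "arn:aws:s3:::mta-gtfs-21", "arn:aws:s3:::mta-gtfs-11",
                     "arn:aws:s3:::mta-gtfs-16", "arn:aws:s3:::mta-gtfs-2"],
    }],
}

# The shape both answers recommend: bucket ARN for ListBucket, "bucket/*" for object operations.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]},
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::mta-gtfs-*"]},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": ["arn:aws:s3:::mta-gtfs-*/*"]},
    ],
}

if __name__ == "__main__":
    key = "arn:aws:s3:::mta-gtfs-1/feed.pb"  # constructed object ARN for the demo
    print("original policy, PutObject:", is_allowed(ORIGINAL_POLICY, "s3:PutObject", key))  # False
    print("fixed policy, PutObject:", is_allowed(FIXED_POLICY, "s3:PutObject", key))  # True
```

For a check against the real evaluation engine, including conditions, IAM's simulate-custom-policy API accepts a policy document plus action names and resource ARNs and reports allow/deny per pair.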
