I am trying to write a bucket policy denying all access to my bucket except my specific Lambda. I am trying to accomplish this by whitelisting the Lambda's role and assumed role ARN as shown in the policy below.
The reason for this is that I am working under a corporate AWS account where federated users assume either a "power user" or "read only" role. The "power user" role has full access to S3. I do not manage the permissions of these roles, and I need to prevent other corporate users who assume the "power user" role from accessing my bucket.
I am trying to get the role ARN using the AWS:SourceArn global condition context key, but it seems that AWS:SourceArn is not working as I expect:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "WhitelistRegistryAPILambdaRole",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:GetObjectVersion",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::{BucketName}",
        "arn:aws:s3:::{BucketName}/*"
      ],
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:iam::{AccountId}:role/{LambdaRoleName}"
        }
      }
    },
    {
      "Sid": "WhitelistRegistryAPILambdaAssumedRole",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:GetObjectVersion",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::{BucketName}",
        "arn:aws:s3:::{BucketName}/*"
      ],
      "Condition": {
        "ArnLike": {
          "AWS:SourceARN": "arn:aws:sts::{AccountId}:assumed-role/{LambdaRoleName}/{LambdaFunctionName}"
        }
      }
    }
  ]
}
The docs say that the aws:SourceArn global condition context key is not available for all services. Am I approaching this correctly?
Upvotes: 0
You are doing it backwards.
Unless you make a bucket public nobody has access to the contents.
Create a role for Lambda giving it permissions to access the bucket. Assign the role to Lambda.
Now only Lambda can access the bucket. If another service or user needs access to the bucket, create an IAM policy or role granting that user or service access.
Upvotes: 2
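The following is an added example, not code from either post. It builds the three policy documents involved in this thread: the trust policy and identity policy for the Lambda execution role the answer describes, and, for the question's situation (where other roles already hold S3 access through their own identity policies and the bucket policy must therefore carry an explicit Deny), a bucket policy that denies everyone except that role. The Deny uses the aws:PrincipalArn condition key rather than aws:SourceArn, because aws:SourceArn is only populated when one AWS service calls another on behalf of a resource; an SDK call made from Lambda code is evaluated on the caller's principal ARN. The account id, bucket name and role name are constructed placeholders, and the lockout check at the end is a simple static lint of my own, not an AWS feature.

```python
import json

# Constructed placeholder values; substitute your own.
ACCOUNT_ID = "123456789012"
BUCKET = "example-registry-bucket"
ROLE_NAME = "RegistryApiLambdaRole"

# The same object-level actions the question's policy grants.
OBJECT_ACTIONS = [
    "s3:PutObject", "s3:DeleteObject", "s3:DeleteObjectVersion",
    "s3:GetObjectVersion", "s3:GetObject",
]


def lambda_trust_policy() -> dict:
    """Trust policy for the execution role: only the Lambda service may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def lambda_bucket_access_policy(bucket: str) -> dict:
    """Identity policy attached to the role: object access to one bucket only (the answer's approach)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ObjectAccessToOneBucket",
            "Effect": "Allow",
            "Action": OBJECT_ACTIONS,
            "Resource": [f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def role_principal_patterns(account_id: str, role_name: str) -> list:
    """ARN patterns matching the role itself and any session assumed from it."""
    return [
        f"arn:aws:iam::{account_id}:role/{role_name}",
        f"arn:aws:sts::{account_id}:assumed-role/{role_name}/*",
    ]


def deny_all_but_role_bucket_policy(bucket: str, account_id: str, role_name: str,
                                    extra_allowed: list = None) -> dict:
    """Bucket policy with an explicit Deny that excludes the Lambda role (and optionally an
    admin role, so the bucket owner is not locked out). An explicit Deny overrides the s3:*
    Allow that other roles in the account hold in their identity policies."""
    allowed = role_principal_patterns(account_id, role_name) + list(extra_allowed or [])
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyEveryoneExceptLambdaRole",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": allowed}},
        }],
    }


def lockout_risks(policy: dict) -> list:
    """Static check (my own lint): flag Deny statements for all principals that carry no
    exception condition, since those would also deny whoever must later edit the policy."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Deny" and stmt.get("Principal") == "*":
            cond = stmt.get("Condition", {})
            if not any(k.startswith(("ArnNot", "StringNot")) for k in cond):
                findings.append(f"{stmt.get('Sid', '<no Sid>')}: Deny for all principals with no exception")
    return findings


if __name__ == "__main__":
    docs = {
        "trust policy": lambda_trust_policy(),
        "role identity policy": lambda_bucket_access_policy(BUCKET),
        "bucket policy": deny_all_but_role_bucket_policy(BUCKET, ACCOUNT_ID, ROLE_NAME),
    }
    for name, doc in docs.items():
        print(f"# {name}\n{json.dumps(doc, indent=2)}\n")
    print("lockout findings:", lockout_risks(docs["bucket policy"]))
```

Pass the ARN of an administrative role in `extra_allowed` before applying the bucket policy; otherwise the Deny also blocks the person who needs to change or remove it later.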