Joost Schuur

Reputation: 4482

Trying to give my lambda putObject access to an existing S3 bucket via serverless

I am stuck trying to assign permissions to an S3 bucket for my lambda when using the Serverless framework.

I have a single lambda function that ultimately writes a JSON config file to an S3 bucket that I'd like to serve via the web to an application. I initially set up an S3 bucket separately (not in serverless.yml), and my lambda successfully creates the file in the correct S3 bucket, but I get an 'internal server error' when I deploy it to AWS. I assume this is because the permissions set up on deploy don't grant it write access to the bucket.

I am a bit at odds as to how to do this. I have read this thread, for example, and tried supplementing my serverless.yml with this:

provider:
  name: aws
  runtime: nodejs8.10
  stage: dev
  region: eu-west-1
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "s3:PutObject"
      Resource:
        Fn::Join:
          - ""
          - - "arn:aws:s3:::"
            - Ref: arn:aws:s3:::com.joostschuur.quizdata

In this case, arn:aws:s3:::com.joostschuur.quizdata is the manually created S3 bucket that I set up and would like my deployed lambda to have write access to. However, this results in an error on deploy:

The CloudFormation template is invalid: Template format error: Unresolved resource dependencies [arn:aws:s3:::com.joostschuur.quizdata] in the Resources block of the template

If there is a way to put all the S3 setup into serverless.yml (i.e. specify the bucket, specify that files in it should be accessible via the web etc), I'm happy to do it that way too.

Suggestions?

Upvotes: 4

Views: 2442

Answers (1)

In the iamRoleStatements specification there is an error; it should be:

  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "s3:PutObject"
      Resource: arn:aws:s3:::com.joostschuur.quizdata/*

Or

  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "s3:PutObject"
      Resource:
        Fn::Join:
          - ":"
          - - "arn:aws:s3::"
            - "com.joostschuur.quizdata/*"

This error:

The CloudFormation template is invalid: Template format error: Unresolved resource dependencies [arn:aws:s3:::com.joostschuur.quizdata] in the Resources block of the template

is related to:

    - Ref: arn:aws:s3:::com.joostschuur.quizdata

Because this is not a reference to a parameter or a variable.

Enjoy!

Upvotes: 6
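
The two problems in this thread, a `Ref` whose target is not a declared logical ID and an object-level action such as `s3:PutObject` that needs an object ARN ending in `/*` rather than the bare bucket ARN, can be caught before deploy. The following is an added example, not part of the original question or answer; it works on already-parsed `iamRoleStatements`, and the function names, finding labels and the `declared_ids` parameter are assumptions for illustration.

```python
# Added example: pre-deploy lint over already-parsed iamRoleStatements (plain dicts).
OBJECT_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:DeleteObject"}

def find_refs(node):
    """Yield every Ref target found anywhere in a nested dict/list structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Ref" and isinstance(value, str):
                yield value
            else:
                yield from find_refs(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_refs(item)

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint(statements, declared_ids=()):
    """Return (statement index, finding label, offending value) tuples."""
    findings = []
    known = set(declared_ids)  # logical IDs / parameters declared in the template
    for i, stmt in enumerate(statements):
        for ref in find_refs(stmt):
            # Ref must name a declared logical ID/parameter or an AWS:: pseudo parameter.
            if ref not in known and not ref.startswith("AWS::"):
                findings.append((i, "unresolved-ref", ref))
        actions = set(as_list(stmt.get("Action", [])))
        for res in as_list(stmt.get("Resource", [])):
            # Only literal ARNs are checked; intrinsic functions are skipped.
            if (isinstance(res, str) and res.startswith("arn:aws:s3:::")
                    and "/" not in res and actions & OBJECT_ACTIONS):
                findings.append((i, "bucket-arn-for-object-action", res))
    return findings

# Constructed inputs mirroring the question's and the answer's statements.
QUESTION = [{"Effect": "Allow", "Action": ["s3:PutObject"],
             "Resource": {"Fn::Join": ["", ["arn:aws:s3:::",
                          {"Ref": "arn:aws:s3:::com.joostschuur.quizdata"}]]}}]
ANSWER = [{"Effect": "Allow", "Action": ["s3:PutObject"],
           "Resource": "arn:aws:s3:::com.joostschuur.quizdata/*"}]

if __name__ == "__main__":
    print(lint(QUESTION))
    print(lint(ANSWER))
```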
