Jed

Reputation: 512

403 from S3 despite allowing "s3:GetObject" action

I'm using Serverless to deploy my Lambda functions to AWS, one of which reads S3 objects. I have these permissions set up in my serverless.yml file:

iamRoleStatements:
    - Effect: Allow
      Action:
        - s3:ListBucket
        - s3:GetObject
      Resource: "arn:aws:s3:::myBucket"

However, after deploying the API, when I try to hit the endpoint Serverless gives me, I get a 403. I also went into IAM in the AWS console to check the lambdaRole for the applicable region and for S3, I see an "Access Level" of "Limited: List". My understanding is that I should see "Read" here as well based on the actions I am allowing.

Can anyone point me in the direction of what I might be missing?

Upvotes: 2

Views: 91

Answers (1)

jarmod

Reputation: 78793

The GetObject action operates on objects, not on buckets, so your policy is incorrect. Try the following:

iamRoleStatements:
    - Effect: Allow
      Action:
      - s3:ListBucket
      Resource: "arn:aws:s3:::myBucket"
    - Effect: Allow
      Action:
      - s3:GetObject
      Resource: "arn:aws:s3:::myBucket/*"

Upvotes: 4
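The point of the accepted answer is that IAM matches the Resource ARN against the ARN of the thing the action actually targets: s3:ListBucket targets the bucket ARN, s3:GetObject targets an object ARN of the form arn:aws:s3:::bucket/key, and a bucket-only ARN never matches an object ARN. The following added example (not from the question, the answer, or the Serverless project) is a small local evaluator that reproduces that matching rule for the two policies above and includes a lint that flags object-level actions granted only on bucket ARNs, which is the mistake in the original policy. It is a simplified model of IAM evaluation (explicit Deny wins, any Allow grants, otherwise implicit deny) and is not the AWS policy engine; the IAM Policy Simulator or the 403 itself is the authoritative check.

```python
"""Local reproduction of the bucket-ARN vs object-ARN mismatch.

Hypothetical helper written for this answer; it models only the parts of
IAM evaluation needed to show why the original policy yields a 403.
"""
import fnmatch

# Constructed: the two policies from the thread, as the role's statements
# would look once Serverless renders them into an IAM policy document.
BROKEN_POLICY = [
    {"Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::myBucket"]},
]
FIXED_POLICY = [
    {"Effect": "Allow",
     "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::myBucket"]},
    {"Effect": "Allow",
     "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::myBucket/*"]},
]

# Partial list of S3 actions that are evaluated against object ARNs
# (bucket/key), as opposed to bucket-level actions such as s3:ListBucket.
OBJECT_LEVEL_ACTIONS = {
    "s3:getobject", "s3:getobjectversion", "s3:putobject",
    "s3:deleteobject", "s3:deleteobjectversion",
}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names match case-insensitively and support * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, arn):
    # ARN comparison is case-sensitive; * spans any characters including '/'.
    return fnmatch.fnmatchcase(arn, pattern)


def is_allowed(policy, action, resource_arn):
    """Simplified identity-policy evaluation for one action/resource pair.

    Explicit Deny wins over any Allow; with no matching statement at all the
    result is an implicit deny (what the caller sees as a 403 from S3).
    """
    allowed = False
    for stmt in policy:
        if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_resource_matches(p, resource_arn) for p in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def check_s3_read(policy, bucket, key):
    """Return what a Lambda listing the bucket and then reading one key gets."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/{key}"
    return {
        "ListBucket": is_allowed(policy, "s3:ListBucket", bucket_arn),
        "GetObject": is_allowed(policy, "s3:GetObject", object_arn),
    }


def object_actions_on_bucket_arns(policy):
    """Lint: object-level actions whose resources are all bare bucket ARNs.

    Such statements can never match an object ARN, so the grant is dead.
    Returns (action, resource) pairs for each offending combination.
    """
    findings = []
    for stmt in policy:
        if stmt["Effect"] != "Allow":
            continue
        resources = _as_list(stmt["Resource"])
        # A bucket ARN has no '/' after the bucket name; an object ARN does.
        bucket_only = [r for r in resources if r.startswith("arn:aws:s3:::") and "/" not in r]
        if len(bucket_only) != len(resources):
            continue  # at least one object-level resource pattern is present
        for action in _as_list(stmt["Action"]):
            if action.lower() in OBJECT_LEVEL_ACTIONS:
                findings.extend((action, r) for r in bucket_only)
    return findings


if __name__ == "__main__":
    for name, policy in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(name, check_s3_read(policy, "myBucket", "data/report.json"))
        print(name, "lint:", object_actions_on_bucket_arns(policy))
```

Running it shows the original policy allowing ListBucket but denying GetObject on any key, which is exactly the "Limited: List" access level the question saw in the console, while the corrected two-statement policy allows both. The lint reports the s3:GetObject-on-bucket-ARN pair for the original policy and nothing for the fix.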
