Reputation: 4000
I am following the AWS Lambda tutorial, currently at: https://docs.aws.amazon.com/lambda/latest/dg/with-s3-example.html
I did the next part in the AWS console, because I am not sure what the arguments were supposed to look like from the command line in the tutorial.
The role shows:
Permissions Tab:
Trust relationships:
Tags: Blank
Access Advisor:
The test event looks like this:
    {
      "Records": [
        {
          "eventVersion": "2.0",
          "eventSource": "aws:s3",
          "awsRegion": "us-west-2",
          "eventTime": "1970-01-01T00:00:00.000Z",
          "eventName": "ObjectCreated:Put",
          "userIdentity": {
            "principalId": "AIDAJDPLRKLG7UEXAMPLE"
          },
          "requestParameters": {
            "sourceIPAddress": "127.0.0.1"
          },
          "responseElements": {
            "x-amz-request-id": "C3D13FE58DE4C810",
            "x-amz-id-2": "FMyUVURIY8/IgAtTv8xRjskZQpcIZ9KG4V5Wp6S7S/JRWeUWerMUE5JgHvANOjpD"
          },
          "s3": {
            "s3SchemaVersion": "1.0",
            "configurationId": "testConfigRule",
            "bucket": {
              "name": "christopher-test-source",
              "ownerIdentity": {
                "principalId": "A3NL1KOZZKExample"
              },
              "arn": "arn:aws:s3:::christopher-test-source"
            },
            "object": {
              "key": "HappyFace.jpg",
              "size": 1024,
              "eTag": "d41d8cd98f00b204e9800998ecf8427e",
              "versionId": "096fKKXTRTtl3on89fVO.nfljtsv6qko"
            }
          }
        }
      ]
    }
The role has the AWSLambdaExecute policy, and if I click the JSON tab, it shows the following:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "logs:*"
          ],
          "Resource": "arn:aws:logs:*:*:*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:PutObject"
          ],
          "Resource": "arn:aws:s3:::*"
        }
      ]
    }
When I try to run it via the test button in the console, I get the following error:
    START RequestId: 11528d5a-e9f3-4b53-aef8-9b5a5934cd63 Version: $LATEST
    An error occurred (403) when calling the HeadObject operation: Forbidden: ClientError
    Traceback (most recent call last):
      File "/var/task/create_thumbnail.py", line 22, in handler
        s3_client.download_file(bucket, key, download_path)
      File "/var/task/boto3/s3/inject.py", line 172, in download_file
        extra_args=ExtraArgs, callback=Callback)
      File "/var/task/boto3/s3/transfer.py", line 307, in download_file
        future.result()
      File "/var/task/s3transfer/futures.py", line 106, in result
        return self._coordinator.result()
      File "/var/task/s3transfer/futures.py", line 265, in result
        raise self._exception
      File "/var/task/s3transfer/tasks.py", line 255, in _main
        self._submit(transfer_future=transfer_future, **kwargs)
      File "/var/task/s3transfer/download.py", line 345, in _submit
        **transfer_future.meta.call_args.extra_args
      File "/var/task/botocore/client.py", line 357, in _api_call
        return self._make_api_call(operation_name, kwargs)
      File "/var/task/botocore/client.py", line 661, in _make_api_call
        raise error_class(parsed_response, operation_name)
    botocore.exceptions.ClientError: An error occurred (403) when calling the HeadObject operation: Forbidden
    END RequestId: 11528d5a-e9f3-4b53-aef8-9b5a5934cd63
    REPORT RequestId: 11528d5a-e9f3-4b53-aef8-9b5a5934cd63 Duration: 467.98 ms Billed Duration: 500 ms Memory Size: 128 MB Max Memory Used: 79 MB Init Duration: 335.18 ms
    XRAY TraceId: 1-5d801e11-ab1b32529b00e590684dfe16 SegmentId: 316a1aa70e80ba67 Sampled: false
I am pretty sure boto needs me to set my AWS credentials, doesn't it? I am not sure how to do that in AWS Lambda. Or is this a different error?
Upvotes: 0
Views: 1349
Reputation: 68715
You are using a role for executing Lambda, which is the right way to do it. You don't need to use any credentials when you use AWS service-to-service communication, and using a service role is the correct way.
You have not shared your role definition, but it seems that the role christopher-lambda-test does not have the required permissions.
Upvotes: 1
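An offline check of the policy JSON from the question, added here as an example and not part of the original posts: it evaluates only the identity policy's Allow/Deny statements (no conditions, bucket policies or KMS), and the helper names are hypothetical. HeadObject is authorized by `s3:GetObject`, and S3 answers 403 instead of 404 for a missing key when the caller lacks `s3:ListBucket` on the bucket, so the check reports both.

```python
import re

# Policy JSON as shown in the question (AWSLambdaExecute).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["logs:*"],
         "Resource": "arn:aws:logs:*:*:*"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild(pattern, value, flags=0):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, flags | re.DOTALL) is not None

def is_allowed(policy, action, resource):
    """Explicit Deny wins; otherwise any matching Allow grants access."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not any(_wild(a, action, re.IGNORECASE)
                   for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_wild(r, resource)
                   for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def diagnose(policy, bucket, key):
    """What download_file(bucket, key, ...) needs from the identity policy."""
    return {
        # HeadObject and GetObject are both authorized by s3:GetObject.
        "can_read_object": is_allowed(
            policy, "s3:GetObject", f"arn:aws:s3:::{bucket}/{key}"),
        # Without s3:ListBucket, a missing key is reported as 403, not 404.
        "missing_key_shows_404": is_allowed(
            policy, "s3:ListBucket", f"arn:aws:s3:::{bucket}"),
    }

if __name__ == "__main__":
    # Bucket and key taken from the test event in the question.
    print(diagnose(POLICY, "christopher-test-source", "HappyFace.jpg"))
```

With the question's policy, the object read is allowed and a missing key would surface as 403, so the things to verify next are that the key named in the test event exists in the bucket and that this policy is the one attached to the function's execution role.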