Reputation: 83
I'm creating an AWS Lambda function that tries to download a file (s3.download_file) to a temp dir that I create using the tempfile library from Python (3.6). Then I make some transformations to the file and I need to upload it (s3.upload_file) again. I'm confident about the life cycle of my temp dir: when the Lambda finishes its job, the temp dir is going to destroy itself. The Lambda returns an error related to a forbidden HeadObject operation. The exact error is:
"An error occurred (403) when calling the HeadObject operation: Forbidden"
How can I debug this error? I already checked several sources; some of them talk about adjusting policies and checking permissions, but my question is: is there some step-by-step guide (that AWS doesn't have in its documentation) that allows me to survive this problem?
Upvotes: 5
Views: 26647
Reputation: 78643
Your API calls to S3 are made using AWS credentials. If you want to invoke the HTTP HEAD (or HeadObject) operation on an S3 object, then your credentials need to have permission for the S3 object in question.
Check the IAM policies associated with the IAM role that the Lambda function is using. You need the s3:GetObject permission.
Note one additional thing with HeadObject: if the object you request does not exist, the error that S3 returns depends on whether or not you also have the s3:ListBucket permission:
If you have the s3:ListBucket permission on the bucket, S3 returns an HTTP status code 404 ("no such key") error.
If you don't have the s3:ListBucket permission, S3 returns an HTTP status code 403 ("access denied") error.
Here's an example of an S3 policy that would allow the s3:GetObject action against all objects in mybucket and also allow s3:ListBucket on mybucket:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::mybucket/*"
]
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": [
"arn:aws:s3:::mybucket"
]
}
]
}
Upvotes: 8
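The practical consequence of the 403-vs-404 rule in the answer above is that a mistyped key and a missing permission produce the identical error unless the role also holds s3:ListBucket. The following is an added example, not code from the original question or answer, that models S3's authorization decision for HeadObject against an identity policy so the two cases can be compared side by side without touching AWS. It deliberately covers only what the answer discusses (Allow/Deny statements with wildcard Action and Resource, explicit Deny overriding Allow, and the ListBucket rule for missing keys); conditions, NotAction/NotResource, bucket policies and SCPs are out of scope, and the bucket name, keys and policies are constructed for the example.

```python
"""Simplified model of S3's authorization decision for HeadObject.

Added example; it is not AWS code and not the original poster's code.
Assumptions: identity policy only, no Condition blocks, no NotAction /
NotResource, no bucket policy. Bucket and key names are constructed.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM-style wildcard match ('*' matches any run, '?' one character)."""
    return fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """True if the identity policy allows `action` on `resource`.

    Default deny; any matching explicit Deny overrides every Allow.
    Action names are compared case-insensitively, resource ARNs exactly.
    """
    allowed = False
    for stmt in policy.get("Statement", []):
        action_hit = any(_matches(a.lower(), action.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource)
                           for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def head_object_status(policy, bucket, key, existing_keys):
    """HTTP status S3 would return for HeadObject under this model.

    200: object exists and s3:GetObject is allowed on its ARN.
    404: object is missing and the caller holds s3:ListBucket on the bucket.
    403: everything else, so a mistyped key is indistinguishable from a
         missing permission unless s3:ListBucket is granted.
    """
    object_arn = "arn:aws:s3:::%s/%s" % (bucket, key)
    bucket_arn = "arn:aws:s3:::%s" % bucket
    if key in existing_keys:
        return 200 if is_allowed(policy, "s3:GetObject", object_arn) else 403
    return 404 if is_allowed(policy, "s3:ListBucket", bucket_arn) else 403


# Constructed sample policies, modelled on the one in the answer above.
POLICY_GET_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::mybucket/*"},
    ],
}

POLICY_GET_AND_LIST = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": ["arn:aws:s3:::mybucket/*"]},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": ["arn:aws:s3:::mybucket"]},
    ],
}

# Broad Allow with an explicit Deny carved out of it: Deny always wins.
POLICY_WITH_DENY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::mybucket/secret/*"},
    ],
}

# Constructed bucket contents (hypothetical keys).
EXISTING_KEYS = {"input/report.csv", "secret/keys.txt"}


def run_cases():
    """Evaluate each policy against a real key, a mistyped key and a denied key."""
    results = {}
    policies = {"get_only": POLICY_GET_ONLY,
                "get_and_list": POLICY_GET_AND_LIST,
                "with_deny": POLICY_WITH_DENY}
    for name, policy in policies.items():
        for key in ("input/report.csv", "input/reprot.csv", "secret/keys.txt"):
            results[(name, key)] = head_object_status(
                policy, "mybucket", key, EXISTING_KEYS)
    return results


if __name__ == "__main__":
    for (name, key), status in sorted(run_cases().items()):
        print("%-13s %-18s -> %d" % (name, key, status))
```

Running it shows the "get_only" role getting 403 for the mistyped key input/reprot.csv while the "get_and_list" role gets 404 for the same request, which is why granting s3:ListBucket on the bucket (as the answer's policy does) is the first thing to do when debugging a HeadObject 403 from download_file: it turns a typo into a readable 404 instead of a misleading Forbidden.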