Reputation: 491
This may be a general AWS question, but still the way that CDK allows you to use this has an unexpected result in my opinion, and I'm not sure why.
In the code below I'm supposedly giving read permissions to the Lambda service principal. This doesn't work though and Lambdas are unable to read from this bucket. The only way I could get them to work is to update their Lambda policy, allowing them access to the bucket by ARN.
Why doesn't this work? And since it's allowed (the policy is set fine to the bucket) what does this mean?
Thanks!
# Imports implied by the names used below (CDK v1 module layout)
from aws_cdk import core, aws_iam as iam, aws_s3 as S3
from aws_cdk.aws_s3 import BucketEncryption

# Inside the stack's __init__; bucket_lifecycle_rules is defined elsewhere in the stack
bucket = S3.Bucket(
    scope=self,
    id='MyBucket',
    versioned=True,
    block_public_access=S3.BlockPublicAccess.BLOCK_ALL,
    encryption=BucketEncryption.KMS_MANAGED,
    removal_policy=core.RemovalPolicy.DESTROY,
    lifecycle_rules=[bucket_lifecycle_rules],
)
# A ServicePrincipal has no identity policy to extend, so CDK falls back to
# adding a statement to the bucket's resource policy with Principal: Service
lambda_service_principal = iam.ServicePrincipal('lambda.amazonaws.com')
bucket.grant_read(lambda_service_principal)
Upvotes: 1
Views: 2241
Reputation: 269302
It is not the Lambda "service" that accesses the bucket. It is the IAM Role used by the Lambda function that accesses the bucket. That's why you need to either use a Bucket Policy that grants access to the IAM Role, or (better) add permissions to the IAM Role to access the bucket.
When the Lambda container is created, Lambda will 'assume' the IAM Role that is associated with the function. These credentials are then provided via the EC2 Instance Metadata Service in the same way that roles can be assigned to an Amazon EC2 instance.
The Lambda function will use these credentials to access services, so the requests will come "from the IAM Role" rather than from the Lambda service.
Upvotes: 4
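To make the answer's point concrete, here is an added illustration (not code from the question, the answer, or the CDK project) that models how the three policies compare. It uses a deliberately simplified, same-account evaluator: the bucket ARN, account id, role name and session name are constructed sample values, and the policy documents are written in the shape CDK's grant_read produces (the s3:GetObject*, s3:GetBucket*, s3:List* action set), reduced to the parts that matter here. The real IAM engine merges every applicable policy and has more rules than this.

```python
import fnmatch

# Constructed sample identifiers (not from the original question).
ACCOUNT_ID = "123456789012"
BUCKET_ARN = "arn:aws:s3:::example-bucket"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/MyFunctionServiceRole"
READ_ACTIONS = ["s3:GetObject*", "s3:GetBucket*", "s3:List*"]
BUCKET_RESOURCES = [BUCKET_ARN, BUCKET_ARN + "/*"]


def assumed_role_arn(role_arn, session_name):
    """The caller ARN a Lambda function actually presents: an STS assumed-role
    session of its execution role, not the lambda.amazonaws.com service."""
    account = role_arn.split(":")[4]
    role_name = role_arn.rsplit("/", 1)[1]
    return f"arn:aws:sts::{account}:assumed-role/{role_name}/{session_name}"


def service_principal_bucket_policy():
    """Bucket policy in the shape grant_read(ServicePrincipal(...)) produces."""
    return {"Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "lambda.amazonaws.com"},
                           "Action": READ_ACTIONS, "Resource": BUCKET_RESOURCES}]}


def role_bucket_policy():
    """Bucket policy naming the execution role by ARN (what the asker did by hand)."""
    return {"Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": ROLE_ARN},
                           "Action": READ_ACTIONS, "Resource": BUCKET_RESOURCES}]}


def role_identity_policy():
    """Identity policy on the role itself (no Principal element); grant_read(fn)
    on the Function construct produces this shape."""
    return {"Statement": [{"Effect": "Allow",
                           "Action": READ_ACTIONS, "Resource": BUCKET_RESOURCES}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_matches(principal, caller_arn):
    """Simplified principal matching. A 'Service' principal only matches calls an
    AWS service makes on its own behalf, so an assumed-role session never matches
    it. An 'AWS' entry matches the session ARN itself or the underlying role ARN.
    None means the policy is attached to the caller's identity."""
    if principal is None:
        return True
    if "AWS" not in principal:
        return False
    for entry in _as_list(principal["AWS"]):
        if entry == "*" or entry == caller_arn:
            return True
        if entry.startswith("arn:aws:iam::") and ":role/" in entry:
            # arn:aws:iam::ACCT:role/Name covers arn:aws:sts::ACCT:assumed-role/Name/<session>
            acct = entry.split(":")[4]
            name = entry.rsplit("/", 1)[1]
            if caller_arn.startswith(f"arn:aws:sts::{acct}:assumed-role/{name}/"):
                return True
    return False


def is_allowed(policy, caller_arn, action, resource):
    """Same-account evaluation of a single policy document: an explicit Deny
    wins, otherwise any matching Allow statement grants the call."""
    allowed = False
    for st in policy["Statement"]:
        if not principal_matches(st.get("Principal"), caller_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    caller = assumed_role_arn(ROLE_ARN, "my-function")
    obj = BUCKET_ARN + "/data/file.txt"
    for label, policy in [("bucket policy, Service principal", service_principal_bucket_policy()),
                          ("bucket policy, role ARN", role_bucket_policy()),
                          ("identity policy on the role", role_identity_policy())]:
        verdict = "ALLOW" if is_allowed(policy, caller, "s3:GetObject", obj) else "DENY"
        print(f"{label:35s} s3:GetObject -> {verdict}")
```

Running it shows the first policy denying and the other two allowing, which is the answer's point: the statement on the bucket is valid, it just names a principal that never makes the request. In CDK the idiomatic fix is to pass the Function construct itself, `bucket.grant_read(fn)`, so the statement lands on the function's execution role rather than on the bucket.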