Reputation: 121
lambda cannot access to s3 bucket restricted by cloudfront
I have a s3 bucket as origin of a cloudfront. The bucket have all public access blocked. I create a lambda function that download, process and upload s3 object. I create a role for the lambda and add a non public policy, according the meaning of public for amazon resources.. Here is the policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "S3LambdaAccessObject",
"Effect": "Allow",
"Action": "s3:*Object",
"Resource": "arn:aws:s3:::XXXXXXXXXXXXX-dev-videos-origin/*",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:lambda:us-east-1:XXXXXXXXXXXXX:function:YYYYYYYYYYYY_conversor"
}
}
},
{
"Sid": "S3LambdaListBucket",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::XXXXXXXXXXXXX-dev-videos-origin",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:lambda:us-east-1:XXXXXXXXXXXXX:function:YYYYYYYYYYY_conversor"
}
}
}
However, i get access denied code when trying to download and upload a file to the s3 via sdk. I even has added the lamnda to the s3 policies but still no result:
{
"Version": "2012-10-17",
"Id": "aws_iam_policy_document_origin",
"Statement": [
{
"Sid": "S3GetObjectForCloudFront",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::XXXXXXXXXXX-origin/*"
},
{
"Sid": "S3ListBucketForCloudFront",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::XXXXXXXXXXX-origin"
},
{
"Sid": "S3PutObjectForCloudFront",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"
},
"Action": [
"s3:PutObjectVersionAcl",
"s3:PutObjectAcl",
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::XXXXXXXXXXX-origin/private/*"
},
{
"Sid": "S3LambdaAccessObject",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:*Object",
"Resource": "arn:aws:s3:::XXXXXXXXXXX-origin/*",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:lambda:us-east-1:YYYYYYYYYYY:function:XXXXXXXXXXX"
}
}
},
{
"Sid": "S3LambdaListBucket",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::XXXXXXXXXXX-origin",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:lambda:us-east-1:YYYYYYYYYYY:function:XXXXXXXXXXX"
}
}
}
]
}
]
}
The lambda work just fine if the public access blocking is removed. What I am doing wrong?
Upvotes: 3
Views: 815
Answers (2)
Reputation: 121
The problem is that the code that I was testing try to upload a file with public ACL policy, what is denied by the s3, having all the public access blocked. The blocking also prevent any account or service to update this non public policy for the bucket or object: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html
Upvotes: 0
Reputation: 35258
The whitelist for the Lambda function Arn will not work as the Lambda function connects using its Lambda role to perform any of these interactions.
Instead you will need to whitelist the IAM role that your Lambda has attached to it. This is done by using the Principal of the IAM role Arn.
You will still need to ensure that the IAM role contains the permissions it needs to access S3 additionally.
Upvotes: 5
Related Questions
- AWS CloudFront access denied to S3 bucket
- Getting "AccessDenied: Access Denied" inside lambda when getting an object from s3
- 503 error in authentication using Cloudfront and AWS Lambda for S3 hosted website
- Limited access to AWS S3 bucket
- AWS CloudFront Returns Access Denied from S3 Origin with Query String
- Access Denied when using Lamda Edge with CloudFront to access S3
- AWS S3 and CloudFront Restrict Bucket Access
- AWS: redirection to Lambda function doesn't work from CloudFront Distribution
- CloudFront responds with 403 Forbidden instead of triggering Lambda
- How to allow CloudFront to access certain S3?