CODEWITHSUNDEEP
amazon-web-servicesgoamazon-s3aws-lambdaterraform
Utsab
Utsab

Reputation: 23

AWS Golang S3 manager upload: Access denied

I am using S3 upload manager to upload a large file into S3.

if _, err := uploader.UploadWithContext(ctx, &s3manager.UploadInput{
        Bucket:          aws.String(s.Config.GetS3ExportBucket()),
        Key:             aws.String(key),
        Body:            bytes.NewReader(buf.Bytes()),
        ContentEncoding: aws.String("gzip"),
        ContentType:     aws.String("application/json"),
    }); err != nil {
        return fmt.Errorf("failed to upload file, %w", err)
    }

As per this AWS document I have provided the permissions as well to my lambda.

#Created Policy for IAM Role
resource "aws_iam_policy" "s3_write_policy" {
  name        = "${local.namespace}-s3-write-access"
  description = "Allow Lambda to access s3 where back will be written"
  policy      = data.aws_iam_policy_document.s3_write_policy.json
}

data "aws_iam_policy_document" "s3_write_policy" {
  statement {
    sid       = "WriteObjectActions"
    effect    = "Allow"
    actions   = [
      "s3:AbortMultipartUpload",
      "s3:GetObject",
      "s3:ListBucket",
      "s3:ListBucketMultipartUploads",
      "s3:PutObject",]
    resources = [
      aws_s3_bucket.db_export.arn]
  }
}

However, I keep getting access denied error from S3.

Upvotes: 1

Views: 1560

Answers (1)

Mayank Patel
Mayank Patel

Reputation: 8536

You need to provide access to not just the bucket but all the objects inside bucket as well.

Try this policy

data "aws_iam_policy_document" "s3_write_policy" {
  statement {
    sid       = "WriteObjectActions"
    effect    = "Allow"
    actions   = [
      "s3:AbortMultipartUpload",
      "s3:GetObject",
      "s3:ListBucket",
      "s3:ListBucketMultipartUploads",
      "s3:PutObject",]
    resources = [
      aws_s3_bucket.db_export.arn,
      "${aws_s3_bucket.db_export.arn}/*"]
  }
}

Upvotes: 5

Related Questions