abhinav singh

Reputation: 1104

Error Accessing S3 bucket through Lambda function despite permissions

I created a lambda function which gets invoked on file upload to an S3 bucket. The function then scans the file and outputs the result in Cloudwatch. When I deploy the exact same infrastructure using a Cloudformation template, I get an error:

[ERROR] ClientError: An error occurred (403) when calling the HeadObject operation: Forbidden

The only difference between my trial and Cloudformation is that I am generating the bucket name dynamically in the template. Other than that, everything is the same. I am attaching the exact same permissions to the lambda function through CFN which would otherwise work in my testing.

I tried some of the other solutions mentioned where people fixed their system clock issue to get this working. I am doing everything through the UI and not using CLI.

My cloudformation template is uploaded here:

Can anyone help me solve this mystery? I am having a real tough time digging into this.

Upvotes: 1

Views: 385

Answers (1)

Marcin

Reputation: 238727

Your IAMManagedPolicy is incorrect. Statements such as:

arn:aws:s3:::{$S3Bucket}/*

will not resolve to your bucket's name, as you are missing Sub and the syntax is incorrect.

You can try the following (Sub and ${S3Bucket} added):

IAMManagedPolicy:
        Type: "AWS::IAM::ManagedPolicy"
        Properties:
            ManagedPolicyName: "bucket-scan-policy-2"
            Path: "/"
            PolicyDocument: !Sub |
                {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Sid": "VisualEditor0",
                            "Effect": "Allow",
                            "Action": [
                                "s3:GetObject",
                                "sns:Publish",
                                "kms:Decrypt",
                                "s3:PutObjectVersionTagging",
                                "s3:GetObjectTagging",
                                "s3:PutObjectTagging"
                            ],
                            "Resource": [
                                "arn:aws:sns:::<av-scan-start>",
                                "arn:aws:sns:::<av-status>",
                                "arn:aws:s3:::${S3Bucket}/*"
                            ]
                        },
                        {
                            "Sid": "VisualEditor1",
                            "Effect": "Allow",
                            "Action": [
                                "logs:CreateLogStream",
                                "logs:CreateLogGroup",
                                "logs:PutLogEvents"
                            ],
                            "Resource": "*"
                        },
                        {
                            "Sid": "VisualEditor2",
                            "Effect": "Allow",
                            "Action": "s3:*",
                            "Resource": "arn:aws:s3:::yara-rules/*"
                        },
                        {
                            "Sid": "VisualEditor3",
                            "Effect": "Allow",
                            "Action": "s3:*",
                            "Resource": "arn:aws:s3:::${S3Bucket}/*"
                        },
                        {
                            "Sid": "VisualEditor9",
                            "Effect": "Allow",
                            "Action": "s3:*",
                            "Resource": "arn:aws:s3:::${S3Bucket}"
                        },
                        {
                            "Sid": "VisualEditor4",
                            "Effect": "Allow",
                            "Action": "s3:*",
                            "Resource": "arn:aws:s3:::yara-rules"
                        }
                    ]
                }

Upvotes: 1
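As an added illustration (not code from the question or the answer), the following Python lint applies Fn::Sub-style `${Name}` substitution to a policy body and then checks whether the rendered policy grants `s3:GetObject` on an object in the bucket, which is the permission HeadObject needs. It goes a little beyond the page by matching IAM wildcards in Action and Resource; the bucket name, object key and both policy bodies are constructed samples.

```python
import fnmatch
import json
import re

# What Fn::Sub expands: ${Name}. The asker's {$Name} is not a placeholder and stays literal.
SUB_VAR = re.compile(r"\$\{([A-Za-z0-9_.:]+)\}")
MISTYPED_VAR = re.compile(r"\{\$[A-Za-z0-9_.:]+\}")

def fn_sub(text: str, variables: dict) -> str:
    """Expand ${Name} the way Fn::Sub does; an unknown name is an error, as at deploy time."""
    def repl(m):
        name = m.group(1)
        if name not in variables:
            raise KeyError(f"Fn::Sub: no value for ${{{name}}}")
        return variables[name]
    return SUB_VAR.sub(repl, text)

def allows(policy: dict, action: str, resource_arn: str) -> bool:
    """True if some Allow statement grants `action` on `resource_arn`.
    Wildcards use fnmatch ('*' spans '/'), a simplification of IAM matching."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(fnmatch.fnmatchcase(action, a) for a in actions) and \
           any(fnmatch.fnmatchcase(resource_arn, r) for r in resources):
            return True
    return False

def lint_policy(policy_text: str, variables: dict, object_arn: str) -> list:
    """Findings for a policy body as it would look after Fn::Sub has run on it."""
    findings = [f"literal placeholder survives substitution: {m.group(0)}"
                for m in MISTYPED_VAR.finditer(policy_text)]
    policy = json.loads(fn_sub(policy_text, variables))
    # HeadObject is authorised by s3:GetObject; without it S3 answers 403 Forbidden
    if not allows(policy, "s3:GetObject", object_arn):
        findings.append(f"no Allow for s3:GetObject on {object_arn}: HeadObject -> 403")
    return findings

# Constructed samples: the asker's form and the answer's corrected form
BROKEN_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                 "Resource": ["arn:aws:s3:::{$S3Bucket}/*"]}]
}"""
FIXED_POLICY = BROKEN_POLICY.replace("{$S3Bucket}", "${S3Bucket}")
VARS = {"S3Bucket": "upload-scan-bucket-a1b2c3"}  # hypothetical generated bucket name
OBJECT_ARN = "arn:aws:s3:::upload-scan-bucket-a1b2c3/incoming/sample.bin"
```

Running `lint_policy(BROKEN_POLICY, VARS, OBJECT_ARN)` reports both the surviving `{$S3Bucket}` literal and the missing GetObject grant, while the fixed body returns no findings.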
