Prabhu Singh

Reputation: 75

An error occurred (AccessDenied) when calling the CopyObject operation: Access Denied

I am getting this error when using the copy_object method of boto3 while running my Python code in AWS Lambda.

AWS Lambda Code

import json
import boto3

def lambda_handler(event, context):
    some_binary_data = b'Here we have some data'
    client = boto3.client("s3")

    # Upload - Working
    client.put_object(Body=some_binary_data, Bucket='test', Key="upload/binary_1.txt")
    
    # Copy - Working
    s3 = boto3.resource('s3')
    copy_source = {
        'Bucket': 'test',
        'Key': 'upload/binary_1.txt'
    }
    s3.meta.client.copy(copy_source, 'test', 'upload/binary_1_copied.txt')

    # Copy - NOT WORKING
    # Access Denied even after adding GetObjectTagging and PutObjectTagging permissions in the policy

    client.copy_object(Bucket="test", CopySource="upload/binary_1.txt", Key="upload/binary_1_copied.txt")

    # Delete - Working
    client.delete_object(Bucket="test", Key="upload/binary_1.txt")
    
    return {
        'statusCode': 200,
        'body': json.dumps('Hello from Lambda!')
    }

I am using this policy (shown below as JSON) for the role assigned to my Lambda function.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ReplicateObject",
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectTagging",
                "s3:ListBucket",
                "s3:PutObjectTagging",
                "s3:DeleteObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::test/*",
                "arn:aws:s3:::test"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        }
    ]
}

Note: the S3 bucket currently contains the file upload/binary_1.txt.

Upvotes: 1

Views: 5381

Answers (1)

Marcin

Reputation: 238957

If test is the actual bucket name, then you can't use it. Bucket names must be unique across all AWS accounts and regions. From the docs:

An Amazon S3 bucket name is globally unique, and the namespace is shared by all AWS accounts. This means that after a bucket is created, the name of that bucket cannot be used by another AWS account in any AWS Region until the bucket is deleted.

So you get Access Denied because the test bucket belongs to someone else. You have to ensure that your bucket names are unique and not used by anyone else.

Upvotes: 1
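Independently of whose bucket test is, there is a second difference between the working and the failing copy in the question that is worth checking: the managed copy passes a CopySource dict that carries 'Bucket', while the copy_object call passes the bare key "upload/binary_1.txt". boto3 sends CopySource in the x-amz-copy-source header as "bucket/key", and S3 takes everything before the first "/" as the bucket name, so that string is read as bucket "upload", key "binary_1.txt". The role's policy only grants s3:GetObject on arn:aws:s3:::test/*, so a read from a bucket called "upload" is refused with the same AccessDenied you would get if the bucket belonged to another account. The following is an added example, not code from the question or the answer: a small parser that shows how each CopySource form is interpreted, a check that fails before the request goes out, and a wrapper that always names the bucket explicitly. RecordingClient is a constructed stand-in for the boto3 S3 client so the example runs offline; the bucket name in the commented-out real call is a placeholder.

```python
"""Added example: how S3 reads boto3's CopySource, and a copy wrapper
that always sends the bucket name with the source key.

Not code from the question or the answer. RecordingClient is a
constructed test double; no AWS credentials or network are needed.
"""


def parse_copy_source(copy_source):
    """Return (bucket, key) as S3 will interpret a CopySource value.

    Mirrors boto3's handling: a dict becomes "Bucket/Key", a string is
    sent unchanged in x-amz-copy-source. A "?versionId=..." suffix and
    URL-encoding of the key are left out here; neither changes which
    bucket is named.
    """
    if isinstance(copy_source, dict):
        return copy_source["Bucket"], copy_source["Key"]
    if not isinstance(copy_source, str):
        raise TypeError("CopySource must be a dict or a 'bucket/key' string")
    bucket, slash, key = copy_source.lstrip("/").partition("/")
    if not slash or not bucket or not key:
        raise ValueError(
            f"CopySource {copy_source!r} does not have the form 'bucket/key'"
        )
    return bucket, key


def check_copy_source(copy_source, allowed_bucket):
    """Fail fast if CopySource names a bucket the caller did not intend.

    Catches the key-only mistake locally instead of surfacing it as an
    AccessDenied from S3 after the request has been signed and sent.
    """
    bucket, key = parse_copy_source(copy_source)
    if bucket != allowed_bucket:
        raise ValueError(
            f"CopySource names bucket {bucket!r} (key {key!r}); "
            f"expected bucket {allowed_bucket!r}"
        )
    return bucket, key


def copy_within_bucket(client, bucket, src_key, dst_key):
    """Copy src_key to dst_key inside one bucket with an explicit CopySource.

    `client` is anything with a copy_object(**kwargs) method, so the real
    boto3 S3 client or a test double can be passed in.
    """
    copy_source = {"Bucket": bucket, "Key": src_key}
    check_copy_source(copy_source, bucket)
    return client.copy_object(Bucket=bucket, CopySource=copy_source, Key=dst_key)


class RecordingClient:
    """Constructed stand-in for boto3's S3 client: records copy_object calls."""

    def __init__(self):
        self.calls = []

    def copy_object(self, **kwargs):
        self.calls.append(kwargs)
        # Response shape only; the ETag value is made up for this example.
        return {"CopyObjectResult": {"ETag": '"constructed-etag"'}}


if __name__ == "__main__":
    # The question's value: S3 would look for a bucket called "upload".
    print(parse_copy_source("upload/binary_1.txt"))
    # Two correct ways to name the same object in bucket "test".
    print(parse_copy_source("test/upload/binary_1.txt"))
    print(parse_copy_source({"Bucket": "test", "Key": "upload/binary_1.txt"}))

    # Against a real bucket (placeholder name; bucket names are global):
    # import boto3
    # copy_within_bucket(boto3.client("s3"), "my-unique-bucket-name",
    #                    "upload/binary_1.txt", "upload/binary_1_copied.txt")
    client = RecordingClient()
    copy_within_bucket(client, "test", "upload/binary_1.txt",
                       "upload/binary_1_copied.txt")
    print(client.calls[0])
```

For copy_object the role needs s3:GetObject on the source object and s3:PutObject on the destination object; the policy in the question grants both for arn:aws:s3:::test/*, which is enough once the source actually points at that bucket. The check in check_copy_source is cheap and turns a vague AccessDenied into a message that names the bucket the request was about to hit.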
