David

Reputation: 3036

Access denied when principal set to aws lambda.amazonaws.com

I access a bucket with a Lambda function and I get an "Access Denied" error when I access it with a Lambda function via boto3. If I set the principal to "*" in the bucket policy, all works fine. What is the issue?

    "Sid": "DenyIncorrectEncryptionHeader",
    "Effect": "Allow",
    "Principal": {
        "Service": "lambda.amazonaws.com"
    },
...

Upvotes: 0

Views: 1263

Answers (2)

John Rotenstein

Reputation: 269330

The steps would be:

  • Create an IAM Role with a use-case of Lambda (this creates a Trust Policy that allows the AWS Lambda service to assume the role)
  • Add a Policy to the IAM Role that grants the required Amazon S3 permissions
  • Configure the AWS Lambda function to use this IAM Role

There is no need to use an Amazon S3 Bucket Policy for your stated requirements.

As a general rule, Bucket Policies are used when granting permission to everyone, and IAM policies should be used when granting access to specific Users or Groups. (However, there can be other situations for using Bucket Policies, such as granting cross-account access.)

Upvotes: 1

janquijano

Reputation: 154

In the bucket policy, the principal to give allow permission to should be the lambda execution role and not the lambda service (lambda.amazonaws.com).

Adding more details: if the Lambda execution role is in the same AWS account as the bucket, then an allow permission in the role should suffice, as long as there is no explicit deny in the bucket policy.

However, if the role and bucket are in separate accounts, the role has to have allow permission and the bucket policy has to give allow permission to the role.

Upvotes: 2
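The following is an added example, not code from the question or from either answer. It puts both answers into concrete documents: the trust policy and S3 permissions policy that the role-based approach in the first answer relies on, the cross-account bucket policy the second answer describes (principal is the execution role's ARN), and a small lint/repair pass that flags the mistake in the question, an Allow statement whose principal is the Lambda service rather than the role. Python is used because the question calls S3 through boto3. The account id, role name, bucket name and the Action/Resource fields on the sample statement are constructed placeholders and assumptions, not values from the original post.

```python
"""Added example (not from the original question or answers): build the IAM
documents the first answer describes, and lint/repair a bucket policy for the
mistake in the question: an Allow statement whose principal is the Lambda
*service* rather than the function's execution *role*. Account id, role name
and bucket name below are constructed placeholders."""
import copy
import json

ACCOUNT_ID = "111111111111"      # constructed placeholder
ROLE_NAME = "my-lambda-s3-role"  # constructed placeholder
BUCKET = "example-bucket"        # constructed placeholder


def role_arn(account_id: str, role_name: str) -> str:
    """ARN of the Lambda execution role (the identity S3 actually sees)."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def lambda_trust_policy() -> dict:
    """Trust policy the 'Lambda' use case creates: the service may assume the role.
    This is the only document in which lambda.amazonaws.com belongs as a principal."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def s3_permissions_policy(bucket: str) -> dict:
    """Identity policy attached to the role. In the same-account case this is all
    that is needed, provided the bucket policy holds no explicit Deny."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
        ],
    }


def cross_account_bucket_policy(bucket: str, exec_role_arn: str) -> dict:
    """Bucket policy for the cross-account case: the principal is the role ARN.
    The role still needs its own identity policy allowing the same actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowLambdaExecutionRole",
            "Effect": "Allow",
            "Principal": {"AWS": exec_role_arn},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def service_principal_allows(bucket_policy: dict) -> list:
    """Sids of Allow statements whose principal is a Service entry.
    S3 requests made from function code are signed with the execution role's
    credentials, so a Service principal never matches them and, with no other
    Allow, the request is denied."""
    hits = []
    for stmt in bucket_policy.get("Statement", []):
        principal = stmt.get("Principal")
        if stmt.get("Effect") == "Allow" and isinstance(principal, dict) and "Service" in principal:
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def fix_service_principal(bucket_policy: dict, exec_role_arn: str) -> dict:
    """Return a copy in which each flagged statement grants to the role ARN instead."""
    fixed = copy.deepcopy(bucket_policy)
    for stmt in fixed.get("Statement", []):
        principal = stmt.get("Principal")
        if stmt.get("Effect") == "Allow" and isinstance(principal, dict) and "Service" in principal:
            stmt["Principal"] = {"AWS": exec_role_arn}
    return fixed


# Constructed sample modelled on the statement in the question; Action and
# Resource were elided there and are filled in here as assumptions.
QUESTION_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyIncorrectEncryptionHeader",
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

if __name__ == "__main__":
    arn = role_arn(ACCOUNT_ID, ROLE_NAME)
    print("statements granting to a Service principal:", service_principal_allows(QUESTION_BUCKET_POLICY))
    print(json.dumps(fix_service_principal(QUESTION_BUCKET_POLICY, arn), indent=2))
    print(json.dumps(lambda_trust_policy(), indent=2))
    print(json.dumps(s3_permissions_policy(BUCKET), indent=2))
```

Running the module flags the sample statement and prints the repaired bucket policy next to the two role documents. The lint deliberately looks only at Allow statements with a `Service` principal: a `Service` entry is legitimate in the role's trust policy, where the point is to let the service assume the role, but in a bucket policy it does not match calls made with the role's credentials.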
