
I'm trying to have my Lambda put/update objects in my S3 bucket. I have not changed any default bucket settings and attached the IAM role policy below to the Lambda.

{
    "Statement": [
        {
            "Action": [
                "logs:*"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:logs:*:*:*"
        },
        {
            "Action": [
                "s3:*"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::my_custom_bucket_name_for_dev"
        }
    ],
    "Version": "2012-10-17"
}

What I don't understand is that get operations seem to work, but put doesn't:

    import logging

    import boto3

    logger = logging.getLogger()
    logger.setLevel(logging.INFO)

    def lambda_handler(event, context):
        logger.info("before boto")
        s3_client = boto3.client('s3')

        # Bucket-level call (s3:ListBucket), authorised against the bucket ARN
        objects = s3_client.list_objects_v2(Bucket='my_custom_bucket_name_for_dev')

        logger.info("entering debug list")
        for obj in objects.get('Contents', []):
            logger.info(f"{obj['Key']}")

        # Object-level call (s3:PutObject), authorised against the object ARN
        some_binary_data = b'let me in'
        s3 = boto3.resource('s3')
        s3_object = s3.Object('my_custom_bucket_name_for_dev', 'whatwithpermission.txt')
        s3_object.put(Body=some_binary_data)

The above generated the following error message:

[ERROR] ClientError: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

Can someone explain to me what I am doing wrong? Because I thought I'd granted all possible S3 permissions to the Lambda.

Thanks!

Answers

  1. The ARN arn:aws:s3:::my_custom_bucket_name_for_dev is for the bucket only, not for objects. Thus any object-level operation, such as put, will fail. The proper object-level ARN is arn:aws:s3:::my_custom_bucket_name_for_dev/*.

  2. You're missing the permissions required for objects; you have to add the resource arn:aws:s3:::my_custom_bucket_name_for_dev/* for that.

    So your policy should ideally look like this:

    {
        "Statement": [
            {
                "Action": [
                    "logs:*"
                ],
                "Effect": "Allow",
                "Resource": "arn:aws:logs:*:*:*"
            },
            {
                "Action": [
                    "s3:*"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::my_custom_bucket_name_for_dev",
                    "arn:aws:s3:::my_custom_bucket_name_for_dev/*"
                ]
            }
        ],
        "Version": "2012-10-17"
    }
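
As an added illustration (not part of either answer above), the following simplified evaluator shows why the question's policy passes the bucket-level ListBucket call but fails the object-level PutObject call, and what a least-privilege variant scoped to only the actions the Lambda actually makes would look like. The least-privilege policy is an assumption of this example, not from the page, and the evaluator is not AWS's real policy engine: it ignores conditions, resource policies, NotAction/NotResource and SCPs.

```python
import fnmatch

# Added example (not AWS code): explicit Deny wins, otherwise any matching Allow
# grants, otherwise implicit deny. Conditions and bucket policies are ignored.
BUCKET = "my_custom_bucket_name_for_dev"
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
OBJECT_ARN = f"{BUCKET_ARN}/whatwithpermission.txt"  # object key from the question


def statement(actions, resources, effect="Allow"):
    return {"Effect": effect, "Action": actions, "Resource": resources}


# The question's policy: s3:* granted on the bucket ARN only.
ORIGINAL_POLICY = {"Version": "2012-10-17", "Statement": [
    statement(["logs:*"], "arn:aws:logs:*:*:*"),
    statement(["s3:*"], BUCKET_ARN),
]}

# The answer's fix: bucket ARN plus the object ARN pattern.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    statement(["logs:*"], "arn:aws:logs:*:*:*"),
    statement(["s3:*"], [BUCKET_ARN, f"{BUCKET_ARN}/*"]),
]}

# Least-privilege variant (constructed assumption): only what the handler needs.
LEAST_PRIVILEGE_POLICY = {"Version": "2012-10-17", "Statement": [
    statement(["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
              "arn:aws:logs:*:*:*"),
    statement(["s3:ListBucket"], BUCKET_ARN),          # bucket-level action
    statement(["s3:PutObject"], f"{BUCKET_ARN}/*"),    # object-level action
]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def policy_allows(policy, action, resource):
    """Return True if the identity policy allows `action` on `resource`."""
    allowed = False
    for stmt in policy["Statement"]:
        # IAM '*' wildcards behave like shell globs for this purpose.
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def check(policy):
    """The two calls the question's handler makes, plus one it never needs."""
    return {
        "ListBucket": policy_allows(policy, "s3:ListBucket", BUCKET_ARN),
        "PutObject": policy_allows(policy, "s3:PutObject", OBJECT_ARN),
        "DeleteBucket": policy_allows(policy, "s3:DeleteBucket", BUCKET_ARN),
    }
```

Running check() over the three policies reproduces the question's symptom (ListBucket allowed, PutObject denied) for the original, shows both allowed for the fix, and shows that the least-privilege variant still allows both while refusing s3:DeleteBucket.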