I’m trying to have my Lambda put/update objects in my S3 bucket. I have not changed any default bucket settings and have attached the IAM role policy below to the Lambda.
```json
{
  "Statement": [
    {
      "Action": [
        "logs:*"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my_custom_bucket_name_for_dev"
    }
  ],
  "Version": "2012-10-17"
}
```
What I don’t understand is that get operations seem to work, but put doesn’t:
```python
import logging

import boto3

logger = logging.getLogger()
logger.setLevel(logging.INFO)

logger.info("before boto")
s3_client = boto3.client('s3')

# Bucket-level call: ListBucket is evaluated against the bucket ARN
objects = s3_client.list_objects_v2(Bucket='my_custom_bucket_name_for_dev')
logger.info("entering debug list")
for obj in objects.get('Contents', []):
    logger.info(f"{obj['Key']}")

# Object-level call: PutObject is evaluated against the object ARN (bucket/key)
some_binary_data = b'let me in'
s3 = boto3.resource('s3')
object = s3.Object('my_custom_bucket_name_for_dev', 'whatwithpermission.txt')
object.put(Body=some_binary_data)
```
The above has generated the following error message:

```text
[ERROR] ClientError: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
```
Can someone explain to me what I am doing wrong? Because I thought I’ve granted all possible S3 permissions to the Lambda.

Thanks!
2 Answers
The ARN `arn:aws:s3:::my_custom_bucket_name_for_dev` is for the bucket only, not for objects. Thus any object-level operation, such as put, will fail. The proper object-level ARN is `arn:aws:s3:::my_custom_bucket_name_for_dev/*`.
You’re missing the permissions required for objects; you have to add the resource `arn:aws:s3:::my_custom_bucket_name_for_dev/*` for that. So your policy should ideally look like this: