
Lambda getting access denied when trying to copy the data in same bucket.

Here is my Bucket Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectTagging",
                "s3:PutObject",
                "s3:PutObjectTagging"
            ],
            "Resource": "arn:aws:s3:::vgi-esf-eng-us-east-1-narwhal-bfb-automated-input/*"
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::vgi-esf-eng-us-east-1-narwhal-bfb-automated-input"
        },
        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::vgi-esf-eng-us-east-1-narwhal-bfb-automated-input/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        },
        {
            "Sid": "EnforceSSL",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::vgi-esf-eng-us-east-1-narwhal-bfb-automated-input/*",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        },
        {
            "Sid": "Restrict Bucket Access",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::vgi-esf-eng-us-east-1-narwhal-bfb-automated-input",
                "arn:aws:s3:::vgi-esf-eng-us-east-1-narwhal-bfb-automated-input/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::551470947100:role/CloudBotRole",
                        "arn:aws:iam::551470947100:role/globalaccess/*",
                        "arn:aws:iam::551470947100:user/globalaccess/*",
                        "arn:aws:iam::551470947100:role/Bamboo-Role-Remote-*",
                        "arn:aws:iam::551470947100:role/FB0-narwhalbfbautomatedmrprivate-ENG-east-1"
                    ]
                }
            }
        }
    ]
}

I need the bucket policy edited.

2 Answers


  1. I guess the answer is here:
    https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html

    In short, you need to add s3express:CreateSession action to your policy.
    I do not see a reason to copy-paste information from the provided doc.

    Good luck!

  2. Rather than granting permissions via a Bucket Policy, you should add the necessary permissions to the IAM Roles. These would be Allow policies.

    In general, it is best to avoid using Deny policies since they override Allow policies and can be somewhat confusing. Also, Bucket Policies are typically only used when granting public access or cross-account access. You should not need a Bucket Policy for your particular use-case.

    Given your current Bucket Policy, my guess is that one of the two Deny policies is causing your problem. Try temporarily removing them one-at-a-time to figure out which one is preventing your Lambda function from operating as expected.

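As a way to narrow down the "remove the Deny statements one at a time" advice above without touching the live policy, here is an added example (not code from the question or from either answer) that replays the three Deny conditions from the question's bucket policy against a request context. The principal list and Sids are copied from the policy; the Lambda role ARN used in the demo is a placeholder.

```python
import fnmatch

# Copied from the question's "Restrict Bucket Access" statement (aws:PrincipalArn list).
ALLOWED_PRINCIPALS = [
    "arn:aws:iam::551470947100:role/CloudBotRole",
    "arn:aws:iam::551470947100:role/globalaccess/*",
    "arn:aws:iam::551470947100:user/globalaccess/*",
    "arn:aws:iam::551470947100:role/Bamboo-Role-Remote-*",
    "arn:aws:iam::551470947100:role/FB0-narwhalbfbautomatedmrprivate-ENG-east-1",
]


def matching_denies(action, principal_arn, secure_transport=True, sse_header=None):
    """Return the Sids of the question's Deny statements that would match this request.

    action           - the S3 action being evaluated, e.g. "s3:PutObject" (the write half
                       of a CopyObject) or "s3:GetObject" (the read half).
    principal_arn    - value of aws:PrincipalArn; for a Lambda this is its execution role ARN.
    secure_transport - value of aws:SecureTransport (SDK calls over HTTPS are True).
    sse_header       - value of x-amz-server-side-encryption, or None if the request omits it.
    Any non-empty result means the request is denied regardless of Allow statements.
    """
    hits = []
    # DenyUnEncryptedObjectUploads: Null condition, fires when the SSE header is absent.
    if action == "s3:PutObject" and sse_header is None:
        hits.append("DenyUnEncryptedObjectUploads")
    # EnforceSSL: Bool condition on aws:SecureTransport == "false".
    if not secure_transport:
        hits.append("EnforceSSL")
    # Restrict Bucket Access: StringNotLike, so '*' in the list is a wildcard match.
    if not any(fnmatch.fnmatchcase(principal_arn, pattern) for pattern in ALLOWED_PRINCIPALS):
        hits.append("Restrict Bucket Access")
    return hits


if __name__ == "__main__":
    # Placeholder role ARN for the Lambda in the question (constructed, not from the page).
    lambda_role = "arn:aws:iam::551470947100:role/EXAMPLE-lambda-execution-role"
    for act in ("s3:GetObject", "s3:PutObject"):
        print(act, "->", matching_denies(act, lambda_role, sse_header="AES256") or "allowed by Deny checks")
```

Run with the real execution role ARN of the Lambda; if "Restrict Bucket Access" appears, the role is missing from the principal list, and if "DenyUnEncryptedObjectUploads" appears, the copy call must set the server-side encryption header.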