
I’m not an AWS expert, so I need some help configuring access policies to a S3 Bucket audio file.
Quick explain:
I’m trying to call a Lambda function and access an audio file from an S3 bucket with private access. My Lambda function (same AWS account) should be able to access the mp3 file through its URI.

Details:
I’m developing an Alexa Skill in .NET hosted on AWS Lambda. This skill needs to play an audio file that will be retrieved from an S3 bucket.
The only way I was able to play the audio was leaving the mp3 file accessible to everyone (allow public access), but I want to restrict access to my Lambda function (same AWS account) only. In other words: I don’t want anyone to be able to access these files, just my Lambda function.
Whenever I configure the access policy, the alexa skill doesn’t access the file anymore and returns: "It was not possible to stablish a connection with the provided audio file URI"

I tried:

  1. Creating a role on IAM management console
  2. Creating an inline policy and attaching all S3 list and read permissions for any resource
  3. Setting up the created role to my lambda function execution role

But it’s not working.

Does anyone know how to configure it correctly?

Reference: lambda-execution-role-s3-bucket

2 Answers


  1. Chosen as BEST ANSWER

    What @Anon Coward suggested worked fine!

    Are you trying to read the audio file in the Lambda, or pass a link off to Alexa for it to play on the device? If you're passing a link off, you likely need to pass a pre-signed URL so the device can access the data. – Anon Coward Nov 24 at 5:47

    I hadn't realized that when I provide the URI to Alexa through the REST API it isn't going to be resolved by my own function. For this reason Alexa didn't have access to any file. Thank you all!
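
What "pass a pre-signed URL" means in practice, as an added example that is not from this thread or from the AWS SDK: a pure-stdlib SigV4 query-string presigner for a GET of one object. It assumes a regional virtual-hosted-style endpoint (BUCKET.s3.REGION.amazonaws.com), constructed sample credentials and a fixed timestamp; in a real Lambda the credentials come from the execution role's environment and the SDK's presign call (AmazonS3Client.GetPreSignedURL in .NET) does this same work.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote, urlencode

# Constructed sample values (documentation-style fake credentials); a real
# Lambda reads AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN
# from its execution-role environment instead of hard-coding anything.
SAMPLE_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SAMPLE_TIME = datetime(2013, 5, 24, tzinfo=timezone.utc)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presign_get_object(bucket, key, region, access_key, secret_key,
                       expires=300, now=None, session_token=None):
    """SigV4 query-string presigned GET URL for s3://bucket/key.

    The signature binds method, path, host, timestamp and expiry, so the
    Alexa device can fetch exactly this object until the URL expires while
    holding no AWS credential of its own; the bucket stays private."""
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    host = f"{bucket}.s3.{region}.amazonaws.com"  # assumed endpoint style
    canonical_uri = quote("/" + key, safe="/")
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # role credentials are temporary, so the token is signed too
        params["X-Amz-Security-Token"] = session_token
    # Canonical query string: keys sorted, every value percent-encoded ('/' too)
    canonical_qs = urlencode(sorted(params.items()), quote_via=quote, safe="")
    canonical_request = "\n".join(["GET", canonical_uri, canonical_qs,
                                   f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Signing key: HMAC chain over date, region, service and the terminator
    k = ("AWS4" + secret_key).encode()
    for part in (amz_date[:8], region, "s3", "aws4_request"):
        k = _hmac(k, part)
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_qs}&X-Amz-Signature={signature}"
```

Keep `expires` as short as the playback needs: anyone who obtains the URL can fetch the object until that moment, and the only IAM permission the role needs for this is s3:GetObject on the object.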


  2. You should create an IAM Role and associate that IAM Role with the AWS Lambda function.

    The IAM Role should have the following permissions:

    • The AWSLambdaBasicExecutionRole managed policy, which gives permission for the Lambda function to send logging to CloudWatch Logs (See Lambda execution role – AWS Lambda)
    • A policy that permits the Lambda function to access the Amazon S3 bucket, something like:
    {
       "Version":"2012-10-17",
       "Statement":[
          {
             "Effect":"Allow",
             "Action":"s3:ListBucket",
             "Resource":"arn:aws:s3:::BUCKET-NAME"
          },
          {
             "Effect":"Allow",
             "Action":[
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:DeleteObject"
             ],
             "Resource":"arn:aws:s3:::BUCKET-NAME/*"
          }
       ]
    }
    

    This policy gives the Lambda function permission to list the contents of the bucket, and upload/download/delete objects from the bucket.

    If you merely want the Lambda function to read files in the bucket, you can reduce it to:

    {
       "Version":"2012-10-17",
       "Statement":[
          {
             "Effect":"Allow",
             "Action":"s3:GetObject",
             "Resource":"arn:aws:s3:::BUCKET-NAME/*"
          }
       ]
    }
    