amazon web services - AWS S3 Bucket Policy not working when manually testing Lambda Function -
i have aws lambda function accesses s3 resource it’s url (i.e https://s3-eu-west-1.amazonaws.com/bucketname/key).
i have added bucket policy on s3 bucket allows lambda function access s3 bucket (via lambda functions iam role). bucket policy looks follows:
{ "version": "2012-10-17", "id": "access control s3 bucket", "statement": [ { "sid": "allow , list requests iam role", "effect": "allow", "principal": { "aws": "arn:aws:iam::123412341234:role/role-name“ }, "action": [ "s3:get*", "s3:list*" ], "resource": [ "arn:aws:s3:::bucket-name”, "arn:aws:s3:::bucket-name/*" ] } ] }
this works fine when lambda function activated "automatically" trigger. when test lambda function manually (via aws console) 403 error.
if change principal in s3 bucket policy “*” 403 exception resolved.
my guess different principal used when manually triggering lambda function, i’ve no idea might be. i’ve tried adding new policy giving access canonical user doesn’t work.
any suggestions?
if wish give permissions particular iam user/group/role, should add permissions directly on user/group/role rather adding special-case in bucket policy.
this keeps bucket policies clean, less special-cases.
i recommend:
- remove bucket policy have displayed
- add in-line policy (for one-off situations) iam role used lambda function
here sample policy:
{ "version": "2012-10-17", "statement": [ { "sid": "bucketaccess", "effect": "allow", "action": [ "s3:*" ], "resource": [ "arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*" ] } ] }
actually, too permissive since allow lambda function anything in bucket (eg delete bucket), should grant permissions know required lambda function.
Comments
Post a Comment