Create an S3 Bucket for File Uploads: Lambda to S3 Access Denied

I followed the Basic 1 section and got everything running fine. I wanted to enhance it somewhat for something I’m doing, and part of that included reading the file that was uploaded to S3 from within a Lambda function. When I run the function through “serverless invoke local” it works just fine, finds the S3 file and is able to read it. When I deploy the Lambda function through “serverless deploy” and run it, it gives me an “Access denied” trying to read the S3 bucket. I know the full key name is correct. My permissions on the IAM role are the same as in the Basic 1 guide.

Has anybody tried to read those private files in the S3 bucket?
Am I missing something simple?


Disregard. I think I just figured it out. It looks like I had not wild-carded my permissions for the s3 bucket in the yaml iamRoleStatements section:

  iamRoleStatements:
    - Effect: Allow
      Action:
        - s3:getObject
        - s3:putObject
      Resource: "arn:aws:s3::*:*"

Clarifying:

  iamRoleStatements:
    - Effect: Allow
      Action:
        - s3:getObject
        - s3:putObject
      Resource: "arn:aws:s3:::<my-bucket>/*"
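As an added example (not from the thread or the Serverless Stack guide), a small Python lint that catches the ARN mistake above in iamRoleStatements: it checks that each S3 Resource leaves the region and account segments empty, names one bucket rather than every bucket, and uses the bucket/* form for object actions. The statements are passed as Python dicts mirroring the YAML, and the bucket name notes-app-example is a made-up placeholder.

```python
OBJECT_ACTIONS = {"getobject", "putobject", "deleteobject"}  # need arn:aws:s3:::bucket/key
BUCKET_ACTIONS = {"listbucket"}                               # need arn:aws:s3:::bucket

def check_s3_arn(arn, actions):
    """Return a list of problems for one S3 Resource entry (empty list means OK)."""
    if arn == "*":
        return ["'*' grants every resource in the account; name the bucket instead"]
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "s3":
        return [f"{arn}: not an S3 ARN (expected arn:<partition>:s3:::<bucket>[/<key>])"]
    _, _, _, region, account, resource = parts
    problems = []
    # S3 ARNs leave region and account empty; arn:aws:s3::*:* puts "*" in the account slot.
    if region or account:
        problems.append(f"{arn}: region/account must be empty for S3 (got {region!r}/{account!r})")
    if resource in ("", "*"):
        problems.append(f"{arn}: matches every bucket; scope it to one bucket")
        return problems
    _bucket, _, key = resource.partition("/")
    # IAM action names are case-insensitive (s3:getObject == s3:GetObject), so normalise.
    acts = {a.split(":", 1)[1].lower() for a in actions if a.lower().startswith("s3:")}
    if acts & OBJECT_ACTIONS and not key:
        problems.append(f"{arn}: object actions need the bucket/* (or bucket/prefix/*) form")
    if acts & BUCKET_ACTIONS and key:
        problems.append(f"{arn}: s3:ListBucket applies to the bucket ARN, without /*")
    return problems

def lint_statements(statements):
    """Run check_s3_arn over every Allow statement that grants s3: actions."""
    findings = []
    for st in statements:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st.get("Effect") != "Allow" or not any(a.lower().startswith("s3:") for a in actions):
            continue
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for res in resources:
            findings.extend(check_s3_arn(res, actions))
    return findings

# Constructed sample: the thread's broken statement beside its corrected form.
BROKEN = [{"Effect": "Allow", "Action": ["s3:getObject", "s3:putObject"],
           "Resource": "arn:aws:s3::*:*"}]
FIXED = [{"Effect": "Allow", "Action": ["s3:getObject", "s3:putObject"],
          "Resource": "arn:aws:s3:::notes-app-example/*"}]

if __name__ == "__main__":
    print("\n".join(lint_statements(BROKEN)))
    print("fixed statement findings:", lint_statements(FIXED))
```

Run it against the statements copied out of serverless.yml before deploying; the broken form produces two findings and the corrected one none.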

Glad you figured it out. Thanks for reporting back.

What worked for me was adding a bucket policy to the S3 notes bucket as follows (and I need to tighten up the Principal!):

{
    "Version": "2012-10-17",
    "Id": "Policy1612228858328",
    "Statement": [
        {
            "Sid": "Stmt1612228855942",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::notes-app-xxxxxxx/*"
        }
    ]
}