Create an S3 Bucket for File Uploads: Lambda to S3 Access Denied

I followed the Basic 1 section and got everything running fine. I wanted to enhance it somewhat for something I’m doing and part of that included reading the file that was uploaded to s3 from within a Lambda function. When I run the function through “serverless invoke local” it works just fine, finds the s3 file and able to read it. When I deploy the Lambda function through “serverless deploy” and run it, it gives me an “Access denied” trying to read the S3 bucket. I know the full key name is correct. My permissions on the IAM role are the same as in the Basic 1 guide.

Has anybody tried to read those private files in the S3 bucket?
Am I missing something simple?

1 Like

Disregard. I think I just figured it out. It looks like I had not wild-carded my permissions for the s3 bucket in the yaml iamRoleStatements section:

  iamRoleStatements:
    - Effect: Allow
      Action:
        - s3:getObject
        - s3:putObject
      Resource: "arn:aws:s3::*:*"

Clarifying:

 iamRoleStatements:
    - Effect: Allow
      Action:
        - s3:getObject
        - s3:putObject
      Resource: "arn:aws:s3:::<my-bucket>/*"

Glad you figured it out. Thanks for reporting back.

What worked for me was adding a bucket policy to the S3 notes bucket as follows (and I need to tighten up the Principal !):
{
“Version”: “2012-10-17”,
“Id”: “Policy1612228858328”,
“Statement”: [
{
“Sid”: “Stmt1612228855942”,
“Effect”: “Allow”,
“Principal”: “",
“Action”: “s3:PutObject”,
“Resource”: "arn:aws:s3:::notes-app-xxxxxxx/

}
]
}