1
votes

I have an S3 bucket with VPC access restriction conditions:

"Statement": [
    {
        "Sid": "Access-to-specific-VPC-only-xxxx",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::xxxx",
            "arn:aws:s3:::xxxx/*"
        ],
        "Condition": {
            "NotIpAddress": {
                "aws:SourceIp": "xxxx"
            },
            "StringNotEquals": {
                "aws:sourceVpc": "vpc-xxxx"
            }
        }
    }
]

Now I create a Lambda function with a full S3 access role, and I find that the function (with simple boto3 get_object or download_file calls, things like that) is denied access by S3. What should I add to the S3 policy to allow the function access?

The error message is:

An error occurred (AccessDenied) when calling the ListObjects operation:
Access Denied: ClientError
Traceback (most recent call last)
  File "/var/task/SampleFunctionTest.py", line 17, in handler
    for obj in my_bucket.objects.all():
  ...
botocore.exceptions.ClientError: An error occurred (AccessDenied)
when calling the ListObjects operation: Access Denied

2 Answers

1
votes

To resolve this issue, you have to create an S3 Gateway Endpoint in the VPC. Go to the AWS Console.


Then select AWS services.


0
votes

Is it an option for you to put the Lambda function inside the same VPC? If so, I'd go with that. Also, you'd need to remove the NotIpAddress condition or add the CIDR block of the subnet your Lambda function is in.

"NotIpAddress": {
    "aws:SourceIp": ["xxxx", "x-lambda-subnet-ip-range"]
}
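As an added illustration (not code from the question or from either answer), the following Python models how IAM evaluates the question's Deny statement against a few constructed request contexts: the operators in one Condition block are ANDed, and a negated operator such as StringNotEquals or NotIpAddress evaluates to true when its key is absent from the request, which is why a Lambda outside the VPC (no aws:sourceVpc in its requests) is denied while a request arriving through a gateway endpoint in vpc-xxxx is not. The CIDR and IP values are constructed placeholders standing in for the post's "xxxx".

```python
import ipaddress

# Constructed stand-ins for the placeholders in the question's policy.
ALLOWED_CIDR = "203.0.113.0/24"   # the post's "aws:SourceIp": "xxxx"
ALLOWED_VPC = "vpc-xxxx"

# The Condition block of the question's Deny statement, verbatim in shape.
DENY_CONDITION = {
    "NotIpAddress": {"aws:SourceIp": [ALLOWED_CIDR]},
    "StringNotEquals": {"aws:sourceVpc": [ALLOWED_VPC]},
}


def _not_ip_address(values, ctx_value):
    # Negated operator: true when the key is missing from the request context.
    if ctx_value is None:
        return True
    ip = ipaddress.ip_address(ctx_value)
    return not any(ip in ipaddress.ip_network(v) for v in values)


def _string_not_equals(values, ctx_value):
    # Same rule: a missing aws:sourceVpc makes StringNotEquals true.
    if ctx_value is None:
        return True
    return ctx_value not in values


OPERATORS = {"NotIpAddress": _not_ip_address, "StringNotEquals": _string_not_equals}


def deny_applies(condition, request_context):
    """The Deny fires only if every operator in the Condition block is true."""
    for operator, keys in condition.items():
        for key, values in keys.items():
            if not OPERATORS[operator](values, request_context.get(key)):
                return False
    return True


# Constructed request contexts for the situations discussed on this page.
SAMPLE_REQUESTS = {
    "lambda_outside_vpc": {"aws:SourceIp": "198.51.100.7"},      # no sourceVpc key
    "lambda_via_gateway_endpoint": {"aws:sourceVpc": ALLOWED_VPC},
    "caller_from_allowed_cidr": {"aws:SourceIp": "203.0.113.10"},
}


def run_samples():
    """Map each sample request to whether the question's Deny denies it."""
    return {name: deny_applies(DENY_CONDITION, ctx) for name, ctx in SAMPLE_REQUESTS.items()}
```

A request that is not caught by the Deny still needs an Allow (here the function's S3 role) before it succeeds.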