
I am trying to read objects from an S3 bucket using a Lambda function cross-account. I have added a resource-based policy for AWS Lambda to access the S3 bucket.

But still, when I tested my Lambda function I am seeing an access denied error. The Lambda function's IAM role has full access on S3 resources.


1 Answer


Your situation appears to be:

  • An AWS Lambda function in Account A that is using a Role
  • An Amazon S3 bucket in Account B

You will need to grant access from Account B. The Lambda resource policy will not work because it is in Account A (and therefore cannot grant access to resources in Account B).

You simply need a Bucket Policy on the bucket that grants access to the Role being used by the Lambda function. The policy would look similar to:

{
  "Id": "Policy1",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GrantAccessToRole",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::1234567890:role/my-role"
        ]
      }
    }
  ]
}

Modify the policy to provide the access permissions desired (e.g. ListBucket).

The ARN for the role is visible in the IAM console when viewing the Role.
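As an added example (not part of the answer above), a small Python helper that builds the bucket policy described here for the Lambda role and splits bucket-level actions such as ListBucket from object-level actions such as GetObject, because the two need different Resource ARNs; the bucket name, role name and 12-digit account ID are constructed placeholders.

```python
import json
import re

# Actions evaluated against the bucket itself (Resource = bucket ARN) rather
# than against objects in it (Resource = bucket ARN + "/*"). Granting
# s3:ListBucket on "bucket/*" is a common reason a cross-account grant still
# returns AccessDenied even though the statement looks correct.
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}

# Real AWS account IDs are 12 digits; catch truncated or mistyped ARNs early.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def build_bucket_policy(bucket, role_arn, actions):
    """Return a bucket policy (Account B) granting `actions` to one role.

    The role ARN is the Lambda execution role in Account A. Its own identity
    policy in Account A must also allow the same S3 actions; the bucket
    policy alone is not sufficient for cross-account access.
    """
    if not ROLE_ARN_RE.match(role_arn):
        raise ValueError(f"not a well-formed IAM role ARN: {role_arn}")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    bucket_actions = sorted(a for a in actions if a in BUCKET_LEVEL_ACTIONS)
    object_actions = sorted(a for a in actions if a not in BUCKET_LEVEL_ACTIONS)
    statements = []
    if bucket_actions:
        statements.append({
            "Sid": "GrantBucketAccessToRole",
            "Effect": "Allow",
            "Principal": {"AWS": [role_arn]},   # the role only, not the whole account
            "Action": bucket_actions,
            "Resource": bucket_arn,
        })
    if object_actions:
        statements.append({
            "Sid": "GrantObjectAccessToRole",
            "Effect": "Allow",
            "Principal": {"AWS": [role_arn]},
            "Action": object_actions,
            "Resource": f"{bucket_arn}/*",
        })
    return {"Id": "Policy1", "Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    # Constructed sample values: placeholder bucket, account ID and role name.
    policy = build_bucket_policy("my-bucket",
                                 "arn:aws:iam::123456789012:role/my-role",
                                 ["s3:GetObject", "s3:ListBucket"])
    print(json.dumps(policy, indent=2))
```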