aws_access_key_id in aws lambda environment

4
votes

I'm using boto3 in order to create a presigned post url for s3.

s3 = boto3.client('s3')
post = s3.generate_presigned_post(
        Bucket=bucket_name,
        Key=f"{userid}.{suffix}"
    )

The aws_access_key_id that is being used is incorrect, one of the ways of using the right one is by adding an environment variable through environment variables.

Any idea how can I enforce using the aws access key as defined by the user I've created in IAM ?

Update 1

Policy attached to the IAM role that executes the lambda

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:*"
            ],
            "Resource": "arn:aws:logs:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AttachNetworkInterface",
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeInstances",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DetachNetworkInterface",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:ResetNetworkInterfaceAttribute"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kinesis:*"
            ],
            "Resource": "arn:aws:kinesis:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sns:*"
            ],
            "Resource": "arn:aws:sns:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sqs:*"
            ],
            "Resource": "arn:aws:sqs:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:*"
            ],
            "Resource": "arn:aws:dynamodb:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:*"
            ],
            "Resource": "*"
        }
    ]
}

Update 2

Role in IAM Role in IAM Role configuration in Lambda configuration Role configuration in Lambda configuration

1
amazon-web-servicesamazon-s3aws-lambdaboto3amazon-iam
The right way is to attach the correct IAM policy to Lambda's IAM role. Then you do not need to specify the credentials explicitly.helloV
@helloV thank you. I've attached the policy, what am I missing ?Efi MK
Role credentials have an access-key-id beginning with ASIA (not AKIA), and it rotates. "The access key does not exist in our records" is the error thrown if the request lacks the accompanying x-amz-security-token that gives meaning to the temporary access-key-id.Michael - sqlbot
@Michael-sqlbot but from where can I get x-amz-security-token ? am I suppose to get it back as part of the response ?Efi MK
It should automatically be in the environment as aws_session_token.Michael - sqlbot

1 Answers

6
votes

You should not use an IAM User for any sort of execution permissions in lambda. Rather, use an IAM role with appropriate policies attached and attach that role to your Lambda function.

Also note that once the role is configured, the access id and secret will be automatically set as environment variables by lambda and Boto will retrieve them without any additional configuration.