0
votes

I've been trying to test my first Lambda function; however, I'm only able to test it successfully when the bucket policy is set to public. I would like to provide access to my IAM user only, but whenever I try to do so, I receive an Access Denied error. I confirm that the IAM user does have Administrator Access.

Below is the relevant snippet from the bucket policy where I set the Principal to my IAM user's ARN, which results in the "Access Denied" error:

```json
"Principal": {
  "AWS": "arn:aws:iam::12_DIGIT_USER_ID:user/adminuser"
}
```

Setting the Principal to public, like below, allows the Lambda to run successfully:

```json
"Principal": {
  "AWS": "*"
}
```

Clearly I want to avoid having a public bucket, and the solution according to every blog post and StackOverflow question seems to be to set the bucket policy similar to the first code snippet above, but I just absolutely cannot figure out why it's not working for me. Any help would be greatly appreciated.

2
I guess you are running via an IAM role (execution role). If that is the case, you can just give the role the necessary permissions via an IAM policy and don't have to use a bucket policy. If you still want to use a bucket policy, which API is returning Access Denied, and what is the full bucket policy? - sudo

2 Answers

2
votes

The problem is that you are confusing user and resource permissions.

You just need to set the resource permissions as a policy, attach it to a role with a trust relationship with lambda.amazonaws.com, and then assign that role to the Lambda function.


Hope it helps.

1
votes

When granting permission to access resources in Amazon S3:

  • If you wish to grant public access, use a Bucket Policy on the bucket itself
  • If you wish to grant permissions to specific users or groups of users, then add the permissions directly to the User/Group within IAM (no principal required)
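As an added illustration of both answers (not code from either poster): the Lambda runs as its execution role, not as your IAM user, so the two documents below are the trust relationship with lambda.amazonaws.com and an identity-based policy scoped to one bucket with no Principal element. A bucket-policy variant naming the role ARN is included for the case the comment mentions, and a small check flags the public `"AWS": "*"` principal the question wanted to avoid. The account ID, bucket name and role name are constructed placeholders.

```python
"""Execution-role policies for a Lambda reading from S3, plus a lint for public principals."""

# Constructed placeholders; substitute your own account, bucket and role names.
ACCOUNT_ID = "123456789012"
BUCKET = "example-bucket"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/lambda-s3-reader"


def lambda_trust_policy():
    """Trust relationship: lets the Lambda service assume the execution role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}


def s3_read_permissions(bucket):
    """Identity-based policy attached to the role: no Principal, one bucket only."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def bucket_policy_for_role(bucket, role_arn):
    """Resource-based alternative: the Principal is the execution role, not '*'."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]}]}


def _principal_is_public(principal):
    """True for Principal '*' or {'AWS': '*'} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_statements(policy):
    """Return the Allow statements that grant to everyone; empty means not public."""
    return [st for st in policy.get("Statement", [])
            if st.get("Effect") == "Allow" and _principal_is_public(st.get("Principal"))]
```

Feed the first two documents to the role (trust policy at creation, permissions as an attached policy), then set that role on the function; `public_statements` is what you run over any bucket policy before applying it.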