I'm trying to set up a resize image Lambda using "Resize Images on the Fly with Amazon S3, AWS Lambda, and Amazon API Gateway" (AWS Compute Blog).
However, the IAM policy is not working. It does not have access to the S3 bucket.
I tested it in the IAM Policy Simulator (testing for S3 PutObject) and it says "Implicitly denied (not matching statements)".
I edited the policy according to "Grant a Lambda Execution Role Access to an Amazon S3 Bucket" but it gives me the same error.
Here is my bucket policy (edited to change this to the role below instead of root, still denied through the IAM Policy Simulator):
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::mybucketname/*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<my-account-number>::role/<my-role-name>"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::mybucketname",
                "arn:aws:s3:::mybucketname/*"
            ]
        }
    ]
}
Here is my IAM role policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "logs:CreateLogGroup",
            "Resource": "arn:aws:logs:*:*:*"
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::mybucketname/*",
                "arn:aws:s3:::mybucketname"
            ]
        }
    ]
}
Here are my S3 Redirection rules:
<RoutingRules>
    <RoutingRule>
        <Condition>
            <KeyPrefixEquals/>
            <HttpErrorCodeReturnedEquals>404</HttpErrorCodeReturnedEquals>
        </Condition>
        <Redirect>
            <Protocol>https</Protocol>
            <HostName>MYAPIENDPOINT.eu-west-1.amazonaws.com</HostName>
            <ReplaceKeyPrefixWith>default/resize?key=</ReplaceKeyPrefixWith>
            <HttpRedirectCode>307</HttpRedirectCode>
        </Redirect>
    </RoutingRule>
</RoutingRules>
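
Principal ARNs in a bucket policy like the one in this question can be checked mechanically against the IAM ARN layout `arn:partition:iam::account-id:role/role-name` before the policy is saved. The Python lint below is an added example, not part of the original post; the account ID `123456789012`, the role name `resize-role` and the function names are constructed for illustration.

```python
import json
import re

# IAM principal ARN: arn:<partition>:iam::<12-digit account>:<root | user/... | role/...>
# (the region field between "iam" and the account ID is always empty).
IAM_ARN = re.compile(r"arn:(aws|aws-cn|aws-us-gov):iam::\d{12}:(root|(user|role)/[\w+=,.@/-]+)")

# Constructed sample: statement 1 has the "::role/" shape, statement 2 the standard one.
SAMPLE_BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mybucketname/*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012::role/resize-role"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::mybucketname/*"},
    {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::123456789012:role/resize-role"]},
     "Action": "s3:*", "Resource": "arn:aws:s3:::mybucketname"},
]})

def aws_principals(statement):
    """Return the list of strings under Principal.AWS ("*" for a bare wildcard)."""
    principal = statement.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    values = principal.get("AWS", [])
    return [values] if isinstance(values, str) else list(values)

def lint_principals(policy_json):
    """Return (statement index, principal, reason) for each malformed IAM principal ARN."""
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    findings = []
    for index, statement in enumerate(statements):
        for value in aws_principals(statement):
            fields = value.split(":")
            # Only IAM ARNs are checked; "*", account IDs, STS ARNs etc. are skipped.
            if len(fields) < 3 or fields[0] != "arn" or fields[2] != "iam":
                continue
            if IAM_ARN.fullmatch(value):
                continue
            if len(fields) != 6:
                reason = f"expected 6 colon-separated fields, found {len(fields)}"
            else:
                reason = "partition, account ID or resource part is not well-formed"
            findings.append((index, value, reason))
    return findings

if __name__ == "__main__":
    for finding in lint_principals(SAMPLE_BUCKET_POLICY):
        print(finding)
```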