1
votes

I'm creating an AWS Lambda Function that tries to download a file (s3.download_file) to a temp dir that I create using the tempfile library from Python (3.6). Then, I make some transformations to the file and I need to upload it (s3.upload_file) again. I'm confident about the life cycle of my temp dir: when the Lambda finishes its job, the temp dir is going to destroy itself. The Lambda returns an error related to a forbidden HeadObject operation. The exact error is:

"An error occurred (403) when calling the HeadObject operation: Forbidden"

How can I debug this error? I already checked several sources, some of them talk about adjusting policies and checking permissions, but my question is: is there some step-by-step guide (which AWS doesn't have in its documentation) that allows me to get past this problem?

1
Your API calls to S3 are made using AWS credentials. If you want to invoke the HeadObject action on an S3 object then your credentials need to have permission to invoke that action on the S3 object in question. Check the IAM policies associated with the credentials (probably an IAM role) that the Lambda function is using. - jarmod
Thanks! I hadn't worked with roles, only with users. That's the error. Just for testing, I added full access to both the user and the role, and it's working! - juvaloco

1 Answer

3
votes

Your API calls to S3 are made using AWS credentials. If you want to invoke the HeadObject action on an S3 object then your credentials need to have permission to invoke that action on the S3 object in question.

Check the IAM policies associated with the IAM role that the Lambda function is using.

Here's an example of an S3 policy that would allow the S3 HeadObject action against all objects in mybucket and also allow GetBucketLocation on mybucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:HeadObject",
      "Resource": [
        "arn:aws:s3:::mybucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "s3:GetBucketLocation",
      "Resource": [
        "arn:aws:s3:::mybucket"
      ]
    }
  ]
}
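As an added example (my code, not the answerer's), here is a Python 3 handler for the download/transform/upload flow described in the question, with a least-privilege policy builder and a helper that turns boto3's ClientError into a concrete fix; bucket, key and prefix names are placeholders. Two facts it relies on: boto3's download_file issues HeadObject before GetObject, which is why the 403 names that operation, and IAM has no s3:HeadObject action, so HeadObject is authorized by s3:GetObject.

```python
import tempfile

# IAM action that authorizes each S3 API call this function makes. There is no
# "s3:HeadObject" action: the HeadObject API is authorized by s3:GetObject.
REQUIRED_ACTIONS = {"HeadObject": "s3:GetObject", "GetObject": "s3:GetObject",
                    "PutObject": "s3:PutObject"}

def least_privilege_policy(bucket: str, prefix: str = "") -> dict:
    """Narrowest policy for download + re-upload under one prefix (hypothetical names)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
            # Without ListBucket, HeadObject on a missing key returns 403 instead of
            # 404, so a typo in the key looks exactly like a permissions problem.
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
        ],
    }

def diagnose_client_error(error_response: dict, operation: str) -> str:
    """Map botocore's ClientError.response and .operation_name to a concrete fix."""
    code = str(error_response.get("Error", {}).get("Code", ""))
    status = error_response.get("ResponseMetadata", {}).get("HTTPStatusCode")
    if code in ("403", "AccessDenied") or status == 403:
        needed = REQUIRED_ACTIONS.get(operation, f"s3:{operation}")
        hint = " (or the key is missing and the role lacks s3:ListBucket)" if operation == "HeadObject" else ""
        return f"{operation} denied: execution role needs {needed}{hint}"
    if code in ("404", "NoSuchKey") or status == 404:
        return f"{operation}: object not found"
    return f"{operation} failed: {code or status}"

def lambda_handler(event, context):
    import boto3  # imported lazily so the helpers above are testable without the SDK
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    bucket, key = event["bucket"], event["key"]
    with tempfile.TemporaryDirectory() as tmp:  # removed when the block exits
        local = f"{tmp}/{key.rsplit('/', 1)[-1]}"
        try:
            s3.download_file(bucket, key, local)  # boto3 calls HeadObject, then GetObject
            with open(local, "rb") as fh:
                data = fh.read().upper()  # placeholder transformation
            with open(local, "wb") as fh:
                fh.write(data)
            s3.upload_file(local, bucket, key)  # calls PutObject
        except ClientError as exc:
            raise RuntimeError(diagnose_client_error(exc.response, exc.operation_name)) from exc
    return {"status": "ok", "key": key}
```

Attach the output of least_privilege_policy to the Lambda execution role rather than granting full S3 access to a user; the user's credentials are never what the function runs with.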