AWS Lambda S3 Access Denied

4
votes

I have a lambda function using a role with the following policy excerpt

{
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::ipwl-lambda-config/*",
                "arn:aws:s3:::ipwl-lambda-config"
            ]
        }

My bucket policy looks like the following

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::ipwl-lambda-config/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"
                }
            }
        },
        {
            "Sid": "AllowLambda",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::accountid:role/iam_for_lambda"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::ipwl-lambda-config/*",
                "arn:aws:s3:::ipwl-lambda-config"
            ]
        }
    ]
}

I've allowed GetObject and ListBucket on both the role and the bucket policy. However when my function runs

s3_obj = s3_res.Object(s3_bucket, s3_object)

I get

[ERROR] ClientError: An error occurred (AccessDenied) when calling the GetObject operation: Access Denied

What more permissions do I have to add? The object is there, I can get it when I run the code locally using an admin role.

Update

I've checked to make sure the bucket and object names are correct dozens of times. The exception is actually coming from the second line here according to the stacktrace

s3_res = boto3.resource('s3')
s3_obj = s3_res.Object(s3_bucket, s3_object)
data = s3_obj.get()['Body'].read()

KMS should only be a factor for PutObject. We have a support account so I may check with them and update with their findings.

1
amazon-web-servicesamazon-s3aws-lambdaboto3amazon-iam
It looks good to me. Could you double check the bucket name and the iam role that the lambda function is using are correct? - jellycsc
Does this answer your question? aws lambda function getting access denied when getObject from s3 - qedk
You don't need bucket statement with lambda if you already have s3 permissions in lambda. Its redundant, unless different accounts. Your s3 inline policy is correct in the lambda role. Are you sure that s3_res.Object throws the error? Maybe you have other s3 operations? Also I'm curious on how kms fits into this. - Marcin

1 Answers

5
votes

To download a KMS-encrypted object from S3, you not only need to be able to get the object. You also need to be able to decrypt the AWS KMS key.

Here's an example of an IAM policy that your Lambda function should have:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "s3get",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::ipwl-lambda-config/*"
    },
    {
      "Sid": "kmsdecrypt",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:example-region-1:123456789012:key/example-key-id"
    }
  ]
}

The key policy also needs to allow the IAM role to decrypt the key, something like this:

{
  "Sid": "kmsdecrypt",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::123456789012:role/xyz"
  },
  "Action": "kms:Decrypt",
  "Resource": "*"
}