AWS lambda not able to access cross account s3 bucket object but from cli its working

Question

I am getting forbidden error while accessing cross-account s3 buckets, but I am able to access bucket using aws s3 cli.

I have checked the following things:

I have tested code in June and was working and not changed in the last 4 months.
Lambda role (not changed in the last 4 months):

        {
            "Action": "s3:*",
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },

code is working with s3 bucket in the same account.
in account 2 all list objects, write objects, Read bucket permissions, and Write bucket permissions access is given.

I am able to list bucket contents from aws cli and it's not working with lambda.

I haven't used bucket policy, I have added canonical id in Access for other AWS account and then checked all boxes in front of that. — siddhesh padhye

siddhesh padhye siddhesh padhye · Accepted Answer · 2020-07-07T15:35:49

Found out the issue, it was happening because I didn't apply object level acl to read object

But still, there is one issue that there can be multiple files for whom I want the head object to determine the size of the file and asking the customer to put object acl one by one on each object is not user friendly so is there a way to put read object acl on bucket level.

AWS lambda not able to access cross account s3 bucket object but from cli its working

2 Answers