0
votes

I am a newbie to AWS Lambda. I am trying out the tutorial from https://docs.aws.amazon.com/lambda/latest/dg/with-s3-example.html. When the user uploads a jpg to an S3 bucket called greetingsproject, the Lambda function is triggered.

Error: 9a62ff86-3e24-491d-852e-ded2e2cf5d94
INFO: error while getting object = AccessDenied: Access Denied

I am getting the Access Denied error in the following code snippet:

// Fragment of the tutorial's Node.js handler, shown with the pieces it relies on.
// Uses the AWS SDK for JavaScript v2 (the 'aws-sdk' package); srcBucket and
// srcKey are taken from the S3 event record, as the tutorial does.
const AWS = require('aws-sdk');
const s3 = new AWS.S3();

exports.handler = async (event) => {
    const srcBucket = event.Records[0].s3.bucket.name;
    // Object keys arrive URL-encoded, with spaces encoded as '+'
    const srcKey = decodeURIComponent(event.Records[0].s3.object.key.replace(/\+/g, " "));

    try {
        console.log("srcBucket=" + srcBucket);
        console.log("srcKey=" + srcKey);
        const params = {
            Bucket: srcBucket,
            Key: srcKey
        };
        // This is the call that fails with AccessDenied
        var origimage = await s3.getObject(params).promise();
    } catch (error) {
        console.log("error while getting object = " + error);
        return;
    }
    // ... resize origimage.Body and upload the result (rest of the tutorial)
};

My Policy for the Role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents",
                "logs:CreateLogGroup",
                "logs:CreateLogStream"
            ],
            "Resource": "arn:aws:logs:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::greetingsproject"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::greetingsproject",
                "arn:aws:s3:::greetingsproject/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::greetingsproject",
                "arn:aws:s3:::greetingsproject/*"
            ]
        }
    ]
}

Not sure what other permissions I need to add to the policy.

1
Are the lambda function and the s3 bucket in the same aws account? - ORP
"Policy for the Role" - which role? Lambda execution role? - Marcin
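
A useful first step with any AccessDenied is to establish what the policy text itself grants, separately from where it is attached. The script below is an added example (not code from the tutorial, the question or the answer): it transcribes the policy posted above and runs a minimal, offline version of IAM's evaluation logic over the calls the handler makes. The object key "photo.jpg" and the "greetingsproject-resized" destination bucket are hypothetical names chosen for the example; the version of the tutorial I know writes the thumbnail to a "<bucket>-resized" bucket, so that case is included as an assumption.

```python
"""
Offline check of what the question's identity-based policy actually grants.
Added example; not code from the AWS tutorial or either poster.

Implements only the core of IAM evaluation for an identity policy: an explicit
Deny in any matching statement wins, otherwise a matching Allow wins, otherwise
the result is the implicit default deny. Condition blocks, NotAction/NotResource,
bucket policies, SCPs and permission boundaries are not modelled, so "allowed"
here means only that the policy text is not what is blocking the call.
"""
import fnmatch

# The policy from the question, transcribed compactly.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:PutLogEvents", "logs:CreateLogGroup", "logs:CreateLogStream"],
         "Resource": "arn:aws:logs:*:*:*"},
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": "arn:aws:s3:::greetingsproject"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::greetingsproject", "arn:aws:s3:::greetingsproject/*"]},
        {"Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": ["arn:aws:s3:::greetingsproject", "arn:aws:s3:::greetingsproject/*"]},
    ],
}


def _as_list(value):
    """IAM lets Action and Resource be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value):
    """IAM wildcard match: '*' is any run of characters, '?' is one character.

    fnmatch also interprets '[...]' classes, which never occur in action names
    or ARNs, so it is an acceptable stand-in here.
    """
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policy, action, resource):
    """Return 'allowed', 'explicit deny' or 'implicit deny' for one API call."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive; resource ARNs (S3 keys) are not.
        action_hit = any(_iam_match(a.lower(), action.lower())
                         for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_iam_match(r, resource)
                           for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit deny"      # a matching Deny beats every Allow
        allowed = True
    return "allowed" if allowed else "implicit deny"


def check_tutorial_calls(policy=POLICY):
    """Evaluate the calls the tutorial's handler makes against the policy.

    'photo.jpg' and the '-resized' bucket are hypothetical names (assumption).
    """
    src = "arn:aws:s3:::greetingsproject/photo.jpg"
    dst = "arn:aws:s3:::greetingsproject-resized/resized-photo.jpg"
    return {
        "GetObject from source": evaluate(policy, "s3:GetObject", src),
        "PutObject back to source": evaluate(policy, "s3:PutObject", src),
        "PutObject to -resized bucket": evaluate(policy, "s3:PutObject", dst),
        "DeleteObject from source": evaluate(policy, "s3:DeleteObject", src),
        "ListBucket on source": evaluate(policy, "s3:ListBucket", "arn:aws:s3:::greetingsproject"),
    }


if __name__ == "__main__":
    for call, verdict in check_tutorial_calls().items():
        print(f"{call:32s} {verdict}")
```

The result for s3:GetObject on an object under greetingsproject is "allowed", so the policy text is not the cause of the AccessDenied; the failure has to come from somewhere this policy does not reach: the role that is actually attached to the function, a bucket policy, or a bucket owned by a different account (ORP's question). Two side notes the check also surfaces: listing the bucket ARN itself as a Resource for s3:GetObject and s3:PutObject is a no-op, because object-level actions only ever match object ARNs, and a PutObject to a separate output bucket would be implicitly denied by this policy as written.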

1 Answer

0
votes

The comment by Marcin about the Lambda execution role put me on the right track. I had previously followed these steps:

  1. Created a policy called greetingsProjectPolicy (with the above mentioned permissions)
  2. Attached this policy to greetingsProjectRole.
  3. Assigned the greetingsProjectRole to my lambda function.
  4. I assumed that was it and the policy should be available to my lambda function.
  5. However, when I assigned the greetingsProjectRole to the function, AWS internally created an execution role called greetingsProject-role-zhcbt61o.
  6. When I clicked on this role, I was surprised to see that the only role it had was AWSLambdaBasicExecutionRole, and the greetingsProjectPolicy was missing.
  7. I had to add the greetingsProjectPolicy as an inline policy to greetingsProject-role-zhcbt61o. Now I no longer get the Access Denied error.

Not sure if this is how AWS works or if I am missing something.
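
The check that would have shortened the answer's steps is to resolve the role the function really uses and list what is attached to it, rather than trusting the role one believes was assigned. The script below is an added example (not the answer's steps or AWS code). The audit function works unchanged with real boto3 clients; to run offline it is driven here by constructed stand-in clients that mirror the answer's finding. The function name "greetingsProject" and the account ID 123456789012 are placeholders, and the managed policy ARN in the stand-in is a placeholder too.

```python
"""
Audit which execution role a Lambda function really uses and what is attached
to it. Added example; the stand-in clients and their data are constructed for
the example and are not real AWS responses.
"""


def audit_execution_role(lambda_client, iam_client, function_name, expected_policy):
    """Resolve the function's role and report the policies attached to it.

    Works with boto3.client("lambda") and boto3.client("iam"). Pagination of the
    IAM list calls is omitted; an execution role carries only a few policies.
    """
    cfg = lambda_client.get_function_configuration(FunctionName=function_name)
    role_arn = cfg["Role"]                       # arn:aws:iam::<account>:role/<name>
    role_name = role_arn.rsplit("/", 1)[-1]      # the IAM API wants the bare name

    managed = [p["PolicyName"] for p in
               iam_client.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]]
    inline = iam_client.list_role_policies(RoleName=role_name)["PolicyNames"]

    return {
        "function": function_name,
        "role_arn": role_arn,
        "role_name": role_name,
        "managed_policies": managed,
        "inline_policies": inline,
        "expected_policy_present": expected_policy in managed or expected_policy in inline,
    }


# --- constructed stand-ins mirroring the answer's finding (not real AWS data) ---

class FakeLambdaClient:
    def __init__(self, role_arn):
        self.role_arn = role_arn

    def get_function_configuration(self, FunctionName):
        return {"FunctionName": FunctionName, "Role": self.role_arn}


class FakeIamClient:
    def __init__(self, managed, inline):
        self.managed, self.inline = managed, inline

    def list_attached_role_policies(self, RoleName):
        # PolicyArn values are placeholders; the audit only reads PolicyName.
        return {"AttachedPolicies": [{"PolicyName": n, "PolicyArn": "arn:aws:iam::aws:policy/placeholder"}
                                     for n in self.managed]}

    def list_role_policies(self, RoleName):
        return {"PolicyNames": list(self.inline)}


ROLE_ARN = "arn:aws:iam::123456789012:role/greetingsProject-role-zhcbt61o"  # placeholder account


def scenario_before_fix():
    """The console-created role carries only the basic logging policy."""
    lam = FakeLambdaClient(ROLE_ARN)
    iam = FakeIamClient(managed=["AWSLambdaBasicExecutionRole"], inline=[])
    return audit_execution_role(lam, iam, "greetingsProject", "greetingsProjectPolicy")


def scenario_after_fix():
    """The same role after greetingsProjectPolicy was added inline, as in step 7."""
    lam = FakeLambdaClient(ROLE_ARN)
    iam = FakeIamClient(managed=["AWSLambdaBasicExecutionRole"], inline=["greetingsProjectPolicy"])
    return audit_execution_role(lam, iam, "greetingsProject", "greetingsProjectPolicy")


if __name__ == "__main__":
    # Against a real account: import boto3 and pass boto3.client("lambda"),
    # boto3.client("iam") to audit_execution_role instead of the fakes.
    for report in (scenario_before_fix(), scenario_after_fix()):
        print(report)
```

The CLI equivalents are `aws lambda get-function-configuration --function-name NAME --query Role`, then `aws iam list-attached-role-policies --role-name ROLE` and `aws iam list-role-policies --role-name ROLE`. AWSLambdaBasicExecutionRole is the AWS managed policy that grants the CloudWatch Logs permissions, which is why the function could still log the error while the S3 call failed. This audit covers only the execution role; a bucket policy or a bucket owned by another account can still deny the call even when the expected policy is present.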