
Permission denied for IAM policy to S3 bucket

I'm trying to set up a resize-image Lambda using the AWS Compute Blog post Resize Images on the Fly with Amazon S3, AWS Lambda, and Amazon API Gateway.

However, the IAM policy is not working. It does not have access to the S3 bucket.

I tested it in the IAM Policy Simulator (testing for S3 PutObject) and it says "Implicitly denied (not matching statements)".

I edited the policy according to Grant a Lambda Execution Role Access to an Amazon S3 Bucket but it gives me the same error.

Here is my bucket policy (edited to change this to the role below instead of root; still denied through the IAM Policy Simulator):

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::mybucketname/*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<my-account-number>::role/<my-role-name>"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::mybucketname",
                "arn:aws:s3:::mybucketname/*"
            ]
        }
    ]
}

Here is my IAM role policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "logs:CreateLogGroup",
            "Resource": "arn:aws:logs:*:*:*"
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::mybucketname/*",
                "arn:aws:s3:::mybucketname"
            ]
        }
    ]
}

Here are my S3 Redirection rules:

<RoutingRules>
  <RoutingRule>
    <Condition>
      <KeyPrefixEquals/>
      <HttpErrorCodeReturnedEquals>404</HttpErrorCodeReturnedEquals>
    </Condition>
    <Redirect>
      <Protocol>https</Protocol>
      <HostName>MYAPIENDPOINT.eu-west-1.amazonaws.com</HostName>
      <ReplaceKeyPrefixWith>default/resize?key=</ReplaceKeyPrefixWith>
      <HttpRedirectCode>307</HttpRedirectCode>
    </Redirect>
  </RoutingRule>
</RoutingRules>

Are you sure your Lambda function is running as the root user? (I don't even know if this is possible, but you probably don't want to be doing that)

You can find out the role for your Lambda function using this command:

aws lambda get-function-configuration --function-name YOUR_FUNCTION_NAME | grep Role

The value you see is what you should use in your bucket policy:

    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::<my-account-number>:role/service-role/foo-bar-baz"
        },
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::mybucketname",
            "arn:aws:s3:::mybucketname/*"
        ]
    }
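As an added example (not part of the question or the answer), here is a small Python check that parses a bucket policy and reports any AWS principal that does not have the `arn:aws:iam::<account-id>:role/<name>` shape shown in the answer, or that is not the role the function actually runs under. The account id, role name and policy below are constructed sample values; the policy deliberately mirrors the doubled "::" seen in the question's principal ARN.

```python
import json
import re

# IAM role ARN shape: arn:aws:iam::<12-digit account id>:role/<optional path>/<name>
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([A-Za-z0-9+=,.@_/-]+)$")


def check_bucket_policy_principals(policy_json: str, expected_role_arn: str) -> list[str]:
    """Return one finding per Allow statement whose AWS principal is a wildcard,
    is not a well-formed IAM role ARN, or is not the role the Lambda runs as."""
    findings = []
    policy = json.loads(policy_json)
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        for arn in aws:
            if arn == "*":
                findings.append(f"{sid}: principal '*' grants {stmt.get('Action')} to everyone")
            elif not ROLE_ARN_RE.match(arn):
                findings.append(f"{sid}: malformed principal ARN {arn!r}")
            elif arn != expected_role_arn:
                findings.append(f"{sid}: principal {arn} is not the Lambda role {expected_role_arn}")
    return findings


# Constructed sample: the role ARN as `aws lambda get-function-configuration` would
# report it (account id 123456789012 and the role name are placeholders).
LAMBDA_ROLE_ARN = "arn:aws:iam::123456789012:role/service-role/foo-bar-baz"

# Constructed bucket policy in the shape of the question's; note the "::" before "role/".
SAMPLE_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Statement": [
        {"Sid": "AllowPublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mybucketname/*"},
        {"Sid": "LambdaAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012::role/service-role/foo-bar-baz"},
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::mybucketname", "arn:aws:s3:::mybucketname/*"]},
    ],
})

if __name__ == "__main__":
    for finding in check_bucket_policy_principals(SAMPLE_POLICY, LAMBDA_ROLE_ARN):
        print(finding)
```

Run it with the policy you are about to save and the Role value printed by the command above; the public-read statement is reported so you can confirm that wildcard is intended.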
