I need to delete an object in S3 from a Lambda function. I have tried everything, and this is driving me crazy, please help!
I have a lambda function associated with an API GATEWAY from AWS. When I make the request in Postman, I receive an Access Denied message with a 500 internal server error code. The CloudWatch logs don't show additional info.
When I use the AWS CLI, I can delete the object successfully using this command:
aws s3api delete-object --bucket <<My-Bucket>> --key <<My-Key>>
Additionally, I can upload files to S3 with another request in Postman, without any problem.
But when I use the code uploaded to Lambda, it doesn't work. I am using AWS SDK v3, but I have already tried with older versions. The relevant code is the following:
const { S3Client, DeleteObjectCommand } = require("@aws-sdk/client-s3");

const client = new S3Client({ region: process.env.AWS_REGION });

// Handler invoked through API Gateway. familyId, magazineId and postId come
// from the incoming request (how they are extracted is not shown in the post).
exports.handler = async (event) => {
  const command = new DeleteObjectCommand({
    Bucket: process.env.BUCKET_NAME,
    Key: `posts/${familyId}/${magazineId}/${postId}`,
  });
  await client.send(command);
};
My IAM user has S3 Full Access.
The bucket owner is this IAM user. The policy of my S3 bucket is the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<<My-account-id>>:user/<<My-username>>"
      },
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::<<My-bucket>>"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<<My-account-id>>:user/<<My-username>>"
      },
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::<<My-bucket>>/*"
    }
  ]
}
I tried unblocking public access, but the problem remains. The command:
aws configure list
shows me the access key, secret key and region that I expect. Any idea would be highly appreciated, thank you!!
Answering myself as I found the solution:
I am using AWS SAM to deploy the Lambda functions (infrastructure as code). I was missing the permissions needed in template.yml. I added this policy to the Lambda function in template.yml and it worked:
MyFunction:
  Type: AWS::Serverless::Function
  Properties:
    Policies:
      - S3CrudPolicy:
          BucketName: !Ref BucketName
Check these docs to troubleshoot additional access denied errors: https://aws.amazon.com/premiumsupport/knowledge-center/s3-troubleshoot-403/
Hope it helps!
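The Lambda call runs under the function's execution role, not under the IAM user whose keys the CLI uses, so the role needs its own grant; the bucket policy above only names the user. The S3CrudPolicy template grants the role read, write, list and delete on the whole bucket, and a tighter alternative is an inline policy document scoped to the actions and prefix the handler actually uses. This is an added example, not the answerer's template; the Runtime, Handler and Environment values are assumptions, while MyFunction, BucketName and the posts/ prefix come from the post.

```yaml
Parameters:
  BucketName:
    Type: String

Resources:
  MyFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: nodejs18.x        # assumed; Node 18 bundles AWS SDK v3
      Handler: index.handler     # assumed file/export name
      Environment:
        Variables:
          BUCKET_NAME: !Ref BucketName
      Policies:
        # Inline policy document instead of the S3CrudPolicy template:
        # only the two actions the handler needs (upload and delete),
        # and only under the posts/ key prefix the handler writes to.
        - Version: "2012-10-17"
          Statement:
            - Sid: WriteAndDeletePostsOnly
              Effect: Allow
              Action:
                - s3:PutObject
                - s3:DeleteObject
              Resource: !Sub "arn:aws:s3:::${BucketName}/posts/*"
```

If the handler later needs to read or list objects, add those actions explicitly rather than widening back to S3CrudPolicy; an AccessDenied from the SDK after this change points at the missing action or a Resource that does not match the key.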