Add policy to the auto created IAM role
Question
I have cdk script which makes one S3 bucket and lambda then add s3 trigger to lambda
const up_bk = new s3.Bucket(this, 'cdk-st-in-bk', { // image-resize用のbucket
bucketName: `cdk-st-${targetEnv}-resource-in-bk`,
removalPolicy: RemovalPolicy.DESTROY,
autoDeleteObjects: true,
cors: [{
allowedMethods: [
s3.HttpMethods.GET,
s3.HttpMethods.POST,
s3.HttpMethods.PUT,
s3.HttpMethods.DELETE,
s3.HttpMethods.HEAD,
],
allowedHeaders: ["*"],
allowedOrigins: ["*"],
exposedHeaders: ["ETag"],
maxAge: 3000
}]
});
const resizerLambda = new lambda.DockerImageFunction(this, "ResizerLambda", {
code: lambda.DockerImageCode.fromImageAsset("resizer-sam/resizer"),
});
resizerLambda.addEventSource(new S3EventSource(up_bk, {
events: [ s3.EventType.OBJECT_CREATED ],
}));
Now,It makes role automatically st-dev-base-stack-ResizerLambdaServiceRoleAE27CE82-1LWJL0D35A0GW
But it has only AWSLambdaBasicExecutionRole
So,when I try to access S3 from bucket there comes error like `
For example,
obj = s3_client.get_object(Bucket=bucket_name, Key=obj_key)
"An error occurred (AccessDenied) when calling the GetObject operation: Access Denied"
I guess I should add the AmazonS3FullAccess to this role.
However how can I do this??
1 answers
solution1
2 ACCPTED 2022-02-09 10:24:37
You need to give the Lambda function permission to read from the bucket:
up_bk.grantRead(resizerLambda);
If you also need it to write to the bucket, do:
up_bk.grantReadWrite(resizerLambda);
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.