
An error occurred while listing S3 relations: Access Denied

I have created a Lambda function with the required S3 bucket access, and I am trying to create an S3 event trigger, but I am getting an "Access Denied" error.

lambda.tf

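resource "aws_lambda_function" "s3-lambdas" {
  filename         = "./s3-lambdas.zip"
  # filebase64sha256() takes a path string. The bare identifier `s3-lambdas`
  # is parsed as the expression `s3 - lambdas`, not as the archive name, so
  # point it at the same file as `filename`.
  source_code_hash = filebase64sha256("./s3-lambdas.zip")
  function_name    = "s3-lambdas"
  # The handler only calls glue:StartJobRun / glue:GetJobRun, while the role
  # policy shown with this question grants s3:* on the bucket: the role is
  # over-privileged for S3 and, unless granted elsewhere, lacks the Glue
  # actions the function actually needs.
  role             = module.lambda_role.arn
  handler          = "s3-lambdas.lambda_handler"
  runtime          = "python3.9"
  timeout          = 200
  description      = "invoke glue job"

  # The handler reads os.environ['glue_job']; nothing in this resource sets
  # it. Unless it is configured elsewhere, add an
  # environment { variables = { glue_job = "<glue-job-name>" } } block,
  # otherwise the function fails with KeyError on its first invocation.

  # Redundant with the implicit dependency through module.lambda_role.arn,
  # but harmless; kept as in the original.
  depends_on = [module.lambda_role]
}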

resource "aws_lambda_permission" "s3_lambdas_s3_events" {
  # Resource-based policy on the function: lets the S3 service principal
  # invoke it, restricted to events originating from this one bucket.
  statement_id  = "AllowS3Invoke"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.s3-lambdas.function_name
  principal     = "s3.amazonaws.com"

  # S3 bucket ARNs carry no account id. If the bucket name were ever
  # released and re-created in another account, that bucket could satisfy
  # this source_arn; setting `source_account = "<owning-account-id>"` as
  # well closes that gap.
  source_arn = "arn:aws:s3:::${module.bucket-name.name}"

  depends_on = [aws_lambda_function.s3-lambdas]
}

resource "aws_s3_bucket_notification" "bucket_notifications" {
  # This resource manages the bucket's entire notification configuration;
  # notifications on the bucket that are not declared here are removed.
  bucket = module.bucket-name.name

  # Only newly created objects whose key starts with abc/def/ invoke the
  # function.
  lambda_function {
    lambda_function_arn = aws_lambda_function.s3-lambdas.arn
    events              = ["s3:ObjectCreated:*"]
    filter_prefix       = "abc/def/"
  }

  # S3 validates that it may invoke the destination when the notification is
  # created, so the invoke permission must exist first.
  depends_on = [aws_lambda_permission.s3_lambdas_s3_events]
}

and my Lambda role, which has full S3 access on the bucket. s3.tf

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::dev-s3-bucket",
                "arn:aws:s3:::dev-s3-bucket/*"
            ]
        }
    ]
}

Even so, I get "An error occurred while listing S3 relations: Access Denied" when I try to create the S3 trigger.

Edited

# Name of the bucket the notification is attached to (resolved from the
# bucket module).
output "bucket_name" {
  value = module.bucket-name.name
}

bucket_name = dev-s3-bucket

# ARN of the execution role assigned to the function (from the role module).
output "iam_dev_arn" {
  value = module.lambda_role.arn
}

iam_dev_arn = arn:aws:iam::0123456789:role/s3-lambda-role

# ARN of the function that the S3 notification invokes.
output "div_arn" {
  value = aws_lambda_function.s3-lambdas.arn
}

div_arn = arn:aws:lambda:us-east-1:0123456789:function:s3-lambdas

assume_role_policy

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

I have added the outputs related to the module.

s3-lambdas

from __future__ import print_function
import boto3
import urllib
import os

# Module-level code: evaluated once when the module is imported, so the
# client below is shared by every lambda_handler call in the same process.
print('Loading function')

# Credentials and region come from the execution environment (the role
# attached to the function), not from anything in this file.
glue = boto3.client(service_name='glue')

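def lambda_handler(event, context):
    """Start the Glue job named by the ``glue_job`` environment variable.

    The S3 event payload is not inspected: every invocation that reaches
    this handler starts a job run, so the notification filter (bucket and
    prefix) and the function's invoke permission are the only things that
    limit who can start the job.

    Args:
        event: S3 notification payload (unused).
        context: Lambda runtime context (unused).

    Returns:
        A dict with ``statusCode`` 200 and a ``body`` naming the started job.

    Raises:
        KeyError: if ``glue_job`` is not set in the function environment.
        Exception: any error raised by ``glue.start_job_run`` or
            ``glue.get_job_run`` propagates unchanged (e.g. the role lacks
            the Glue permissions).
    """
    gluejobname = os.environ['glue_job']

    # The original try/except only re-raised the exception, which adds no
    # handling and, with ``raise e``, appends an extra frame to the
    # traceback; letting errors propagate is equivalent and cleaner.
    runId = glue.start_job_run(JobName=gluejobname)
    status = glue.get_job_run(JobName=gluejobname, RunId=runId['JobRunId'])
    # The full start_job_run response (including ResponseMetadata) is
    # logged; the run state comes from the follow-up get_job_run call.
    print("Job Status : ", status['JobRun']['JobRunState'], "runId", runId)
    return {
        "statusCode": 200,
        "body": gluejobname + " Job started",
    }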

s3 bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "denyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::dev-s3-bucket/*",
                "arn:aws:s3:::dev-s3-bucket"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

In your S3 bucket policy, can you make the following change and retry:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::dev-s3-bucket/abc/def/*"   <-- change this
            ]
        }
    ]
}
