We have a Lambda function that needs to be able to access a private S3 bucket.
The bucket has ‘block all public access’ enabled and the following resource policy:
{
  "Version": "2012-10-17",
  "Id": "Policy1620740846405",
  "Statement": [
    {
      "Sid": "Stmt1620740843181",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::'''''':role/integrations-shopifyBucketOrdersFunctionRole-*****",
          "arn:aws:iam::'''''':root",
          "arn:aws:iam::''''''':user/transalisS3"
        ]
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::bucket/*",
        "arn:aws:s3:::bucket"
      ]
    }
  ]
}
I have also attached the AmazonS3FullAccess policy directly to the IAM role that the Lambda uses. However, when the Lambda function tries to access the S3 bucket it gives an access denied error:
AccessDenied: Access Denied
An external system that connects to S3 using IAM User credentials also gets the same error when it tries to access the bucket.
Does anybody know what might be causing this error?
Below is the Lambda code that is erroring:
const AWS = require('aws-sdk');
const s3 = new AWS.S3();

exports.bucketOrders = async (event, context) => {
  let response = {};
  // Bucket and key of the object that triggered the S3 event notification
  let eventBucket = event.Records[0].s3.bucket.name;
  let eventFile = event.Records[0].s3.object.key;
  let decodedKey = decodeURIComponent(eventFile);
  try {
    let objectData = await s3.getObject({
      Bucket: eventBucket,
      Key: decodedKey,
    }).promise();
    // (remainder of the handler not included in the question)
  } catch (err) {
    // Log the failing bucket/key together with the SDK error (e.g. AccessDenied)
    console.error('getObject failed for', eventBucket, decodedKey, err);
    throw err;
  }
  return response;
};
Anonymous Asked question May 14, 2021
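The following is an added example, not code from the question or its author. It is a small offline Node.js helper for checking two things that are worth verifying before digging into account-level settings when an S3-triggered Lambda gets AccessDenied: whether the object key is being decoded the way S3 event notifications encode it (URL-encoded, with spaces as `+`, so `decodeURIComponent` alone is not enough), and whether the bucket policy's statements actually name the identity the function runs as (an assumed-role session ARN rather than the IAM role ARN). The account ID, role name, bucket name and event record are constructed placeholders. The policy evaluator is deliberately narrow: it compares principals exactly, honours explicit Deny over Allow, and ignores `Condition` and `NotPrincipal`; a match here is necessary but not sufficient, since an SCP, a permissions boundary, a KMS key policy on encrypted objects, or objects owned by another account can still produce the same error.

```javascript
// Added example (not from the question): offline checks for an S3-triggered
// Lambda that receives AccessDenied. Account ID, role name, bucket name and
// the event record below are constructed placeholders.

// 1. S3 event notifications URL-encode the object key and encode spaces as '+'.
//    decodeURIComponent() on its own leaves the '+' in place, so the key
//    "orders/May 2021/order#1.json" would be requested as "orders/May+2021/...".
function keyFromS3Record(record) {
  const rawKey = record.s3.object.key;
  return decodeURIComponent(rawKey.replace(/\+/g, ' '));
}

// 2. A Lambda calls S3 as an assumed-role session
//    (arn:aws:sts::ACCOUNT:assumed-role/RoleName/session). A bucket policy
//    names the role by its IAM ARN, so map one form to the other before comparing.
function roleArnFromCallerArn(callerArn) {
  const m = callerArn.match(/^arn:aws:sts::(\d{12}):assumed-role\/([^/]+)\/.+$/);
  return m ? `arn:aws:iam::${m[1]}:role/${m[2]}` : callerArn;
}

// IAM-style glob: '*' matches any run of characters, '?' exactly one.
// Action names are case-insensitive; S3 resource ARNs are not.
function iamGlob(pattern, value, ignoreCase) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp('^' + escaped + '$', ignoreCase ? 'i' : '').test(value);
}

// Principal ARNs are compared exactly (IAM does not expand wildcards inside a
// principal ARN). The account root principal is treated as covering every
// identity in that account, which still requires the identity's own policies
// to allow the action. NotPrincipal and Condition are not evaluated here.
function principalMatches(principal, callerArn) {
  if (principal === '*' || (principal && principal.AWS === '*')) return true;
  const listed = [].concat(principal && principal.AWS ? principal.AWS : []);
  const roleArn = roleArnFromCallerArn(callerArn);
  const account = roleArn.split(':')[4];
  return listed.some(p =>
    p === callerArn || p === roleArn ||
    p === `arn:aws:iam::${account}:root` || p === account);
}

function statementMatches(stmt, callerArn, action, resourceArn) {
  const actions = [].concat(stmt.Action || []);
  const resources = [].concat(stmt.Resource || []);
  return principalMatches(stmt.Principal, callerArn) &&
    actions.some(a => iamGlob(a, action, true)) &&
    resources.some(r => iamGlob(r, resourceArn, false));
}

// Explicit Deny wins over Allow; no matching statement means this bucket
// policy grants nothing to the caller (other policies may still apply).
function bucketPolicyAllows(policy, callerArn, action, resourceArn) {
  const matching = [].concat(policy.Statement || [])
    .filter(s => statementMatches(s, callerArn, action, resourceArn));
  const deny = matching.find(s => s.Effect === 'Deny');
  if (deny) return { allowed: false, reason: `explicit Deny in ${deny.Sid || 'unnamed statement'}` };
  const allow = matching.find(s => s.Effect === 'Allow');
  if (allow) return { allowed: true, reason: `Allow in ${allow.Sid || 'unnamed statement'}` };
  return { allowed: false, reason: 'no statement names this principal, action and resource' };
}

// Both checks for a single event record: the decoded key, the object ARN the
// GetObject call will target, and whether the bucket policy allows it.
function diagnoseRecord(policy, callerArn, record) {
  const key = keyFromS3Record(record);
  const resourceArn = `arn:aws:s3:::${record.s3.bucket.name}/${key}`;
  return { key, resourceArn, ...bucketPolicyAllows(policy, callerArn, 's3:GetObject', resourceArn) };
}

// Constructed sample data shaped like the question's policy and event.
const SAMPLE_POLICY = {
  Version: '2012-10-17',
  Statement: [{
    Sid: 'AllowOrdersFunctionRole',
    Effect: 'Allow',
    Principal: { AWS: ['arn:aws:iam::123456789012:role/example-orders-function-role'] },
    Action: 's3:*',
    Resource: ['arn:aws:s3:::example-bucket', 'arn:aws:s3:::example-bucket/*'],
  }],
};
const LAMBDA_CALLER = 'arn:aws:sts::123456789012:assumed-role/example-orders-function-role/orders-fn';
const SAMPLE_RECORD = {
  s3: { bucket: { name: 'example-bucket' }, object: { key: 'orders/May+2021/order%231.json' } },
};

console.log(JSON.stringify(diagnoseRecord(SAMPLE_POLICY, LAMBDA_CALLER, SAMPLE_RECORD)));
```

To apply it to a real function, pass the bucket policy as returned by `GetBucketPolicy`, the caller ARN reported by `sts:GetCallerIdentity` from inside the Lambda, and one record from the triggering event; an `allowed: false` with the reason `no statement names this principal` points at a principal or resource mismatch in the bucket policy, while `allowed: true` means the cause lies outside it.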