I've been developing an AWS Lambda function with Python and Serverless. It reads files from an S3 bucket and stores data from them in another bucket as a CSV. The code works perfectly with invoke local, but after deploying I get:

An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

This is the function:

s3_client.put_object(Body=data, Bucket=bucket_name, Key=key_name)

and part of the serverless yml

iamRoleStatements:
    - Effect: Allow
Action:
    - KMS:Decrypt
Resource: '*'
    - Effect: Allow
Action:
    - 's3:*'
Resource:
    - 'arn:aws:s3:::output_bucket'
    - 'arn:aws:s3:::output_bucket/*'
- Effect: Allow
Action:
    - 's3:ListBucket'
Resource:
    - 'arn:aws:s3:::input_bucket'
    - 'arn:aws:s3:::input_bucket/*'       

- Effect: Allow
    Action:
    - 's3:GetObject'
Resource:
    - 'arn:aws:s3:::input_bucket'
    - 'arn:aws:s3:::input_bucket/*' 

Is there any other configuration I need? Am I missing something obvious?

  • lambda has a role attached, that role should have access to s3, can you check that? Commented Jun 14, 2018 at 7:28
  • @GowthamChand how can I check that? the error is on s3_client = boto3.client('s3') cos I don't have the credentials, do you know how can I pass it by the .yml file? Commented Jun 15, 2018 at 7:05

1 Answer

For me the indent looks wrong. Please make sure to use it right.

iamRoleStatements:
  - Effect: Allow
    Action:
      - 'kms:Decrypt'
    Resource: '*'
  - Effect: Allow
    Action:
      - 's3:*'
    Resource:
      - 'arn:aws:s3:::output_bucket'
      - 'arn:aws:s3:::output_bucket/*'
  - Effect: Allow
    Action:
      - 's3:ListBucket'
      - 's3:GetObject'
    Resource:
      - 'arn:aws:s3:::input_bucket'
      - 'arn:aws:s3:::input_bucket/*'

FYI: I merged s3:ListBucket and s3:GetObject into one statement.
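
As an added example (not part of the question or the answer, and not Serverless Framework code): a small Python check that takes role statements already parsed into dicts, reports any statement missing a key, and tests whether a call such as s3:PutObject on the output bucket is covered. The function names, the sample object keys and the BROKEN input are assumptions made for illustration, and the evaluation is simplified as the docstring states.

```python
import re

def _match(pattern, value, ignore_case=False):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    flags = re.S | (re.I if ignore_case else 0)
    return re.fullmatch(rx, value, flags) is not None

def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

def malformed(statements):
    """Indexes of statements lacking Effect, Action or Resource."""
    need = ("Effect", "Action", "Resource")
    return [i for i, s in enumerate(statements)
            if not isinstance(s, dict) or any(k not in s for k in need)]

def allows(statements, action, resource):
    """True if an Allow statement covers the call and no Deny does.
    Simplified: identity statements only; no Condition, NotAction,
    bucket policy or KMS key policy evaluation."""
    allowed = False
    for s in statements:
        if not isinstance(s, dict):
            continue
        hit = (any(_match(a, action, True) for a in _as_list(s.get("Action")))
               and any(_match(r, resource) for r in _as_list(s.get("Resource"))))
        if hit and s.get("Effect") == "Deny":
            return False
        allowed = allowed or (hit and s.get("Effect") == "Allow")
    return allowed

# The answer's statements, in the shape a YAML parser returns them.
FIXED = [
    {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::output_bucket", "arn:aws:s3:::output_bucket/*"]},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::input_bucket", "arn:aws:s3:::input_bucket/*"]},
]
# Constructed: a list item that kept Effect but lost Action and Resource.
BROKEN = [{"Effect": "Allow"}]

if __name__ == "__main__":
    print(malformed(FIXED), malformed(BROKEN))
    print(allows(FIXED, "s3:PutObject", "arn:aws:s3:::output_bucket/out.csv"))
    print(allows(FIXED, "s3:PutObject", "arn:aws:s3:::input_bucket/out.csv"))
```
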
