Access Denied using boto3 through aws Lambda
Omuthu's answer actually correctly identified my problem, but it didn't provide a solution so I thought I'd do that.
It's possible that when you setup your permissions in IAM you made something like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::test"
      ]
    }
  ]
}
Unfortunately, that's not correct. You need to apply the Object permissions to the objects in the bucket. So it has to look like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::test"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::test/*"
      ]
    }
  ]
}
Note the second ARN with the /* at the end of it.
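As an added example (not code from the answer above), a small Python evaluator that applies IAM's Allow/Deny and wildcard rules to the two policies shown, making it visible that the first one permits s3:ListBucket on the bucket ARN but implicitly denies s3:GetObject on object ARNs, while the corrected one covers both. It is a simplified model by assumption: conditions, NotAction/NotResource, bucket policies and SCPs are ignored, so treat it as a teaching aid rather than a substitute for the IAM policy simulator.

```python
import re

# Two constructed policies from the answer above: the bucket-only one that yields
# Access Denied on object calls, and the corrected bucket + object version.
def _allow(actions, resource):
    return {"Effect": "Allow", "Action": actions, "Resource": [resource]}

BUCKET_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    _allow(["s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:ListBucket"],
           "arn:aws:s3:::test"),
]}
CORRECTED_POLICY = {"Version": "2012-10-17", "Statement": [
    _allow(["s3:ListBucket"], "arn:aws:s3:::test"),
    _allow(["s3:PutObject", "s3:GetObject", "s3:DeleteObject"], "arn:aws:s3:::test/*"),
]}

def _wildcard_match(pattern: str, value: str) -> bool:
    """IAM-style matching: '*' matches any run of characters, '?' a single one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def is_allowed(policy: dict, action: str, resource_arn: str) -> bool:
    """Simplified identity-policy evaluation: explicit Deny wins, then any matching
    Allow, else implicit deny. Conditions, NotAction/NotResource, bucket policies
    and SCPs are ignored here (an assumption of this toy evaluator)."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive; S3 ARNs are compared as written.
        if not any(_wildcard_match(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def explain(policy: dict, bucket: str, key: str) -> dict:
    """Which of the calls a Lambda typically makes would succeed under `policy`."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/{key}"  # object ARNs sit below the bucket ARN
    return {
        "s3:ListBucket": is_allowed(policy, "s3:ListBucket", bucket_arn),
        "s3:GetObject": is_allowed(policy, "s3:GetObject", object_arn),
        "s3:PutObject": is_allowed(policy, "s3:PutObject", object_arn),
    }
```

Running `explain(BUCKET_ONLY_POLICY, "test", "a/b/c/some.text")` reports ListBucket allowed and GetObject/PutObject denied, which is exactly the symptom the question describes.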
Adding to Amri's answer, if your bucket is private and you have the credentials to access it you can use the boto3.client:
import boto3

# ACCESS_KEY / SECRET_KEY are placeholders for the credentials that can read the bucket
s3 = boto3.client('s3', aws_access_key_id='ACCESS_KEY', aws_secret_access_key='SECRET_KEY')
response = s3.get_object(Bucket='BUCKET', Key='KEY')

* For this file: s3://bucket/a/b/c/some.text, Bucket is 'bucket' and Key is 'a/b/c/some.text'.
---EDIT---
You can easily change the script to accept the keys as environment variables, for instance, so they are not hardcoded. I left it like this for simplicity.
It is possible that the specific S3 object you are looking for has limited permissions:
- S3 object-level permission for read is denied
- The role attached to the Lambda does not have permission to get/read S3 objects
- If access is granted using an S3 bucket policy, verify that read permissions are provided
I had a similar problem; I solved it by attaching the appropriate policy to my user.
IAM -> Users -> Username -> Permissions -> Attach policy.
Also make sure you add the correct access key and secret access key; you can do so using the AWS CLI.