S3 bucket: Access denied #5288

Closed
derwaldgeist opened this issue Sep 11, 2018 · 7 comments

@derwaldgeist

derwaldgeist commented Sep 11, 2018

I am trying to save some data in an S3 bucket from an AWS Lambda function.

I've set up my serverless.yaml as described in the sample code, which means:

  • I enabled the iamRoleStatements section as is
  • I enabled the resources section and inserted my bucket name there

I can see that the bucket has been created in S3. But when I try to store a file to it, I'm getting an Access Denied error.

I assumed that the sample iamRoleStatements section would be enough to set up the required rights for putting files into the bucket. Is there anything else that you have to do?

I also tried the configuration from this sample:
https://github.com/serverless/examples/blob/master/aws-node-fetch-file-and-store-in-s3/serverless.yml
But it also failed.

@Kristiyandz

Hi,
What about the Lambda function, can you share your code? Also make sure you pass the correct format of the path.
I had the same issue multiple times because of an incorrect path.
Hope that helps.

@derwaldgeist
Author

Hi @Kristiyandz, thanks for the reply. The function is too complex to share, it's an adapter between two Enterprise systems. What do you mean by "path"? I used the ARN of the bucket, as reported by AWS.

@derwaldgeist
Author

BTW: I now called the lambda func via "invoke local", and it worked fine - the file has been stored in the bucket. However, it fails if the func is invoked from within the AWS environment.

@derwaldgeist
Author

I've checked the permissions of the role set in IAM now. There is no permission for any S3 buckets, only for the CloudWatch logs. Funnily enough, the func runs fine with invoke local.

@derwaldgeist
Author

OK. It was my fault. The iamRoleStatements statement was not put under provider. Guess that's what you meant by "path". Sorry for bothering.

@diegoaguilar

Just for reference to anyone running into this issue:

  • iamRoleStatements MUST be placed under the provider property in serverless.yml
  • The keys used locally are NOT the same as the keys functions will use when running once they get deployed
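An added example (not part of the original thread or of the Serverless project's code): a small Node.js check for the misplacement described above. It reports where each iamRoleStatements key sits in a serverless.yml and whether that is directly under provider; the function name findIamRoleStatements, the sample configs and the bucket name are constructed for illustration, and the scan assumes space-indented block-style YAML.

```javascript
// Added example: locate iamRoleStatements in a serverless.yml and check that
// it sits directly under `provider`. Assumes space-indented block-style YAML.
function findIamRoleStatements(yamlText) {
  const stack = [];   // enclosing mapping keys, as { indent, key }
  const found = [];
  yamlText.split(/\r?\n/).forEach((line, i) => {
    if (/^\s*(#|$)/.test(line)) return;                 // blank line or comment
    const m = /^( *)([A-Za-z_][\w.-]*)\s*:(\s|$)/.exec(line);
    if (!m) return;                                     // list item or scalar
    const indent = m[1].length;
    // Leave every mapping that is not a parent of this key.
    while (stack.length && stack[stack.length - 1].indent >= indent) stack.pop();
    if (m[2] === 'iamRoleStatements') {
      const path = stack.map((s) => s.key).join('.');
      found.push({ line: i + 1, path, ok: path === 'provider' });
    }
    stack.push({ indent, key: m[2] });
  });
  return found;
}

// Constructed sample configs (service, handler and bucket names are made up).
const HEAD = ['service: my-adapter', 'provider:', '  name: aws', '  runtime: nodejs8.10'];
const STATEMENTS = [
  'iamRoleStatements:',
  '  - Effect: "Allow"',
  '    Action:',
  '      - "s3:PutObject"',
  '    Resource: "arn:aws:s3:::my-example-bucket/*"',
];
const TAIL = ['functions:', '  store:', '    handler: handler.store'];

// Top-level iamRoleStatements: not under provider.
const MISPLACED = [...HEAD, ...STATEMENTS, ...TAIL].join('\n');
// Same block indented two spaces so it becomes a child of provider.
const FIXED = [...HEAD, ...STATEMENTS.map((l) => '  ' + l), ...TAIL].join('\n');

console.log('misplaced:', findIamRoleStatements(MISPLACED));
console.log('fixed:    ', findIamRoleStatements(FIXED));
```

A result with ok: false is the situation derwaldgeist reports: the statements are not under provider, and the deployed role had permissions only for the CloudWatch logs.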

@mayupumi

mayupumi commented May 9, 2019

Hi all. I still have the same issue.
I ran serverless create --template aws-nodejs and named it my-service.
I edited serverless.yml a little, like this:

service: my-service
provider:
  name: aws
  runtime: nodejs8.10
  stage: dev
  region: ap-northeast-1
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "s3:ListBucket"
      Resource: { "Fn::Join" : ["", ["arn:aws:s3:::", { "Ref" : "ServerlessDeploymentBucket" } ] ]  }
    - Effect: "Allow"
      Action:
        - "s3:PutObject"
      Resource:
        Fn::Join:
          - ""
          - - "arn:aws:s3:::"
            - "Ref" : "ServerlessDeploymentBucket"
            - "/*"
functions:
  hello:
    handler: handler.hello
resources:
 Resources:
   NewResource:
     Type: AWS::S3::Bucket
     Properties:
       BucketName: my-new-bucket
 Outputs:
    NewOutput:
      Description: "Description for the output"
      Value: "Some output value"

The handler.js is as is

'use strict';

module.exports.hello = async (event) => {
  return {
    statusCode: 200,
    body: JSON.stringify({
      message: 'Go Serverless v1.0! Your function executed successfully!',
      input: event,
    }, null, 2),
  };

  // Use this code if you don't use the http event with the LAMBDA-PROXY integration
  // return { message: 'Go Serverless v1.0! Your function executed successfully!', event };
};

When I run sls deploy, I get

C:\Users\user\workspace\serverless-test>sls deploy
Serverless: Packaging service...
Serverless: Excluding development dependencies...
Serverless: Creating Stack...
Serverless: Checking Stack create progress...
....
Serverless: Operation failed!
Serverless: View the full error output: https://ap-northeast-1.console.aws.amazon.com/cloudformation/home?region=ap-northeast-1#/stack/detail?stackId=arn%3Aaws%3Acloudformation%3Aap-northeast-1%3Axxxxxxxxxxxx%3Astack%2Fmy-service-dev%2F4a8d7ce0-71fa-11e9-9190-068e2b92c6b0

  Serverless Error ---------------------------------------

  An error occurred: ServerlessDeploymentBucket - API: s3:CreateBucket Access Denied.

  Get Support --------------------------------------------
     Docs:          docs.serverless.com
     Bugs:          github.com/serverless/serverless/issues
     Issues:        forum.serverless.com

  Your Environment Information ---------------------------
     OS:                     win32
     Node Version:           8.11.2
     Serverless Version:     1.41.1

My IAM role has "AdministratorAccess". I could create an S3 bucket via awscli, so I believe I have the right access.
Does anyone know the problem?
As @diegoaguilar described, is the "key" the problem? What is the difference between the local key and the keys functions use?
