Reading time·4 min
To grant a Lambda function access to an S3 Bucket, we have to attach an IAM policy to the function's execution role.
The policy should grant permissions for all the Actions
the function needs
to perform on the specified bucket.
For example, the following policy grants permission to upload objects to a specific S3 bucket.
YOUR_BUCKET
placeholder with your bucket's name.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:GetObjectAcl", "s3:AbortMultipartUpload" ], "Resource": [ "arn:aws:s3:::YOUR_BUCKET", "arn:aws:s3:::YOUR_BUCKET/*" ] } ] }
The permissions you have to grant your lambda function are use-case dependent.
"s3:*"
for the Action
element in the policy to grant full S3 access to the lambda function. However, it's best practice to grant an entity the least permissions that get the job done.You can view a full list of the s3 Actions
by visiting
the docs.
There is a Description
column that explains what each action does.
Most of the action names are intuitive, e.g. DeleteObject
, GetObject
,
PutObject
, etc.
To attach a policy to the lambda function's execution role:
Configuration
tab and then click Permissions
Click on the function's role
Click on Add Permissions
, then Attach policies
and click the
Create policy
button
In the JSON editor paste the following policy.
YOUR_BUCKET
placeholder and adjust the Actions
your lambda function needs to execute.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:Put*", "s3:Get*", "s3:Delete*" ], "Resource": [ "arn:aws:s3:::YOUR_BUCKET/*" ] } ] }
Click Next: Tags
, then Next: Review
and give your policy a name, then
click Create policy
.
In the browser tab with the function's role, refresh the page to load the new
policy and filter by the policy's name
Click on the checkbox next to the policy and click Attach Policies
At this point, the lambda function's role has been extended with a policy that grants access to some S3 actions on a specific bucket.
Invoke your lambda function and verify whether it has access to the S3 bucket.
If your function is still unable to access S3, try to increase the function's
timeout
by a second in the AWS console, or simply add an extra print
statement in the code and click the Deploy
button.
If your lambda function still doesn't have access to the S3 bucket, expand the IAM policy you added to the function's role and edit it to look like the policy below.
YOUR_BUCKET
placeholder with the name of your S3 bucket.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::YOUR_BUCKET", "arn:aws:s3:::YOUR_BUCKET/*" ] } ] }
The IAM policy above grants full access to an S3 bucket, so your lambda function will be able to execute all S3 actions on the bucket.
*
symbol is useful when debugging.After you've updated the policy, try to invoke your lambda function again. It should have permission to execute any action on the S3 bucket.
You can make the IAM policy less permissive after you verify which actions your lambda needs to run.
Deny
effect will always override any Allow
statements.I've also written a tutorial on how to add permissions to Lambda functions in AWS CDK.
You can learn more about the related topics by checking out the following tutorials: