How to Grant AWS Lambda Access to an S3 Bucket

avatar

Borislav Hadzhiev

Last updated: Jul 25, 2022

banner

Check out my new book

Grant AWS Lambda Access to an S3 Bucket #

In order to grant a Lambda function access to an S3 Bucket, we have to attach an IAM policy to the function's execution role. The policy should grant permissions for all the Actions the function needs to perform on the specified bucket.

For example, the following policy grants permissions to upload objects to a specific S3 bucket.

The policy applies to a specific bucket, so make sure to replace the YOUR_BUCKET placeholder with your bucket's name.
upload-object-to-s3.json
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:GetObjectAcl", "s3:AbortMultipartUpload" ], "Resource": [ "arn:aws:s3:::YOUR_BUCKET", "arn:aws:s3:::YOUR_BUCKET/*" ] } ] }

The permissions you have to grant your lambda function are use case dependent.

You could set "s3:*" for the Action element in the policy to grant full S3 access to the lambda function. However, it's best practice to grant an entity the least permissions that get the job done.

You can view a full list of the s3 Actions by visiting the docs.

There is a Description column that explains what each action does.

Most of the action names are intuitive, e.g. DeleteObject, GetObject, PutObject, etc.

To attach a policy to the lambda function's execution role, you have to:

  1. Open the AWS Lambda console and click on your function's name
  2. Click on the Configuration tab and then click Permissions

click on function role

  1. Click on the function's role

  2. Click on Add Permissions, then Attach policies and click the Create policy button

  3. In the JSON editor paste the following policy.

Replace the YOUR_BUCKET placeholder and adjust the Actions your lambda function needs to execute.
example-s3-policy.json
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:Put*", "s3:Get*", "s3:Delete*" ], "Resource": [ "arn:aws:s3:::YOUR_BUCKET/*" ] } ] }
  1. Click Next: Tags, then Next: Review and give your policy a name, then click Create policy.

  2. In the browser tab with the function's role, refresh the page to load in the new policy and filter by the policy's name filter by policy name

  3. Click on the checkbox next to the policy and click Attach Policies

At this point the lambda function's role has been extended with a policy that grants access to some S3 actions on a specific bucket.

It can take up to a minute until the IAM changes have been propagated and the policy is in effect.

Invoke your lambda function and verify whether it has access to the S3 bucket.

If your function is still unable to access S3, try to increase the function's timeout by a second in the AWS console, or simply add an extra print statement in the code and click the Deploy button.

If your lambda function still doesn't have access to the s3 bucket, expand the IAM policy you added to the function's role and edit it to look like the policy below.

edit policy

Replace the YOUR_BUCKET placeholder with the name of your S3 bucket.
s3-full-access.json
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::YOUR_BUCKET", "arn:aws:s3:::YOUR_BUCKET/*" ] } ] }

The IAM policy above grants full access to an S3 bucket, so your lambda function will be able to execute all S3 actions on the bucket.

It's best practice to grant the least possible permissions that enable you to get the job done, however the asterisk * symbol is useful when debugging.

After you've updated the policy, try to invoke your lambda function again. It should have permissions to execute any action on the S3 bucket.

You can make the IAM policy less permissive after you verify which actions your lambda needs to run.

Note that a policy statement with a Deny effect will always override any Allow statements.

Further Reading #

Use the search field on my Home Page to filter through my more than 3,000 articles.