Use S3 Object Lambda from another Lambda

0

I am trying to call an S3 Object Lambda from a Lambda. I use CDK to deploy the stack.

When I use the AWS CLI with aws s3api get-object, everything works fine.

With the following stack, the caller Lambda gets a Forbidden exception every time.

caller lambda

// imports and client assumed (AWS SDK v3); the original snippet omitted them
import { GetObjectCommand, S3Client } from '@aws-sdk/client-s3';

const s3Client = new S3Client({});

export const handler = async () => {
  const command = new GetObjectCommand({
    // BUCKET holds the Object Lambda access point ARN set by the CDK stack
    Bucket: process.env.BUCKET,
    Key: `given_key`,
  });

  // this is the call that fails with Forbidden
  const result = await s3Client.send(command);
  return result;
};

object lambda

// imports, client and event type assumed (AWS SDK v3); the original snippet omitted them
import { S3 } from '@aws-sdk/client-s3';

const s3 = new S3({});

// minimal shape of the S3 Object Lambda GetObject event
interface Event {
  getObjectContext: {
    inputS3Url: string;
    outputRoute: string;
    outputToken: string;
  };
  userRequest: {
    url: string;
    headers: Record<string, string>;
  };
}

export const handler = async (event: Event) => {
  const objectGetContext = event.getObjectContext;
  const requestRoute = objectGetContext.outputRoute;
  const requestToken = objectGetContext.outputToken;
  const url = event.userRequest.url;

  // hand the (here: diagnostic JSON) response back to S3 for the caller
  await s3.writeGetObjectResponse({
    Body: JSON.stringify({
      requestRoute,
      requestToken,
      url,
    }, null, 2),
    RequestRoute: requestRoute,
    RequestToken: requestToken,
  });

  return { statusCode: 200 };
};

CDK

// imports assumed (CDK v2 module layout); the original snippet omitted them
import * as path from 'path';
import { RemovalPolicy, Stack } from 'aws-cdk-lib';
import * as lambda from 'aws-cdk-lib/aws-lambda';
import { Function } from 'aws-cdk-lib/aws-lambda';
import { Policy, PolicyStatement } from 'aws-cdk-lib/aws-iam';
import { BlockPublicAccess, Bucket } from 'aws-cdk-lib/aws-s3';
import { AccessPoint } from '@aws-cdk/aws-s3objectlambda-alpha';

const bucket = new Bucket(this, 'TemplateBucket', {
    blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
    autoDeleteObjects: true,
    removalPolicy: RemovalPolicy.DESTROY,
});

// the transforming (object lambda) function; the function props belong here,
// not on the AccessPoint construct
const handler = new Function(this, 'AccessPointHandler', {
    description: ' ',
    runtime: new lambda.Runtime('nodejs16.x', lambda.RuntimeFamily.NODEJS),
    handler: 'index.handler',
    code: lambda.Code.fromAsset(path.join(__dirname, 'given_path')),
});

const accessPoint = new AccessPoint(this, 'ObjectLambda', {
    bucket,
    handler,
    accessPointName: 'creator-template-access-point',
});

const caller = new Function(this, 'CallerFunction', {
  environment: {
    BUCKET: accessPoint.accessPointArn,
  },
  description: ' ',
  runtime: new lambda.Runtime('nodejs16.x', lambda.RuntimeFamily.NODEJS),
  handler: 'index.handler',
  code: lambda.Code.fromAsset(path.join(__dirname, 'given_path')),
});
// presumably the object lambda handler was meant here (the original passed `lambda`, the module)
bucket.grantRead(handler);

caller.role!.attachInlinePolicy(
  new Policy(this, 'policy', {
    statements: [new PolicyStatement({
        actions: [
        's3:GetBucket*',
        's3:GetObject*',
        's3:List*',
        ],
        resources: [
        `arn:aws:s3:${Stack.of(this).region}:${Stack.of(this).account}:accesspoint/${accessPoint.accessPointName}/object/*`,
        `arn:aws:s3:${Stack.of(this).region}:${Stack.of(this).account}:accesspoint/${accessPoint.accessPointName}/object`,
        ],
    })],
}));
Stefan
asked 6 months ago, 257 views
1 answer
0

If the object lambda executes correctly when you use the CLI, then I would guess that the issue is within the (caller) Lambda execution role. Make sure that this role has the necessary privileges to call S3 (s3:GetObject, maybe more). It might also be that there's an issue in the access point policy, though looking at your code it looks like you're not using one.

Michael (AWS)
answered 6 months ago
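The answer points at the caller's execution role. An added example (not code from Stefan's stack or from Michael's answer) that makes the role check concrete: an identity reading through an Object Lambda access point is authorized on the `s3-object-lambda:GetObject` action against the access point's own ARN, whose service segment is `s3-object-lambda`, not `s3`, and it additionally needs `lambda:InvokeFunction` on the transforming function and `s3:GetObject` on the supporting standard access point; the transforming function's role needs `s3-object-lambda:WriteGetObjectResponse`. The code below builds those statements from constructed region, account and names (all assumptions, including the supporting access point name) and runs a simplified identity-policy evaluation (explicit Deny wins, conditions and resource policies are not modelled) so a stack's statements can be checked offline before deploying.

```typescript
// Added example, not the question's or the answer's code. Names, region and
// account are constructed; the policy evaluator is a simplified model.

interface Statement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Action: string[];
  Resource: string[];
}

interface ObjectLambdaNames {
  region: string;
  account: string;
  functionName: string;            // the transforming Lambda function
  supportingAccessPoint: string;   // standard S3 access point on the bucket
  objectLambdaAccessPoint: string; // the Object Lambda access point
}

// Object Lambda access point ARN: the service segment is s3-object-lambda.
function objectLambdaArn(n: ObjectLambdaNames): string {
  return `arn:aws:s3-object-lambda:${n.region}:${n.account}:accesspoint/${n.objectLambdaAccessPoint}`;
}

// Supporting (standard) access point ARN: the service segment is s3.
function supportingAccessPointArn(n: ObjectLambdaNames): string {
  return `arn:aws:s3:${n.region}:${n.account}:accesspoint/${n.supportingAccessPoint}`;
}

// Statements for the identity that issues GetObject against the Object Lambda
// access point (here the caller Lambda's execution role).
function callerStatements(n: ObjectLambdaNames): Statement[] {
  return [
    { Sid: "AllowObjectLambdaGet", Effect: "Allow",
      Action: ["s3-object-lambda:GetObject"], Resource: [objectLambdaArn(n)] },
    { Sid: "AllowSupportingAccessPointGet", Effect: "Allow",
      Action: ["s3:GetObject"], Resource: [`${supportingAccessPointArn(n)}/object/*`] },
    { Sid: "AllowLambdaInvocation", Effect: "Allow",
      Action: ["lambda:InvokeFunction"],
      Resource: [`arn:aws:lambda:${n.region}:${n.account}:function:${n.functionName}`] },
  ];
}

// Statement for the transforming function's execution role; this action does
// not support resource-level restriction, so the resource is "*".
function handlerStatements(): Statement[] {
  return [
    { Sid: "AllowWriteGetObjectResponse", Effect: "Allow",
      Action: ["s3-object-lambda:WriteGetObjectResponse"], Resource: ["*"] },
  ];
}

// IAM wildcard matching: '*' matches any run, '?' one character; action names
// are matched case-insensitively, resource ARNs are not.
function iamMatch(pattern: string, value: string, ignoreCase: boolean): boolean {
  const body = pattern.split("").map(ch =>
    ch === "*" ? ".*" : ch === "?" ? "." : ch.replace(/[.+^${}()|[\]\\\/-]/g, "\\$&")).join("");
  return new RegExp("^" + body + "$", ignoreCase ? "i" : "").test(value);
}

// Simplified evaluation: any matching Deny wins, otherwise a matching Allow grants.
function isAllowed(statements: Statement[], action: string, resource: string): boolean {
  const hits = statements.filter(s =>
    s.Action.some(a => iamMatch(a, action, true)) &&
    s.Resource.some(r => iamMatch(r, resource, false)));
  if (hits.some(s => s.Effect === "Deny")) return false;
  return hits.some(s => s.Effect === "Allow");
}

// Would this role policy let GetObject through the Object Lambda access point?
function canGetThroughObjectLambda(statements: Statement[], n: ObjectLambdaNames): boolean {
  return isAllowed(statements, "s3-object-lambda:GetObject", objectLambdaArn(n));
}

// Constructed sample names for a stand-alone run.
const exampleNames: ObjectLambdaNames = {
  region: "eu-central-1",
  account: "123456789012",
  functionName: "AccessPointHandler",
  supportingAccessPoint: "creator-template-supporting",
  objectLambdaAccessPoint: "creator-template-access-point",
};

console.log(JSON.stringify({ caller: callerStatements(exampleNames), handler: handlerStatements() }, null, 2));
```

Feeding the evaluator a statement shaped like the one in the question (actions `s3:GetObject*` on an `arn:aws:s3:...:accesspoint/...` resource) returns false for the Object Lambda GetObject, which is the mismatch to look for first when the CLI call succeeds but the caller role is denied.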
