I want my AWS Lambda function to access my Amazon Simple Storage Service (Amazon S3) bucket.
Short description
To give your Lambda function access to an Amazon S3 bucket in the same AWS account, complete the following steps:
- Create an AWS Identity and Access Management (IAM) role for the Lambda function that also grants access to the S3 bucket.
- Configure the IAM role as the Lambda function execution role.
- Verify that the S3 bucket policy doesn't explicitly deny access to your Lambda function or its execution role.
Important: If your S3 bucket and the function IAM role are in different accounts, then grant the required permissions on the S3 bucket policy. For more information, see How do I provide cross-account access to objects that are in Amazon S3 buckets?
Resolution
Create an IAM role for the Lambda function that also grants access to the S3 bucket
To create an IAM role for the Lambda function that also grants access to the S3 bucket, complete the following steps:
-
Create an execution role in the IAM console.
-
From the list of IAM roles, choose the role that you created.
-
For the trust policy to allow Lambda to assume the execution role, add lambda.amazonaws.com as a trusted service. Choose the Trust relationships tab, then choose Edit trust policy.
-
Replace the variables in the policy with the following variables:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
-
Choose Update policy.
-
In the Permissions tab, choose Add inline policy.
-
Choose the JSON tab.
-
Enter a resource-based IAM policy that grants access to your S3 bucket. For more information, see Using resource-based policies for Lambda. The following example IAM policy grants access to a specific Amazon S3 bucket with Get permissions. To access the objects inside the Amazon S3 bucket, specify the correct path, or use a wildcard character ("*"). For more information, see Writing IAM Policies: how to grant access to an Amazon S3 bucket.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ExampleStmt",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::EXAMPLE-BUCKET/*"
]
}
]
}
Note: Replace "arn:aws:s3:::EXAMPLE-BUCKET" with your S3 bucket's ARN. If the object is encrypted with an AWS Key Management Service (AWS KMS) key, then you must provide additional permissions. For more information, see My Amazon S3 bucket has default encryption using a custom AWS KMS key. How can I allow users to download from and upload to the bucket?
-
Choose Review policy.
-
For Name, enter a name for your policy.
-
Choose Create policy.
Configure the IAM role as the Lambda function execution role
To configure the IAM role as the Lambda function execution role, complete the following steps:
- Open the Lambda console.
- Choose your Lambda function.
- Under Execution role, for Existing role, select the IAM role that you created.
- Choose Save.
Verify that the S3 bucket policy doesn't explicitly deny access to your Lambda function or its execution role
To review or edit your S3 bucket policy, follow the instructions in Adding a bucket policy by using the Amazon S3 console.
The following example IAM policy grants a Lambda execution role cross-account access to an S3 bucket:
{
"Id": "ExamplePolicy",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ExampleStmt",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::EXAMPLE-BUCKET/*"
],
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:role/ExampleLambdaRoleFor123456789012"
]
}
}
]
}
Note: Replace "arn:aws:s3:::EXAMPLE-BUCKET" with your S3 bucket's ARN and "arn:aws:iam::123456789012:role/ExampleLambdaRoleFor123456789012" with your Lambda execution role's ARN.
Related information
AWS Policy Generator