Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

How do I allow my Lambda function access to my Amazon S3 bucket?

4 minute read
1

I want my AWS Lambda function to access my Amazon Simple Storage Service (Amazon S3) bucket.

Short description

To give your Lambda function access to an Amazon S3 bucket in the same AWS account, complete the following steps:

  1. Create an AWS Identity and Access Management (IAM) role for the Lambda function that also grants access to the Amazon S3 bucket.
  2. Configure the IAM role as the Lambda function execution role.
  3. Verify that the Amazon S3 bucket policy doesn't explicitly deny access to your Lambda function or its execution role.

Important: If your Amazon S3 bucket and the function IAM role are in different accounts, then grant the required permissions on the Amazon S3 bucket policy. For more information, see How do I provide cross-account access to objects that are in Amazon S3 buckets?

Resolution

Create an IAM role for the Lambda function that also grants access to the Amazon S3 bucket

To create an IAM role for the Lambda function that also grants access to the Amazon S3 bucket, complete the following steps:

  1. Create an execution role in the IAM console.

  2. From the list of IAM roles, choose the role that you created.

  3. To configure the trust policy to allow Lambda to take on the execution role, add lambda.amazonaws.com as a trusted service. Choose the Trust relationships tab, then choose Edit trust policy.

  4. Replace the variables in the policy with the following variables:

    {
  "Version": "2012-10-17",
  "Statement": [
    {
     "Effect": "Allow",
     "Principal": {
     "Service": "lambda.amazonaws.com"
    },
  "Action": "sts:AssumeRole"
  }
 ]
}

  5. Choose Update policy.

  6. In the Permissions tab, choose Add inline policy.

  7. Choose the JSON tab.

  8. Enter a resource-based IAM policy that grants access to the Amazon S3 bucket. For more information, see Using resource-based policies for Lambda. The following example IAM policy grants access to a specific Amazon S3 bucket with Get permissions. To access the objects inside the Amazon S3 bucket, specify the correct path, or use a wildcard character ("*"). For more information, see Writing IAM Policies: how to grant access to an Amazon S3 bucket.

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStmt",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::example-bucket/*"
      ]
    }
  ]
}

    Note: Replace "arn:aws:s3:::example-bucket" with your Amazon S3 bucket's Amazon Resource Name (ARN). If you encrypted the object with an AWS Key Management Service (AWS KMS) key, then you must also provide the necessary permissions. For more information, see How do I allow users to download from and upload to an Amazon S3 bucket that I encrypted with a customer managed AWS KMS key?

  9. Choose Review policy.

  10. For Name, enter a name for your policy.

  11. Choose Create policy.

Configure the IAM role as the Lambda function execution role

To configure the IAM role as the Lambda function execution role, complete the following steps:

  1. Open the Lambda console.
  2. Choose your Lambda function.
  3. Under Execution role, for Existing role, select the IAM role that you created.
  4. Choose Save.

Verify that the Amazon S3 bucket policy doesn't explicitly deny access to your Lambda function or its execution role

Use the Amazon S3 console to review your Amazon S3 bucket policy. Verify that your policy allows access to your Lambda function and its execution role.

The following example IAM policy grants a Lambda execution role cross-account access to an Amazon S3 bucket:

{
  "Id": "ExamplePolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStmt",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::example-bucket/*"
      ],
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:role/ExampleLambdaRoleFor123456789012"
        ]
      }
    }
  ]
}

Note: Replace "arn:aws:s3:::example-bucket" with your Amazon S3 bucket's ARN and "arn:aws:iam::123456789012:role/ExampleLambdaRoleFor123456789012" with your Lambda execution role's ARN.

Related information

AWS Policy Generator

Topics
Storage
Tags
Amazon Simple Storage Service
Language
English

Related videos

Watch Francisco's video to learn more (3:40)
Watch Francisco's video to learn more (3:40)
AWS OFFICIALUpdated 2 months ago
5 Comments

This fails for me, even after repeating twice.

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
EXPERT
replied 2 years ago

Dear all,

I am able to setup the access from Lambda function to my S3 bucket following the guide above. I have additionally compiled steps with screenshots on how I did it in my blog post under the section "CONNECTING LAMBDA AND S3".

replied 2 years ago

Hi , anyone can help me, i did follow the steps, my lambda execution role still unable to access the S3 bucket,

my policy below:- { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "NotPrincipal": { "AWS": "arn:aws:iam::rolename" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucketname/*" } ] }

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 2 years ago

Relevant content