An error occurred (403) when calling the HeadObject operation: Forbidden when downloading a file from S3 bucket

0

The error occurs when executing s3_client.download_file(bucket, key, local_tar_file) in a Lambda function:

Here is the function in the lambda:

import logging
import os

import boto3
from botocore.exceptions import ClientError

logger = logging.getLogger(__name__)


class ExtractionError(Exception):
    """Raised when the incoming file cannot be fetched (the poster's own exception type)."""


def download_incoming_file(bucket, key):
    logger.info(f'download_incoming_file... {bucket} - {key}')
    try:
        # /tmp is the only writable location in the Lambda file system
        local_tar_file = '/tmp/' + os.path.basename(key)

        # Create S3 client with SSL enabled (boto3 already defaults to HTTPS)
        s3_client = boto3.client('s3', use_ssl=True)
        s3_client.download_file(bucket, key, local_tar_file)
        logger.info(f'downloaded incoming_file... {bucket} - {key} - {local_tar_file}')
    except ClientError as e:
        error_message = f'Error downloading files to S3 bucket : {bucket} file : {key}; Error : {str(e)}'
        logger.error(error_message)
        raise ExtractionError(error_message)
    return local_tar_file

Here is what the execution role policy looks like:

{
  "Statement": [
    {
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::abc-rrr-xxxx-yyyy-incoming"
      ]
    },
    {
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::abc-rrr-xxxx-yyyy-incoming/*"
      ]
    },
    {
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:kms:ap-east-1:123123141241:key/b0sfdasdf-4dfb-489a-8abd-8358761e0f9b"
      ]
    }
  ],
  "Version": "2012-10-17"
}

Here is what i have for S3 bucket policy:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "Deny Insecure Traffic",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::dchi-razor-prod-bishop-incoming/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

I verified that the bucket and key are correct, but I am not sure why I am getting this error. Can someone please point out what the issue is here?

  • Can you share the actual error message, it helps to understand the issue.
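The poster's policies can be checked offline against what download_file() actually needs. download_file() begins with a HeadObject call, and HeadObject is authorized by the s3:GetObject permission; because the role above also has s3:ListBucket on the bucket, a missing key would come back as 404 rather than 403, so the 403 is an authorization failure rather than a wrong key. For an object stored with SSE-KMS, S3 additionally requires kms:Decrypt on the key that encrypted that object, for HeadObject as well as GetObject, and the role policy above names one specific key ARN. The bucket policy's Deny only applies when aws:SecureTransport is false, i.e. plain HTTP, which boto3 does not use by default. The following is an added example, not the poster's code or anything from AWS: a small evaluator that models only '*'/'?' wildcards and the Bool condition operator, ignores Principal (same-account case, where the role's identity policy grants and the bucket policy can only deny), and uses the two policies from the question plus a hypothetical second KMS key ARN (PROD_KEY_ARN) standing in for a PROD bucket key that differs from DEV's.

```python
"""Offline check of the grants boto3's download_file() needs for one object.

Added example for this thread, not the poster's code. Models: s3:GetObject on
the object (authorizes HeadObject and GetObject), kms:Decrypt on the object's
SSE-KMS key, and bucket-policy Deny statements. Only '*'/'?' wildcards and the
Bool condition operator are implemented; Principal is ignored (same-account).
"""
import fnmatch

# Execution-role policy from the question (trailing commas removed so it parses).
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::abc-rrr-xxxx-yyyy-incoming"]},
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
         "Resource": ["arn:aws:s3:::abc-rrr-xxxx-yyyy-incoming/*"]},
        {"Effect": "Allow", "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
         "Resource": ["arn:aws:kms:ap-east-1:123123141241:key/b0sfdasdf-4dfb-489a-8abd-8358761e0f9b"]},
    ],
}

# Bucket policy from the question (the '*' wildcards that the page lost restored).
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Deny Insecure Traffic", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::dchi-razor-prod-bishop-incoming/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

# Hypothetical key ARN: stands in for a PROD bucket key that differs from the DEV key above.
PROD_KEY_ARN = "arn:aws:kms:ap-east-1:123123141241:key/00000000-0000-0000-0000-000000000000"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_met(condition, context):
    """Evaluate a Condition block; only the Bool operator is modelled."""
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for ckey, cval in pairs.items():
            # A context key that is absent never satisfies a Bool condition.
            if str(context.get(ckey, "")).lower() != str(cval).lower():
                return False
    return True


def _statement_matches(stmt, action, resource, context):
    # Action names are case-insensitive in IAM; resource ARNs are not. ARNs here contain no '['.
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_met(stmt.get("Condition", {}), context)


def policy_allows(policy, action, resource, context=None):
    """An explicit Deny wins; otherwise at least one Allow statement must match."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def policy_denies(policy, action, resource, context=None):
    """True if any Deny statement matches: what a bucket policy can do to a same-account caller."""
    context = context or {}
    return any(stmt["Effect"] == "Deny" and _statement_matches(stmt, action, resource, context)
               for stmt in policy["Statement"])


def required_grants(bucket, key, sse_kms_key_arn=None):
    """(action, resource) pairs download_file() needs. HeadObject and GetObject are both gated by
    s3:GetObject on the object; an SSE-KMS object additionally needs kms:Decrypt on its key."""
    grants = [("s3:GetObject", f"arn:aws:s3:::{bucket}/{key}")]
    if sse_kms_key_arn:
        grants.append(("kms:Decrypt", sse_kms_key_arn))
    return grants


def missing_grants(policy, bucket, key, sse_kms_key_arn=None):
    return [(a, r) for a, r in required_grants(bucket, key, sse_kms_key_arn)
            if not policy_allows(policy, a, r)]


def diagnose(role_policy, bucket_policy, bucket, key, sse_kms_key_arn=None, secure_transport=True):
    """Human-readable reasons a HeadObject/GetObject on this object would be refused."""
    reasons = [f"execution role lacks {a} on {r}"
               for a, r in missing_grants(role_policy, bucket, key, sse_kms_key_arn)]
    ctx = {"aws:SecureTransport": "true" if secure_transport else "false"}
    if policy_denies(bucket_policy, "s3:GetObject", f"arn:aws:s3:::{bucket}/{key}", ctx):
        reasons.append("bucket policy explicitly denies the request")
    return reasons


if __name__ == "__main__":
    dev_key = ROLE_POLICY["Statement"][2]["Resource"][0]
    for label, key_arn in (("DEV key", dev_key), ("PROD key", PROD_KEY_ARN)):
        found = diagnose(ROLE_POLICY, BUCKET_POLICY, "abc-rrr-xxxx-yyyy-incoming", "in/file.tar.gz", key_arn)
        print(label, found or "ok")
```

Run as-is, the object encrypted with the key named in the role policy comes back clean, while the same object encrypted with any other key reports a missing kms:Decrypt grant; the plain-HTTP Deny in the bucket policy only fires when the request context carries aws:SecureTransport=false. The real object's key ARN is in the SSEKMSKeyId field of a successful head_object() response made by a principal that can read it, and a hard-coded key ARN in the role policy has to match it per environment.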

3 Answers
0

Hello.

What are the ACL settings for the target object?
The bucket policy and IAM policy seemed fine, so is it possible that the object ACL is preventing access?
https://repost.aws/knowledge-center/s3-bucket-owner-access
https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl

I don't think it matters much, but since the version of the bucket policy you are using is old, I think it would be better to set it to "2012-10-17" as shown below.
https://repost.aws/knowledge-center/s3-bucket-policy-for-config-rule

{
  "Id": "ExamplePolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSSLRequestsOnly",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      },
      "Principal": "*"
    }
  ]
}
EXPERT
answered 10 days ago
EXPERT
reviewed 10 days ago
  • To add... 2008-10-17 was an earlier version of the policy language. You might see this version on older existing policies. Do not use this version for any new policies or when you update any existing policies. Newer features, such as policy variables, will not work with your policy.

  • Here is the ACL for the bucket:

    Grantee: Bucket owner (your AWS account)
    Objects: List, Write
    Bucket ACL: Read, Write

    I modified the code to create a /tmp/downloads directory and use it as the local directory. I also modified the bucket policy to the newer version.

    However, I still get the same error.

    Btw: this Lambda function without the modification (using /tmp/ as the download directory and the older version of the bucket policy) is working in the DEV env. I get the error only when I deploy it in PROD. I compared all the settings for the bucket and they are identical. I also use the same CloudFormation script to create the S3 bucket.

0

As well as Riku's suggestion.

What do you have defined for local_tar_file ?

With Lambda you can use /tmp to store the downloaded file. Anywhere else within the function is likely to fail due to not having write access.

EXPERT
answered 10 days ago
0

As your bucket config and IAM are proper, I believe the issue is with "local_tar_file = '/tmp/' + os.path.basename(key)", where you are trying to write into Lambda's file system.

answered 10 days ago
