1 Answer
Hey, there! The most common reason for a NoSuchBucket error is that the bucket name you're trying to access is incorrect or the bucket does not exist in the region you're specifying.

Here are some possible reasons:
- Incorrect Bucket Name or Region
- Permission or Policy Issue
- Assumed Role Credentials Issue

To ensure the cross-account role setup is correct and allows for the intended actions, please follow these guidelines:

- Roles Configuration Across Accounts:
  - You need to have two roles: one in Account A (Lambda execution role) and another in Account B (`s3Role`).
- Role in Account A Configuration:
  - The role in Account A should have permissions to assume another role. You must specify the ARN of the `s3Role` in Account B as a trusted entity in the trust policy of this role in Account A.
- Role in Account B Configuration (`s3Role`):
  - In Account B, `s3Role` must be configured with permissions to perform read, list, and put operations on the S3 bucket.
  - The trust policy of `s3Role` in Account B should include the ARN of the role in Account A, establishing trust and allowing the role in Account A to assume `s3Role`.
- Permission Policy Details:
  - Ensure that the permission policies attached to both roles are correctly defined to facilitate the cross-account access as intended.
I will provide an example to facilitate the diagnosis of the issue:
Account A (Lambda Execution Role)

Trusted Policy

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "lambda.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Permission Policy

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::ACCOUNT-B-ID:role/s3Role"
    }
  ]
}
```

Account B (s3Role for Accessing S3)

Trusted Policy

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::ACCOUNT-A-ID:role/LambdaExecutionRole" },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Permission Policy

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::YourBucketName",
        "arn:aws:s3:::YourBucketName/*"
      ]
    }
  ]
}
```
Please let me know if this helps you to identify the issue, I will be waiting for any comment from you.
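The following is an added example, not part of the answer above and not AWS code: an offline checker that reads the two policies of `s3Role` and the permission policy of the Lambda role and confirms the trust chain the answer describes is consistent (Account A role may call `sts:AssumeRole` on `s3Role`, `s3Role` trusts that exact role ARN, and `s3Role` can list the bucket and get/put its objects), plus a mapping from the S3 error codes a client may receive to the three causes the answer lists. The account IDs, role names, bucket name and region are constructed placeholders; the `list_bucket_via_assumed_role` function is a hypothetical Lambda-side call that uses boto3 and is only imported when that function runs, so the checks run without network access.

```python
from typing import Any, Dict, List

# Constructed placeholders mirroring the answer's policy examples; replace with real values.
ACCOUNT_A_ID = "111111111111"
ACCOUNT_B_ID = "222222222222"
LAMBDA_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A_ID}:role/LambdaExecutionRole"
S3_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B_ID}:role/s3Role"
BUCKET_NAME = "yourbucketname-placeholder"
BUCKET_REGION = "us-east-1"  # hypothetical; must match the region the bucket actually lives in

# Account A: permission policy of the Lambda execution role (shape taken from the answer).
LAMBDA_PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": S3_ROLE_ARN}],
}
# Account B: trust policy and permission policy of s3Role (shape taken from the answer).
S3_ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": LAMBDA_ROLE_ARN},
                   "Action": "sts:AssumeRole"}],
}
S3_ROLE_PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
        "Resource": [f"arn:aws:s3:::{BUCKET_NAME}", f"arn:aws:s3:::{BUCKET_NAME}/*"],
    }],
}


def _as_list(value: Any) -> List[Any]:
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allows(policy: Dict, action: str, resource: str) -> bool:
    """True if some Allow statement grants `action` on `resource`.
    Exact match or '*' only; partial wildcards are not expanded here."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(stmt.get("Action")), _as_list(stmt.get("Resource"))
        if (action in actions or "*" in actions) and (resource in resources or "*" in resources):
            return True
    return False


def _trusts(trust_policy: Dict, principal_arn: str) -> bool:
    """True if the trust policy lets exactly `principal_arn` call sts:AssumeRole."""
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal") or {}
        if isinstance(principal, dict) and principal_arn in _as_list(principal.get("AWS")):
            return True
    return False


def check_chain(lambda_role_arn: str, lambda_perms: Dict, s3_role_arn: str,
                s3_role_trust: Dict, s3_role_perms: Dict, bucket: str) -> List[str]:
    """Return the list of breaks in the cross-account chain; empty means consistent."""
    problems = []
    if not _allows(lambda_perms, "sts:AssumeRole", s3_role_arn):
        problems.append(f"Account A role may not call sts:AssumeRole on {s3_role_arn}")
    if not _trusts(s3_role_trust, lambda_role_arn):
        problems.append(f"s3Role trust policy does not name {lambda_role_arn}")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    if not _allows(s3_role_perms, "s3:ListBucket", bucket_arn):  # ListBucket is on the bucket ARN
        problems.append(f"s3Role lacks s3:ListBucket on {bucket_arn}")
    for action in ("s3:GetObject", "s3:PutObject"):  # object actions are on bucket/*
        if not _allows(s3_role_perms, action, bucket_arn + "/*"):
            problems.append(f"s3Role lacks {action} on {bucket_arn}/*")
    return problems


def classify_s3_error(code: str) -> str:
    """Map a botocore error code to the likely cause from the answer's list."""
    causes = {
        "NoSuchBucket": "incorrect bucket name, or no such bucket in the client's region",
        "PermanentRedirect": "bucket exists in another region; create the S3 client with that region_name",
        "AccessDenied": "permission or policy issue on s3Role, or the assumed-role credentials were not used",
    }
    return causes.get(code, "unrecognized code; inspect the full error response")


def list_bucket_via_assumed_role(role_arn: str, bucket: str, region: str) -> List[str]:
    """Hypothetical Lambda-side call: assume s3Role, then list the bucket with the temporary keys."""
    import boto3  # imported lazily so the offline checks above need no boto3
    from botocore.exceptions import ClientError
    creds = boto3.client("sts").assume_role(RoleArn=role_arn, RoleSessionName="cross-account-s3")["Credentials"]
    s3 = boto3.client("s3", region_name=region, aws_access_key_id=creds["AccessKeyId"],
                      aws_secret_access_key=creds["SecretAccessKey"], aws_session_token=creds["SessionToken"])
    try:
        resp = s3.list_objects_v2(Bucket=bucket)
    except ClientError as err:
        code = err.response["Error"]["Code"]
        raise RuntimeError(f"{code}: {classify_s3_error(code)}") from err
    return [obj["Key"] for obj in resp.get("Contents", [])]


if __name__ == "__main__":
    found = check_chain(LAMBDA_ROLE_ARN, LAMBDA_PERMISSION_POLICY, S3_ROLE_ARN,
                        S3_ROLE_TRUST_POLICY, S3_ROLE_PERMISSION_POLICY, BUCKET_NAME)
    print("chain OK" if not found else "\n".join(found))
```

The checker deliberately matches the exact role ARN in the trust policy, which is the form the answer uses; a trust policy that names the account root or uses a condition is outside what it recognises, so treat a "trust policy does not name" finding as a prompt to look at the policy, not as proof it is wrong.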