I try to call a S3 Object lambda from a lambda.
I use cdk to deploy the stack.
When I the aws cli with aws s3api get-object
every thing works fine.
With following stack, the caller lambda gets everytime a Forbidden exception.
caller lambda
export const handler = async () => {
const command = new GetObjectCommand({
Bucket: process.env.BUCKET,
Key: `given_key`,
});
const result = await s3Client.send(command);
};
object lambda
export const handler = async (event: Event) => {
const objectGetContext = event.getObjectContext;
const requestRoute = objectGetContext.outputRoute;
const requestToken = objectGetContext.outputToken;
const url = event.userRequest.url;
await s3.writeGetObjectResponse({
Body: JSON.stringify({
requestRoute,
requestToken,
url,
}, null, 2),
RequestRoute: requestRoute,
RequestToken: requestToken,
});
return { statusCode: 200 };
};
cdk
const bucket = new Bucket(this, 'TemplateBucket', {
blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
autoDeleteObjects: true,
removalPolicy: RemovalPolicy.DESTROY,
});
const handler = new Function(this, 'AccessPointHandler', {});
const accessPoint = new AccessPoint(this, 'ObjectLambda', {
bucket: this.bucket,
handler,
accessPointName: 'creator-template-access-point',
description: ' ',
runtime: new lambda.Runtime('nodejs16.x', lambda.RuntimeFamily.NODEJS),
handler: 'index.handler',
code: lambda.Code.fromAsset(path.join(__dirname, 'given_path')),
});
const caller = new Function(this, 'CallerFunction', {
environment: {
BUCKET: accessPoint.accessPointArn,
},
description: ' ',
runtime: new lambda.Runtime('nodejs16.x', lambda.RuntimeFamily.NODEJS),
handler: 'index.handler',
code: lambda.Code.fromAsset(path.join(__dirname, 'given_path')),
});
bucket.grantRead(lambda);
caller.role!.attachInlinePolicy(
new Policy(this, 'policy', {
statements: [new PolicyStatement({
actions: [
's3:GetBucket*',
's3:GetObject*',
's3:List*',
],
resources: [
`arn:aws:s3:${Stack.of(this).region}:${Stack.of(this).account}:accesspoint/${accessPoint.accessPointName}/object/*`,
`arn:aws:s3:${Stack.of(this).region}:${Stack.of(this).account}:accesspoint/${accessPoint.accessPointName}/object`,
],
})],
}));