By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Use s3 object lambda from another lambda

0

I try to call a S3 Object lambda from a lambda. I use cdk to deploy the stack.

When I the aws cli with aws s3api get-object every thing works fine.

With following stack, the caller lambda gets everytime a Forbidden exception.

caller lambda

export const handler = async () => {
  const command = new GetObjectCommand({
    Bucket: process.env.BUCKET, 
    Key: `given_key`,
  });

  const result = await s3Client.send(command);
};

object lambda

export const handler = async (event: Event) => {
  const objectGetContext = event.getObjectContext;
  const requestRoute = objectGetContext.outputRoute;
  const requestToken = objectGetContext.outputToken;
  const url = event.userRequest.url;

  await s3.writeGetObjectResponse({
    Body: JSON.stringify({
      requestRoute,
      requestToken,
      url,
    }, null, 2),
    RequestRoute: requestRoute,
    RequestToken: requestToken,
  });

  return { statusCode: 200 };
};

cdk


const bucket = new Bucket(this, 'TemplateBucket', {
    blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
    autoDeleteObjects: true,
    removalPolicy: RemovalPolicy.DESTROY,
});

const handler = new Function(this, 'AccessPointHandler', {});

const accessPoint = new AccessPoint(this, 'ObjectLambda', {
    bucket: this.bucket,
    handler,
    accessPointName: 'creator-template-access-point',
    description: ' ',
    runtime: new lambda.Runtime('nodejs16.x', lambda.RuntimeFamily.NODEJS),
    handler: 'index.handler',
    code: lambda.Code.fromAsset(path.join(__dirname, 'given_path')),
});

const caller = new Function(this, 'CallerFunction', {
  environment: {
    BUCKET: accessPoint.accessPointArn,
  },
  description: ' ',
  runtime: new lambda.Runtime('nodejs16.x', lambda.RuntimeFamily.NODEJS),
  handler: 'index.handler',
  code: lambda.Code.fromAsset(path.join(__dirname, 'given_path')),
});
bucket.grantRead(lambda);

caller.role!.attachInlinePolicy(
  new Policy(this, 'policy', {
    statements: [new PolicyStatement({
        actions: [
        's3:GetBucket*',
        's3:GetObject*',
        's3:List*',
        ],
        resources: [
        `arn:aws:s3:${Stack.of(this).region}:${Stack.of(this).account}:accesspoint/${accessPoint.accessPointName}/object/*`,
        `arn:aws:s3:${Stack.of(this).region}:${Stack.of(this).account}:accesspoint/${accessPoint.accessPointName}/object`,
        ],
    })],
}));
Topics
ServerlessStorageCompute
Tags
ServerlessAmazon Simple Storage ServiceAWS Lambda
Language
English
Stefan
asked 6 months ago246 views
1 Answer
0

If the object lambda executes correctly when you use the CLI, then I would guess that the issue is within the (caller) Lambda execution role. Make sure that this role has the necessary privileges to call S3 (s3:GetObject, maybe more). It might also be that there's an issue in the access point policy, though looking at your code it looks like you're not using a such.

profile pictureAWS
Michael
answered 6 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content