
Can anyone advise on this? I'm trying to access an S3 bucket from a Lambda function. I have created the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow", 
          "Principal": {
              "Service": "lambda.amazonaws.com"
          }, 
          "Action": "sts:AssumeRole"
      }, 
      {
          "Effect": "Allow",
          "Action": [
              "s3:GetObject"
          ], 
          "Resource": [
              "arn:aws:s3:::{{ bucketName }}/*"
          ]
      }
  ]
}

But this doesn't seem to work. I got an Assume Role Policy: MalformedPolicyDocument: Has prohibited field Resource.

Can't we merge multiple kinds of access in the same policy?

amir

1 Answer

You are mixing a trust policy and a permissions policy in a single document. You can't merge these two.

There is a difference between these policies.

The assume role policy is the role's trust policy.

Trust policy: allows the role to be assumed; it is not the role's permissions policy. Trust policies do not contain a Resource element.

Role's permissions policy (access control policy): what permissions the role grants to the assuming entity.

Ravindra Bagale
  • Ahh, thank you. So does that mean that I have to split and attach a policy on the bucket to allow access? So what is the best approach to allow Lambda to access the S3 bucket? – amir Dec 22 '20 at 16:50
  • @amir you should look at https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html#permissions-executionrole-api – LostJon Dec 22 '20 at 17:18
  • Hi LostJon. Thank you for the page. I did read it, and I got the assumeRole trust policy from it. However, my point is how to add S3 bucket access. It's not included in the documentation you provided, is it? – amir Dec 22 '20 at 18:05
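One way to catch the mix the answer describes before IAM rejects it, and to split the question's document into the separate trust policy and permissions policy, as an added example that is not part of the question or the answer; the bucket name `example-bucket` is a constructed placeholder standing in for `{{ bucketName }}`:

```python
import json

# Constructed sample: the combined document from the question, with a placeholder bucket name.
COMBINED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"Service": "lambda.amazonaws.com"},
     "Action": "sts:AssumeRole"},
    {"Effect": "Allow",
     "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::example-bucket/*"]}
  ]
}
""")

def is_trust_statement(stmt):
    """A trust statement names a Principal and grants sts:AssumeRole."""
    actions = stmt.get("Action", [])
    if isinstance(actions, str):
        actions = [actions]
    return "Principal" in stmt and "sts:AssumeRole" in actions

def split_policy(doc):
    """Split a mixed document into (trust_policy, permissions_policy); statements are kept verbatim."""
    trust, perms = [], []
    for stmt in doc["Statement"]:
        (trust if is_trust_statement(stmt) else perms).append(stmt)
    version = doc.get("Version", "2012-10-17")
    return ({"Version": version, "Statement": trust},
            {"Version": version, "Statement": perms})

def trust_policy_errors(doc):
    """Problems IAM rejects in a trust policy: a Resource field, or a statement with no Principal."""
    errors = []
    for i, stmt in enumerate(doc["Statement"]):
        if "Resource" in stmt:
            errors.append(f"statement {i}: has prohibited field Resource")
        if "Principal" not in stmt:
            errors.append(f"statement {i}: missing Principal")
    return errors

def permissions_policy_errors(doc):
    """Problems in an identity-based permissions policy: a Principal field, or a statement with no Resource."""
    errors = []
    for i, stmt in enumerate(doc["Statement"]):
        if "Principal" in stmt:
            errors.append(f"statement {i}: Principal is not allowed in an identity-based policy")
        if "Resource" not in stmt:
            errors.append(f"statement {i}: missing Resource")
    return errors
```

Running `trust_policy_errors(COMBINED_POLICY)` reports the same "prohibited field Resource" problem the question hit; after `split_policy`, the trust half goes on the role and the permissions half is attached to the role as its execution policy.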