s3 get_object giving Access Denied for SSE-KMS Encrypted Object

Question

I am trying to get the s3 encrypted object in lambda function using following code, but i am getting Access denied error for Get Object.

s3 = boto3.client('s3')
response = s3.get_object(Bucket=bucket, Key=key)

I lambda has a assigned ole in which i have provided the kms policy.

{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "kms:Decrypt",
            "kms:Encrypt"
        ],
        "Resource": "arn:aws:kms:ZONE:123456789012:key/ererwerwerwerer"
    }
{
        "Sid": "VisualEditor1",
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "*"
    }

Can anyone suggest me what I am missing here

score 1 · Answer 1 · answered Oct 06 '21 at 10:37

1

You are missing policies for accessing the S3 and make sure you update the S3 Bucket to allow access for the Lambda function.

answered Oct 06 '21 at 10:37

Lejdi Prifti

183
6

I have added the policy for the S3 bucket object – Taufik Pirjade Oct 06 '21 at 10:44
What about the s3 Bucket Access Policy? – Lejdi Prifti Oct 06 '21 at 10:45
Updating the key policy solved my problem. Thanks for the hint though – Taufik Pirjade Oct 06 '21 at 11:10
You're welcome. I would appreciate if you could accept my answer. – Lejdi Prifti Oct 06 '21 at 12:46

score 0 · Accepted Answer · answered Oct 06 '21 at 11:11

I was missing the lambda function role from KMS key policy.

{
        "Effect": "Allow",
        "Principal": {
            "AWS": [
                "arn:aws:iam::123456789012:role/xyz-lbz-lamda-role",
                "arn:aws:iam::123456789012:root"
            ]
        },
        "Action": "kms:*",
        "Resource": "*"
    }

s3 get_object giving Access Denied for SSE-KMS Encrypted Object

2 Answers2