
I have a lambda function deployed as a container image. My lambda handler in the docker image is accessing my s3 bucket for downloading one or more files. When I invoke my lambda function locally using the boto3 lambda client, sometimes it works fine but sometimes it returns the error {'errorMessage' : 'An error occurred (Access Denied) when calling the ListObjects operation: Access Denied', 'errorType':'ClientError'}. The line of code it shows the error on is

import boto3

s3 = boto3.resource('s3')
bucket = s3.Bucket(BUCKET_NAME)
for obj in bucket.objects.filter(Prefix=file_path):   # ---> this line raises the Access Denied error
    print(obj.key)   # the handler downloads each matched object here

My bucket policy looks like this:

{
    "Version": "2012-10-17",
    "Id": "Policy1657874069007",
    "Statement": [
        {
            "Sid": "Stmt1657874045596",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<account_id>:role/service-role/<lambda_role_arn>"
                ]
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::<bucket_name>",
                "arn:aws:s3:::<bucket_name>/*"
            ]
        }
    ]
}

I have also given the s3FullAccess role to my lambda function. I just don't understand what's happening. What's annoying is how it sometimes works fine but sometimes just starts giving this error. Can someone point out what I am doing wrong? I am new to AWS. Also, if I run the lambda container image locally, this error doesn't occur at all.

nmnsharma007
  • Are you sure your lambda (not shown) always uses exact same bucket? – Marcin Jul 16 '22 at 06:36
  • Yes, I have declared the BUCKET_NAME variable at the top in the handler function itself. It's the same every time – nmnsharma007 Jul 16 '22 at 06:38
  • can you post all role policies attached to your function? – Msvstl Jul 16 '22 at 07:21
  • There is just a lambda basic execution role(for pushing cloud watch logs) and a AmazonS3FullAccess role attached to the lambda – nmnsharma007 Jul 16 '22 at 07:27
  • Rather than using a Bucket Policy, it would be better to attach the S3 permissions to the IAM Role used by the Lambda function. It is strange that your access "works sometimes" -- it should either always work, or never work. – John Rotenstein Jul 16 '22 at 07:45
  • I mean I did give s3FullAccess, isn't that enough? I agree it's strange, that's why I am here – nmnsharma007 Jul 16 '22 at 07:54
  • If it works sometimes, then my guess is you have it configured to run in a VPC, but some subnets of the VPC you have it configured to use don't have access to a NAT Gateway or S3 VPC Endpoint. – Mark B Jul 16 '22 at 13:16
  • I didn't configure any VPC. I just deployed a container image, gave it s3FullAccess, gave a bucket policy to the bucket and started calling the function. – nmnsharma007 Jul 16 '22 at 13:37
  • @MarkB I think you were correct. It's some VPC-related issue. Do you know how to fix it? Since I didn't configure VPC and I am a beginner, I don't really know. – nmnsharma007 Jul 20 '22 at 05:12
  • If you didn't configure the Lambda to run in a VPC, then it's not a VPC-related issue. – Mark B Jul 20 '22 at 12:30
  • Then I guess there's no hope for me :(. I don't get why it works every single time locally though. What's so different about using a deployed lambda image compared to a local lambda image? – nmnsharma007 Jul 21 '22 at 05:01

0 Answers