Search code examples
amazon-web-servicesaws-lambdaboto3serverless-framework

AccessDenied error message when calling aws s3 buckets from serverless lambda function with boto3

I'm building a Serverless application with Amazon AWS. I'am now testing boto3 to get lists of buckets from my aws s3 service. Although my IAM user has AdministratorAccess access, everytime I try to invoke my lambda function, it shows an error message. Could anyone help me please? Thanks for your attention. This is my error message

{
    "stackTrace": [
        [
            "/var/task/handler.py",
            9,
            "hello",
            "for bucket in s3.buckets.all():"
        ],
        [
            "/var/runtime/boto3/resources/collection.py",
            83,
            "__iter__",
            "for page in self.pages():"
        ],
        [
            "/var/runtime/boto3/resources/collection.py",
            161,
            "pages",
            "pages = [getattr(client, self._py_operation_name)(**params)]"
        ],
        [
            "/var/runtime/botocore/client.py",
            312,
            "_api_call",
            "return self._make_api_call(operation_name, kwargs)"
        ],
        [
            "/var/runtime/botocore/client.py",
            605,
            "_make_api_call",
            "raise error_class(parsed_response, operation_name)"
        ]
    ],
    "errorType": "ClientError",
    "errorMessage": "An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied"
}

Here is my lambda function,handler.py

import json
import boto3


def hello(event, context):

    s3 = boto3.resource('s3')

    for bucket in s3.buckets.all():
        print(bucket.name)



    body = {
        "message": "gg"
    }


    response = {
        "statusCode": 200,
        "body": json.dumps(body)
    }

    return response

Here is my serverless.yml file

# Welcome to Serverless!
#
# This file is the main config file for your service.
# It's very minimal at this point and uses default values.
# You can always add more config options for more control.
# We've included some commented out config examples here.
# Just uncomment any of them to get that config option.
#
# For full config options, check the docs:
#    docs.serverless.com
#
# Happy Coding!

service: serverless-boto3

# You can pin your service to only deploy with a specific Serverless version
# Check out our docs for more details
# frameworkVersion: "=X.X.X"

provider:
  name: aws
  runtime: python2.7

# you can overwrite defaults here
#  stage: dev
#  region: us-east-1

# you can add statements to the Lambda function's IAM Role here
#  iamRoleStatements:
#    - Effect: "Allow"
#      Action:
#        - "s3:ListBucket"
#      Resource: { "Fn::Join" : ["", ["arn:aws:s3:::", { "Ref" : "ServerlessDeploymentBucket" } ] ]  }
#    - Effect: "Allow"
#      Action:
#        - "s3:PutObject"
#      Resource:
#        Fn::Join:
#          - ""
#          - - "arn:aws:s3:::"
#            - "Ref" : "ServerlessDeploymentBucket"
#            - "/*"

# you can define service wide environment variables here
#  environment:
#    variable1: value1

# you can add packaging information here
#package:
#  include:
#    - include-me.py
#    - include-me-dir/**
#  exclude:
#    - exclude-me.py
#    - exclude-me-dir/**

functions:
  hello:
    handler: handler.hello

#    The following are a few example events you can configure
#    NOTE: Please make sure to change your handler code to work with those events
#    Check the event documentation for details
    events:
      - http:
          path: users/create
          method: get
#      - s3: ${env:BUCKET}
#      - schedule: rate(10 minutes)
#      - sns: greeter-topic
#      - stream: arn:aws:dynamodb:region:XXXXXX:table/foo/stream/1970-01-01T00:00:00.000
#      - alexaSkill
#      - alexaSmartHome: amzn1.ask.skill.xx-xx-xx-xx
#      - iot:
#          sql: "SELECT * FROM 'some_topic'"
#      - cloudwatchEvent:
#          event:
#            source:
#              - "aws.ec2"
#            detail-type:
#              - "EC2 Instance State-change Notification"
#            detail:
#              state:
#                - pending
#      - cloudwatchLog: '/aws/lambda/hello'
#      - cognitoUserPool:
#          pool: MyUserPool
#          trigger: PreSignUp

#    Define function environment variables here
#    environment:
#      variable2: value2

# you can add CloudFormation resource templates here
#resources:
#  Resources:
#    NewResource:
#      Type: AWS::S3::Bucket
#      Properties:
#        BucketName: my-new-bucket
#  Outputs:
#     NewOutput:
#       Description: "Description for the output"
#       Value: "Some output value"
Solution

  • In your serverless.yml you have not given the Lambda function any permissions to access S3. The examples in your template are commented out.

    Lambda functions use IAM roles for permissions to access AWS resources. In the Amazon Management Console, select your Lambda function. Scroll down and look for Execution role. This will show you what your template created for your function.

    Manage Permissions: Using an IAM Role (Execution Role)

    Each Lambda function has an IAM role (execution role) associated with it. You specify the IAM role when you create your Lambda function. Permissions you grant to this role determine what AWS Lambda can do when it assumes the role. There are two types of permissions that you grant to the IAM role:

    • If your Lambda function code accesses other AWS resources, such as to read an object from an S3 bucket or write logs to CloudWatch Logs, you need to grant permissions for relevant Amazon S3 and CloudWatch actions to the role.

    • If the event source is stream-based (Amazon Kinesis Streams and DynamoDB streams), AWS Lambda polls these streams on your behalf. AWS Lambda needs permissions to poll the stream and read new records on the stream so you need to grant the relevant permissions to this role.

    IAM Policies for AWS Lambda