I’m using AWS Elastic Transcoder, which is not available in their GovCloud region. When Elastic Transcoder completes, it sends the job to a Lambda function in us-east-1 that I’m managing with Serverless. Ideally, I would like to move the file I generate with Elastic Transcoder to GovCloud; however, I’m not able to set up access. I have a basic access setup in my serverless.yml that looks like this:
```yaml
iamRoleStatements:
  - Effect: "Allow"
    Action:
      - "logs:CreateLogGroup"
      - "logs:CreateLogStream"
      - "logs:PutLogEvents"
    Resource: "arn:aws:logs:*:*:*"
  - Effect: "Allow"
    Action:
      - "s3:GetObject"
      - "s3:PutObject"
    Resource: "arn:aws:s3:::*"
  - Effect: "Allow"
    Action:
      - "s3:PutObject"
    Resource: "arn:aws-us-gov:s3:::*"
```
Basically, just to get this thing working I’d like to grant this Lambda access to all of my GovCloud buckets and I’ll lock it down from there.
When I go to deploy my Lambda I get an error message.
An error occurred while provisioning your stack: IamRoleLambdaExecution - Partition "aws-us-gov" is not valid for resource "arn:aws-us-gov:s3:::*"..
Any thoughts on how I can accomplish my goal here? Thanks!!
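
A pre-deploy check for the situation in the question, added here as an example and not part of the original post: it parses each statement's `Resource` ARN, reports any whose partition differs from the partition the role is deployed into (the condition the provisioning error names), and flags the all-buckets S3 wildcard. The function names and the `STATEMENTS` list are assumptions, constructed to mirror the posted serverless.yml.

```python
# Added example: lint IAM statements before deploying (not the poster's code).
# STATEMENTS is constructed to mirror the iamRoleStatements in the post.
STATEMENTS = [
    {"Effect": "Allow",
     "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:*:*:*"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": ["s3:PutObject"],
     "Resource": "arn:aws-us-gov:s3:::*"},
]


def parse_arn(arn):
    """Split arn:partition:service:region:account:resource into a dict."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    keys = ("prefix", "partition", "service", "region", "account", "resource")
    return dict(zip(keys, parts))


def lint_statements(statements, deploy_partition="aws"):
    """Return (statement index, resource, finding) for each problem resource."""
    findings = []
    for i, stmt in enumerate(statements):
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            arn = parse_arn(res)
            if arn["partition"] != deploy_partition:
                # The role lives in deploy_partition; an ARN from another
                # partition is what the provisioning error rejects.
                findings.append((i, res, "partition-mismatch"))
            elif (stmt["Effect"] == "Allow" and arn["service"] == "s3"
                  and arn["resource"] == "*"):
                # Grants the listed actions on every bucket in the partition.
                findings.append((i, res, "all-buckets-wildcard"))
    return findings


if __name__ == "__main__":
    for idx, res, finding in lint_statements(STATEMENTS):
        print(f"statement {idx}: {res}: {finding}")
```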