Accessing S3 Bucket from Lambda Access Denied

Hi everyone,
I'm quite new to S3 and IAM Roles in general.

I'm trying to access my S3 Bucket that I declared in my serverless.yml in my Lambda function. But I keep getting access denied.

This is my serverless.yml

provider:
  name: aws
  runtime: java8
  stage: dev
  region: eu-central-1
  memorySize: 1472
  iamRoleStatements:
    - Effect: Allow
      Action:
        - dynamodb:Query
        - dynamodb:Scan
        - dynamodb:GetItem
        - dynamodb:PutItem
        - dynamodb:UpdateItem
        - dynamodb:DeleteItem
        - s3:*
      Resource:
        - Fn::GetAtt:
            - Solution
            - Arn
        - Fn::GetAtt:
            - SolutionBucket
            - Arn

functions:
  s3test:
    handler: com.serverless.S3Test.S3Tester
    events:
      - http:
          path: s3test/{name}
          method: get

resources:
  Resources:
    Solution:
      Type: AWS::DynamoDB::Table
      DeletionPolicy: Retain
      Properties:
        AttributeDefinitions:
          - AttributeName: id
            AttributeType: S
        KeySchema:
          - AttributeName: id
            KeyType: HASH
        ProvisionedThroughput:
          ReadCapacityUnits: 1
          WriteCapacityUnits: 1
        TableName: "Solution"

    SolutionBucket:
      Type: AWS::S3::Bucket
      Properties:
        BucketName: pv-solutionbucket

And my function looks like this in Kotlin:

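import com.amazonaws.regions.Regions
import com.amazonaws.services.s3.AmazonS3ClientBuilder
import com.amazonaws.services.s3.model.ObjectMetadata
import com.amazonaws.services.s3.model.PutObjectRequest
import java.io.File

// bucketName, stringObjKeyName, fileObjKeyName and fileName are defined elsewhere in the handler
val s3Client = AmazonS3ClientBuilder.standard().withRegion(Regions.EU_CENTRAL_1).build()
s3Client.putObject(bucketName, stringObjKeyName, "Uploaded String Object") // string as object body
val request = PutObjectRequest(bucketName, fileObjKeyName, File(fileName)) // file upload with metadata
val metadata = ObjectMetadata()
metadata.contentType = "text/plain"
metadata.addUserMetadata("x-amz-meta-title", "someTitle")
request.metadata = metadata
s3Client.putObject(request)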

Any suggestions what's going wrong here?

You have to grant “s3:PutObject” on the bucket you’ve created with “/*” at the end. Try something like this:

    - Effect: "Allow"
      Action:
        - "s3:PutObject"
      Resource:
        Fn::Join: ['', [Fn::GetAtt: [ SolutionBucket, Arn ], '/*'] ]
3 Likes
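
Why the original statement is denied and the statement from the answer is allowed, as an added example that is not part of the original thread: a simplified Python model of IAM identity-policy matching (it ignores conditions, NotAction/NotResource, bucket policies and permission boundaries). The account ID in the table ARN and the object key are constructed placeholders; the bucket name is the one from the question.

```python
import re

def wildcard_match(pattern, value, ignore_case=False):
    """IAM-style wildcards: '*' matches any run of characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.DOTALL | (re.IGNORECASE if ignore_case else 0)
    return re.fullmatch(rx, value, flags) is not None

def as_list(v):
    return v if isinstance(v, list) else [v]

def is_allowed(statements, action, resource):
    """Explicit Deny wins; otherwise at least one matching Allow is required."""
    allowed = False
    for st in statements:
        # Action names are case-insensitive, resource ARNs are case-sensitive.
        hit = (any(wildcard_match(a, action, True) for a in as_list(st["Action"]))
               and any(wildcard_match(r, resource) for r in as_list(st["Resource"])))
        if hit and st["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and st["Effect"] == "Allow")
    return allowed

# What Fn::GetAtt [..., Arn] resolves to (account ID is a constructed placeholder).
TABLE_ARN = "arn:aws:dynamodb:eu-central-1:123456789012:table/Solution"
BUCKET_ARN = "arn:aws:s3:::pv-solutionbucket"
OBJECT_ARN = BUCKET_ARN + "/hello.txt"  # constructed object key

# Statement from the question: s3:* is granted, but only on the bucket ARN itself.
ORIGINAL = [{
    "Effect": "Allow",
    "Action": ["dynamodb:Query", "dynamodb:Scan", "dynamodb:GetItem", "dynamodb:PutItem",
               "dynamodb:UpdateItem", "dynamodb:DeleteItem", "s3:*"],
    "Resource": [TABLE_ARN, BUCKET_ARN],
}]

# Statement from the answer: object-level action on "<bucket ARN>/*".
FIXED = ORIGINAL + [{
    "Effect": "Allow",
    "Action": ["s3:PutObject"],
    "Resource": [BUCKET_ARN + "/*"],
}]

if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL), ("fixed", FIXED)):
        for action, arn in (("s3:ListBucket", BUCKET_ARN), ("s3:PutObject", OBJECT_ARN)):
            verdict = "Allow" if is_allowed(policy, action, arn) else "Deny"
            print(f"{name:8} {action:14} {arn:45} {verdict}")
```

Bucket-level actions such as `s3:ListBucket` are evaluated against the bucket ARN, while `s3:PutObject` is evaluated against the object ARN, which the bare bucket ARN never matches.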