How to grant access to AWS resources

I’ve been using SLS since 2017 and have obviously been missing something fundamental this entire time. The only way that my Lambdas can interact with S3 is if the S3 bucket is configured for public access. The IAM role statements in serverless.yml control the Lambda, but that makes no sense if the world can see the bucket anyway.

This challenge is further compounded by the need to allow the Lambda to call an Amplify deploy API endpoint. AFAIK there is no way to make that public (which is actually a good thing).

My only recourse, it seems, is to deploy my Lambda, then look for the roles that were created, go into IAM, find those roles and change permissions on them. Is there not an easier way to do this?

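For reference, this is how the role statements in serverless.yml are meant to grant a function access to a private bucket and to an Amplify app without making anything public. This is an added example and not code from the original post: the service name, bucket name, region, account id, Amplify app id and branch name are placeholders, and the `provider.iam.role.statements` key assumes Serverless Framework v2 or later (older versions use `provider.iamRoleStatements` with the same statement bodies).

```yaml
# Added example, not from the original thread. All names, the account id,
# the Amplify app id and the branch are placeholders to be replaced.
service: my-service

provider:
  name: aws
  runtime: nodejs18.x
  region: us-east-1
  iam:
    role:
      statements:
        # Listing is granted on the bucket ARN itself ...
        - Effect: Allow
          Action:
            - s3:ListBucket
          Resource: arn:aws:s3:::my-private-bucket
        # ... while object reads and writes are granted on the object ARNs.
        # Getting this split wrong is a common cause of "access denied".
        - Effect: Allow
          Action:
            - s3:GetObject
            - s3:PutObject
          Resource: arn:aws:s3:::my-private-bucket/*
        # Amplify has no public endpoint; the execution role is the only way in.
        # amplify:StartJob triggers a deployment of the given branch.
        - Effect: Allow
          Action:
            - amplify:StartJob
          Resource: arn:aws:amplify:us-east-1:123456789012:apps/APP_ID/branches/main/jobs/*

functions:
  deploy:
    handler: handler.deploy
```

With this in place the bucket can keep "Block all public access" turned on; the deployed function's execution role carries the grants. Note that these statements only apply to the role that `sls deploy` creates in AWS. When running `sls offline`, the code uses whatever credentials the local environment resolves (for example the profile named by `AWS_PROFILE`), so an "access denied" seen locally says nothing about the statements above.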

Well, actually, that does not work. Even adding full S3 access to the Lambda role yields “access denied” if the bucket is not public.

I should stop doubting myself. My code was fine. Turns out --aws-profile was not being honoured in my call to sls offline. Changing to AWS_PROFILE=xxx sls offline works. This whole time I have been pulling out my hair thinking I have been misunderstanding how SLS works all these years.

I would like a do-over on the last 4 days please.