How to grant access to AWS resources

tforster · March 11, 2020, 7:38pm

I’ve been using SLS since 2017 and obviously missing something fundamental this entire time. The only way that my Lambdas can interact with S3 is if the S3 bucket is configured for public access. The iam role statements in serverless.yml control the Lambda, but that makes no sense if the world can see the bucket anyway.

This challenge is further compounded by the need to allow the Lambda to call an Amplify deploy API endpoint. AFAIK there is no way to make that public (which is actually a good thing).

My only recourse it seems is to deploy my Lambda, then look for the roles that were created and go into IAM, find those roles and change permissions on them. Is there not an easier way to do this?

tforster · March 11, 2020, 7:45pm

Well, actually, that does not work. Even adding full S3 access to the Lambda role yields “access denied” if the bucket is not public.

tforster · March 11, 2020, 9:05pm

I should stop doubting myself. My code was fine. Turns out --aws-profile was not being honoured in my call to sls offline. Changing to AWS_PROFILE=xxx sls offline works. This whole time I have been pulling out my hair thinking I have been misunderstanding how SLS works all these years.

I would like a do-over on the last 4 days please.

Topic		Replies	Views
How to harden S3? Serverless Framework	0	385	March 9, 2020
How to let a function access bucket Serverless Framework	3	3627	December 2, 2017
Accessing S3 Bucket from Lambda Access Denied Serverless Framework lambda	1	10256	June 18, 2018
Can't list S3 buckets despite having FullAccess? Serverless Framework lambda , security	2	4357	October 19, 2018
SLS not passing profile creds to AWS? Serverless Framework aws	2	1908	July 30, 2017

How to grant access to AWS resources

Related Topics