How to let a function access bucket

aaa · June 19, 2017, 8:06am

Hello, everyone

I have a question about connection between serverless frame work and S3.
For details, I want to give lambda function permission to access S3bucket and put object.

yml file is below.

provider:
name: aws
runtime: java8
iamRoleStatements:
- Effect: “Allow”
Action:
- “s3:"
Resource:
- "”
stage: dev
region: us-east-1
profile: xxx
deploymentBucket: ‘’
stackPolicy:

Effect: Allow
Principal: “"
Action: "Update:”
Resource: “*”

function:
xxx:
handler: com.xxx.handler
package:
artifact: xxxjar
events:
- s3: xxx

resources:
Resources:
audiofiles:
Type: AWS::S3::Bucket
Properties:
BucketName: xxx
AccessControl: PublicRead

When I run this code, error happened. Error message is below

An error occurred while provisioning your stack: already exists in stack arn:aws:cloudformation:us-east-xxxstack/popcorn-serverless-dev/xxx

I wrote stackpolicy and AccessControl in order to avoid the error. Why this code output error??

Please teach.

Best regards,

aaa

matt-filion · June 21, 2017, 6:44am

Your yml is not formatted, use ‘’’ before and after your yml snippet so it formats since formatting is critical with yml.

There is an example of how to specify an IAM policy for your function to access s3. Look at bullet point 2. I’m on mobile so I’ll include the answer inline later.

github.com

matt-filion/serverless-external-s3-event/blob/master/README.md

# Why?
Overcomes the CloudFormation limitation on attaching an event to an uncontrolled bucket, for Serverless.com 1.9+. See [this stackoverflow issue](http://serverfault.com/questions/610788/using-cloudformation-with-an-existing-s3-bucket) for more information.

The serverless deploy command (```sls deploy```) will trigger a check to ensure the buckets already exist before deployment.
Post successfull deployment, the bucket event will be attached.

The serverless remove command (```sls remove```) will remove the bucket event before removing the cloudformation stack

# How?

**1. NPM dependency**
_Looking to eliminate this step, as it will place the dependency within your deployed code._
```
> npm install serverless-external-s3-event
```

**Declare the plugin in your serverless.yml**
```serverless.yml

plugins:

This file has been truncated. show original

aaa · June 21, 2017, 8:41am

Dear matt

I am aaa.
Thank you very much for your helping.
Your comment is very great for me, because I wrote yml firstly,

I will try reading your link.

Best regards,

aaa

dlumma · December 2, 2017, 4:15pm

Hi Folks,

I tried this but seem to have a formatting issue. I’d like to grant read/write access to three existing buckets, new-image-bucket, baseline-image-bucket, delta-image-bucket. I’ve updated serverless.yml like so:

Bucket:
      Type: AWS::S3::Bucket
      Properties:
        BucketName:
          Fn::Join:
            - ""
            - - "arn:aws:s3:::new-image-bucket"
            - - "arn:aws:s3:::baseline-image-bucket"
            - - "arn:aws:s3:::delta-image-bucket"
            - - Ref: AWS::AccountId
              - "-"
              - Ref: AWS::Region
              - -chromeless

When I attempt to deploy, I get:

 The CloudFormation template is invalid: Template error: every Fn::Join object requires two parameters, (1) a string delimiter and (2) a list of strings to be joined or a function that returns a list of strings (such as Fn::GetAZs) to be joined.

Any pointers?

Thanks!
-Denali

Topic		Replies	Views
How to Add iamRoleStatements to S3 Trigger Bucket Serverless Framework aws	3	11837	September 7, 2017
Write a file to S3 Serverless Framework lambda	3	3492	May 7, 2019
Should buckets created by event specification have Read permissions? Serverless Framework aws	1	893	July 15, 2017
Lambda-function-public-access-prohibited Actions Serverless Framework	1	2328	October 12, 2020
Accessing S3 Bucket from Lambda Access Denied Serverless Framework lambda	1	10433	June 18, 2018

How to let a function access bucket

Related topics