How to let a function access bucket

Hello, everyone

I have a question about connection between serverless frame work and S3.
For details, I want to give lambda function permission to access S3bucket and put object.

yml file is below.

provider:
name: aws
runtime: java8
iamRoleStatements:
- Effect: "Allow"
Action:
- "s3:"
Resource:
- "
"
stage: dev
region: us-east-1
profile: xxx
deploymentBucket: ''
stackPolicy:

  • Effect: Allow
    Principal: ""
    Action: "Update:
    "
    Resource: “*”

function:
xxx:
handler: com.xxx.handler
package:
artifact: xxxjar
events:
- s3: xxx

resources:
Resources:
audiofiles:
Type: AWS::S3::Bucket
Properties:
BucketName: xxx
AccessControl: PublicRead

When I run this code, error happened. Error message is below

An error occurred while provisioning your stack: already exists in stack arn:aws:cloudformation:us-east-xxxstack/popcorn-serverless-dev/xxx

I wrote stackpolicy and AccessControl in order to avoid the error. Why this code output error??

Please teach.

Best regards,

aaa

Your yml is not formatted, use ‘’’ before and after your yml snippet so it formats since formatting is critical with yml.

There is an example of how to specify an IAM policy for your function to access s3. Look at bullet point 2. I’m on mobile so I’ll include the answer inline later.

1 Like

Dear matt

I am aaa.
Thank you very much for your helping.
Your comment is very great for me, because I wrote yml firstly,

I will try reading your link.

Best regards,

aaa

Hi Folks,

I tried this but seem to have a formatting issue. I’d like to grant read/write access to three existing buckets, new-image-bucket, baseline-image-bucket, delta-image-bucket. I’ve updated serverless.yml like so:

Bucket:
      Type: AWS::S3::Bucket
      Properties:
        BucketName:
          Fn::Join:
            - ""
            - - "arn:aws:s3:::new-image-bucket"
            - - "arn:aws:s3:::baseline-image-bucket"
            - - "arn:aws:s3:::delta-image-bucket"
            - - Ref: AWS::AccountId
              - "-"
              - Ref: AWS::Region
              - -chromeless

When I attempt to deploy, I get:

 The CloudFormation template is invalid: Template error: every Fn::Join object requires two parameters, (1) a string delimiter and (2) a list of strings to be joined or a function that returns a list of strings (such as Fn::GetAZs) to be joined.

Any pointers?

Thanks!
-Denali