I have this serverless configuration file. The Lambda functions have access to S3 bucket.
When I deploy it on my AWS account it works perfectly fine. The csv files get downloaded to lambda function and processed as expected but when it’s deployed to another account, Lambda functions errors at downloading files from S3 bucket. I haven’t been able to figure out a reason for this.
I’ll be grateful if someone can point out what am I doing wrong here.
Also, The S3 bucket is created with Public permission. That also shouldn’t happen and I don’t know the reason why it creates a public S3 bucket.
service: eshot
plugins:
- serverless-step-functions
- serverless-pseudo-parameters
provider:
name: aws
runtime: go1.x
iamRoleStatements:
- Effect: Allow
Action:
- s3:getObject
- s3:putObject
- s3:putBucketPolicy
- states:startExecution
Resource: "*"
stage: ${opt:stage}
region: ${file(./config.yml):${opt:stage}.REGION}
environment:
ESHOT_UPLOADS_BUCKET: ${file(./config.yml):${opt:stage}.ESHOT_UPLOADS_BUCKET}
package:
exclude:
- ./**
include:
- ./eshot-send-notification
- ./eshot-process-records
- ./eshot-sfn-init
- ./eshot-cron-fn
- ./eshot-check-status
functions:
eshotCronFn:
handler: eshot-cron-fn
memorySize: 128
timeout: 600
events:
- schedule:
rate: cron(*/15 * * * ? *)
enabled: true
environment:
TOKEN: ${file(./config.yml):${opt:stage}.TOKEN}
BUCKET: ${file(./config.yml):${opt:stage}.ESHOT_UPLOADS_BUCKET}
ENDPOINT: ${file(./config.yml):${opt:stage}.ENDPOINT}
sfnInit:
handler: eshot-sfn-init
memorySize: 128
events:
- s3:
bucket: ${file(./config.yml):${opt:stage}.ESHOT_UPLOADS_BUCKET}
event: s3:ObjectCreated:*
timeout: 60
environment:
REGION: ${file(./config.yml):${opt:stage}.REGION}
STATE_MACHINE_ARN: "arn:aws:states:${file(./config.yml):${opt:stage}.REGION}:#{AWS::AccountId}:stateMachine:Eshot-${opt:stage}"
WEBHOOK: ${file(./config.yml):${opt:stage}.WEBHOOK}
processRecords:
handler: eshot-process-records
memorySize: 256
timeout: 300
environment:
TOKEN: ${file(./config.yml):${opt:stage}.TOKEN}
sendNotification:
handler: eshot-send-notification
memorySize: 128
timeout: 60
environment:
TOKEN: ${file(./config.yml):${opt:stage}.TOKEN}
WEBHOOK: ${file(./config.yml):${opt:stage}.WEBHOOK}
checkProgress:
handler: eshot-check-progress
memorySize: 128
timeout: 60
environment:
TOKEN: ${file(./config.yml):${opt:stage}.TOKEN}
stepFunctions:
stateMachines:
Eshot:
name: Eshot-${opt:stage}
definition:
StartAt: processRecords
States:
processRecords:
Type: Task
Resource: "arn:aws:lambda:${file(./config.yml):${opt:stage}.REGION}:#{AWS::AccountId}:function:${self:service}-${opt:stage}-processRecords"
Next: processRecordsStatus
processRecordsStatus:
Type: Choice
Choices:
- Variable: "$.status"
StringEquals: "Success"
Next: wait15Seconds
- Variable: "$.status"
StringEquals: "Failed"
Next: sendNotification
wait15Seconds:
Type: Wait
Seconds: 15
Next: checkProgress
checkProgress:
Type: Task
Resource: "arn:aws:lambda:${file(./config.yml):${opt:stage}.REGION}:#{AWS::AccountId}:function:${self:service}-${opt:stage}-checkProgress"
Next: jobStatus
jobStatus:
Type: Choice
Choices:
- Variable: "$.status"
StringEquals: "Success"
Next: sendNotification
- Variable: "$.status"
StringEquals: "Error"
Next: sendNotification
- Variable: "$.status"
StringEquals: "Waiting"
Next: wait15Seconds
sendNotification:
Type: Task
Resource: "arn:aws:lambda:${file(./config.yml):${opt:stage}.REGION}:#{AWS::AccountId}:function:${self:service}-${opt:stage}-sendNotification"
End: true
resources:
Resources:
EshotBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: ${file(./config.yml):${opt:stage}.ESHOT_UPLOADS_BUCKET}
PolicyDocument:
Statement:
- Action:
- s3:putObject
Effect: "Allow"
Principal: "*"
Resource:
- "arn:aws:s3:::${file(./config.yml):${opt:stage}.ESHOT_UPLOADS_BUCKET}/*.xls"
- "arn:aws:s3:::${file(./config.yml):${opt:stage}.ESHOT_UPLOADS_BUCKET}/*.csv"
- "arn:aws:s3:::${file(./config.yml):${opt:stage}.ESHOT_UPLOADS_BUCKET}/*.tsv"
- "arn:aws:s3:::${file(./config.yml):${opt:stage}.ESHOT_UPLOADS_BUCKET}/*.xlsx"