How do I allow my Lambda function access to my Amazon S3 bucket?

4 minute read
1

I want my AWS Lambda function to access my Amazon Simple Storage Service (Amazon S3) bucket.

Short description

To give your Lambda function access to an Amazon S3 bucket in the same AWS account, complete the following steps:

  1. Create an AWS Identity and Access Management (IAM) role for the Lambda function that also grants access to the S3 bucket.
  2. Configure the IAM role as the Lambda function execution role.
  3. Verify that the S3 bucket policy doesn't explicitly deny access to your Lambda function or its execution role.

Important: If your S3 bucket and the function IAM role are in different accounts, then grant the required permissions on the S3 bucket policy. For more information, see How do I provide cross-account access to objects that are in Amazon S3 buckets?

Resolution

Create an IAM role for the Lambda function that also grants access to the S3 bucket

To create an IAM role for the Lambda function that also grants access to the S3 bucket, complete the following steps:

  1. Create an execution role in the IAM console.

  2. From the list of IAM roles, choose the role that you created.

  3. For the trust policy to allow Lambda to assume the execution role, add lambda.amazonaws.com as a trusted service. Choose the Trust relationships tab, then choose Edit trust policy.

  4. Replace the variables in the policy with the following variables:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
         "Effect": "Allow",
         "Principal": {
         "Service": "lambda.amazonaws.com"
        },
      "Action": "sts:AssumeRole"
      }
     ]
    }
  5. Choose Update policy.

  6. In the Permissions tab, choose Add inline policy.

  7. Choose the JSON tab.

  8. Enter a resource-based IAM policy that grants access to your S3 bucket. For more information, see Using resource-based policies for Lambda. The following example IAM policy grants access to a specific Amazon S3 bucket with Get permissions. To access the objects inside the Amazon S3 bucket, specify the correct path, or use a wildcard character ("*"). For more information, see Writing IAM Policies: how to grant access to an Amazon S3 bucket.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "ExampleStmt",
          "Action": [
            "s3:GetObject"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::EXAMPLE-BUCKET/*"
          ]
        }
      ]
    }

    Note: Replace "arn:aws:s3:::EXAMPLE-BUCKET" with your S3 bucket's ARN. If the object is encrypted with an AWS Key Management Service (AWS KMS) key, then you must provide additional permissions. For more information, see My Amazon S3 bucket has default encryption using a custom AWS KMS key. How can I allow users to download from and upload to the bucket?

  9. Choose Review policy.

  10. For Name, enter a name for your policy.

  11. Choose Create policy.

Configure the IAM role as the Lambda function execution role

To configure the IAM role as the Lambda function execution role, complete the following steps:

  1. Open the Lambda console.
  2. Choose your Lambda function.
  3. Under Execution role, for Existing role, select the IAM role that you created.
  4. Choose Save.

Verify that the S3 bucket policy doesn't explicitly deny access to your Lambda function or its execution role

To review or edit your S3 bucket policy, follow the instructions in Adding a bucket policy by using the Amazon S3 console.

The following example IAM policy grants a Lambda execution role cross-account access to an S3 bucket:

{
  "Id": "ExamplePolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStmt",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-BUCKET/*"
      ],
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:role/ExampleLambdaRoleFor123456789012"
        ]
      }
    }
  ]
}

Note: Replace "arn:aws:s3:::EXAMPLE-BUCKET" with your S3 bucket's ARN and "arn:aws:iam::123456789012:role/ExampleLambdaRoleFor123456789012" with your Lambda execution role's ARN.

Related information

AWS Policy Generator

AWS OFFICIAL
AWS OFFICIALUpdated a month ago
5 Comments

This fails for me, even after repeating twice.

Ted
replied 7 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 7 months ago

Dear all,

I am able to setup the access from Lambda function to my S3 bucket following the guide above. I have additionally compiled steps with screenshots on how I did it in my blog post under the section "CONNECTING LAMBDA AND S3".

profile picture
replied 6 months ago

Hi , anyone can help me, i did follow the steps, my lambda execution role still unable to access the S3 bucket,

my policy below:- { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "NotPrincipal": { "AWS": "arn:aws:iam::rolename" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucketname/*" } ] }

HQ_NG
replied 6 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 6 months ago