I want to use an AWS Lambda function to upload files to an Amazon Simple Storage Service (Amazon S3) bucket in another AWS account, but I'm getting an Access Denied error. How can I fix this?

You receive an Access Denied error when the permissions between the AWS Lambda function and the Amazon S3 bucket are incomplete or incorrect.

To set up the correct permissions between a Lambda function in one account (Account A) and an S3 bucket in another account (Account B), follow these steps:

  1. In Account A, create an AWS Identity and Access Management (IAM) role (execution role) for the Lambda function that allows the function to upload objects to Amazon S3.
  2. In Account B, update the bucket policy to allow the Lambda function to upload objects.

Before you begin, be sure that you've already created:

In Account A, create an IAM role (execution role) for the Lambda function that allows the function to upload objects to Amazon S3

1. Create an IAM role for your Lambda function.

2. Note the Amazon Resource Name (ARN) of the IAM role for a later step. One way to get the ARN is to run the AWS Command Line Interface (AWS CLI) command get-role.

3. Attach a policy to the IAM role that grants the permission to upload objects (s3:PutObject) to the bucket in Account B. For example, this policy grants the role the permission to both s3:PutObject and s3:PutObjectAcl:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::AccountBBucketName/*"
        }
    ]
}

4. Change the execution role of your Lambda function to the IAM role that you created. You can change the execution role by configuring the function's settings.

In Account B, update the bucket policy to allow the Lambda function to upload objects

Update the bucket policy so that it specifies the ARN of the Lambda function's IAM role (execution role) as a Principal that has access to the action s3:PutObject. You can use a bucket policy similar to the following:

Note: This policy also grants the execution role the permission to s3:PutObjectAcl.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AccountA:role/AccountARole"
            },
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::AccountBBucketName/*"
            ]
        }
    ]
}
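As an added example (not part of the original article), the following Python checks that the execution-role policy and the bucket policy above actually agree on the role ARN, the action and the object ARN, since a cross-account request is denied unless both sides allow it, and shows a handler that uploads with the bucket-owner-full-control ACL, so that Account B, not Account A, owns the object on a bucket that still honors ACLs; setting that ACL on PutObject is what requires s3:PutObjectAcl in both policies. The account, role and bucket names are the article's placeholders, and the event fields key and body are assumed.

```python
import json

# Constructed sample policies mirroring the two in the article; the account, role
# and bucket names are the article's own placeholders, not real values.
ROLE_ARN = "arn:aws:iam::AccountA:role/AccountARole"
BUCKET = "AccountBBucketName"

ROLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": ["s3:PutObject", "s3:PutObjectAcl"],
  "Resource": "arn:aws:s3:::AccountBBucketName/*"}]}""")

BUCKET_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::AccountA:role/AccountARole"},
  "Action": ["s3:PutObject", "s3:PutObjectAcl"],
  "Resource": ["arn:aws:s3:::AccountBBucketName/*"]}]}""")


def _as_list(value):
    """IAM accepts a single string or a list for Action, Resource and Principal.AWS."""
    return [value] if isinstance(value, str) else list(value)


def _allows(stmt, action, resource, principal_arn=None):
    """True if one statement explicitly allows action on resource (and names principal_arn when given; a "*" principal is deliberately not accepted)."""
    if stmt.get("Effect") != "Allow":
        return False
    if action not in _as_list(stmt.get("Action", [])):
        return False
    if resource not in _as_list(stmt.get("Resource", [])):
        return False
    if principal_arn is None:
        return True
    principal = stmt.get("Principal", {})
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return principal_arn in _as_list(aws)


def missing_grants(role_policy, bucket_policy, role_arn, bucket):
    """Cross-account access needs BOTH sides to allow it; return whichever grant is missing."""
    objects = f"arn:aws:s3:::{bucket}/*"
    problems = []
    if not any(_allows(s, "s3:PutObject", objects) for s in role_policy["Statement"]):
        problems.append(f"execution role policy does not allow s3:PutObject on {objects}")
    if not any(_allows(s, "s3:PutObject", objects, role_arn) for s in bucket_policy["Statement"]):
        problems.append(f"bucket policy does not name {role_arn} as Principal for s3:PutObject")
    return problems


def lambda_handler(event, context):
    """Upload and hand ownership to Account B via the bucket-owner-full-control ACL (needs s3:PutObjectAcl)."""
    import boto3  # present in the Lambda runtime; imported here so the checks above run offline
    boto3.client("s3").put_object(Bucket=BUCKET, Key=event["key"],
                                  Body=event["body"].encode(), ACL="bucket-owner-full-control")
    return {"uploaded": f"s3://{BUCKET}/{event['key']}"}
```

Run missing_grants against the policies you actually deployed before invoking the function; an empty list means the role ARN, action and object ARN match on both sides.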

Published: 2019-01-16