How do I allow my Lambda execution role to access my Amazon S3 bucket?

Last updated: 2019-04-05

I want my AWS Lambda function to be able to access my Amazon Simple Storage Service (Amazon S3) bucket. How can I do that?

Short Description

Follow these steps:

1.    Create an AWS Identity and Access Management (IAM) role for the Lambda function that grants access to the S3 bucket.

2.    Modify the IAM role's trust policy.

3.    Set the IAM role as the Lambda function's execution role.

4.    Verify that the bucket policy grants access to the Lambda function's execution role.

Important: If the IAM role that you create for the Lambda function is in the same AWS account as the bucket, then you don't need to grant Amazon S3 permissions on both the IAM role and the bucket policy. Instead, you can grant the permissions on the IAM role and then verify that the bucket policy doesn't explicitly deny access to the Lambda function role. As an example, the following procedure grants Amazon S3 permissions on the IAM role. If the IAM role and the bucket are in different accounts, then you need to grant Amazon S3 permissions on both the IAM role and the bucket policy.

Resolution

Create an IAM role for the Lambda function that grants access to the S3 bucket

1.    Open the IAM console.

2.    From the navigation pane, choose Roles.

3.    Choose Create role.

4.    For AWS service, choose Lambda.

5.    Choose Next: Permissions.

6.    Choose Next: Tags.

7.    Choose Next: Review.

8.    For Role name, enter a name for the role.

9.    Choose Create role.

10.    From the list of IAM roles, choose the role that you just created.

11.    In the Permissions view, choose Add inline policy.

12.    Choose the JSON view.

13.    Enter a policy that grants access to your S3 bucket. You can use a policy that's similar to the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::ExampleBucketName",
                "arn:aws:s3:::ExampleBucketName/*"
            ]
        }
    ]
}

14.    Choose Review policy.

15.    For Name, enter a name for your policy.

16.    Choose Create policy.

Modify the IAM role's trust policy

1.    From the IAM console, open the IAM role that you created.

2.    Choose the Trust relationships view.

3.    Choose Edit trust relationship.

4.    For the Policy Document, update the policy to allow the AWS account root user to assume the role. If the IAM role and bucket belong to the same account, you can use this policy that specifies the Amazon Resource Name (ARN) of the root account user as a principal entity:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root",
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
If the IAM role and bucket belong to different accounts, you can use this policy that specifies the ARNs of both root users as principal entities:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::123456789012:root",
                "arn:aws:iam::098765432109:root"],
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Set the IAM role as the Lambda function's execution role

1.    Open the Lambda console.

2.    Choose your Lambda function.

3.    Under Execution role, for Existing role, select the IAM role that you created.

4.    Choose Save.
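The three sections above (create the role with its inline S3 policy, set the trust policy, make it the function's execution role) can be scripted instead of clicked through. The following is an added example written for this article, not AWS's own code: it builds the two policy documents shown above as plain Python dictionaries, so they can be reviewed or unit-tested without AWS access, and then applies them with boto3. The role name, bucket name, function name and inline policy name are placeholders you supply; boto3 and credentials with IAM and Lambda permissions are assumed only for the apply step.

```python
"""Added example (not AWS's own code): the console steps for the role, trust
policy and Lambda execution role, done with boto3. Policy documents are built
first as dictionaries so they can be inspected offline; apply_role() is the
only part that needs AWS access. Role, bucket, function and policy names are
placeholders."""
import json
from typing import Dict, List

LAMBDA_SERVICE_PRINCIPAL = "lambda.amazonaws.com"


def s3_access_policy(bucket_name: str) -> Dict:
    """Inline permissions policy from the 'Create an IAM role' section:
    the two account-wide list/location calls on '*', everything else scoped
    to the one bucket and the objects in it."""
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
                "Resource": "*",
            },
            {
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
            },
        ],
    }


def trust_policy(account_ids: List[str]) -> Dict:
    """Trust policy from the 'Modify the IAM role's trust policy' section.
    One account id produces the same-account form, two the cross-account form.
    The Lambda service principal is what lets the function assume the role,
    so it is always present."""
    if not account_ids:
        raise ValueError("at least one account id is required")
    for acct in account_ids:
        if not (acct.isdigit() and len(acct) == 12):
            raise ValueError(f"not a 12-digit AWS account id: {acct!r}")
    roots = [f"arn:aws:iam::{acct}:root" for acct in account_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    # a single ARN is emitted as a string and several as a
                    # list, matching the two policy documents in the article
                    "AWS": roots[0] if len(roots) == 1 else roots,
                    "Service": LAMBDA_SERVICE_PRINCIPAL,
                },
                "Action": "sts:AssumeRole",
            }
        ],
    }


def apply_role(role_name: str, bucket_name: str, account_ids: List[str],
               function_name: str, policy_name: str = "LambdaS3Access") -> str:
    """Create the role, attach the inline policy and make it the function's
    execution role. boto3 is imported here so the builders above work offline."""
    import boto3

    iam = boto3.client("iam")
    role = iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(trust_policy(account_ids)),
    )["Role"]
    iam.put_role_policy(
        RoleName=role_name,
        PolicyName=policy_name,
        PolicyDocument=json.dumps(s3_access_policy(bucket_name)),
    )
    # IAM is eventually consistent: if Lambda reports that the new role cannot
    # be assumed right after creation, wait a few seconds and retry this call.
    boto3.client("lambda").update_function_configuration(
        FunctionName=function_name, Role=role["Arn"]
    )
    return role["Arn"]


if __name__ == "__main__":
    # Dry run: print the same-account documents from the article.
    print(json.dumps(trust_policy(["123456789012"]), indent=2))
    print(json.dumps(s3_access_policy("ExampleBucketName"), indent=2))
```

Running the module prints the two documents for review; calling apply_role("ExampleLambdaRole", "ExampleBucketName", ["123456789012"], "my-function") performs the console steps. The inline policy reproduces the article's "s3:*" on the bucket; if the function only reads objects, narrowing Action to the specific calls it makes (for example s3:GetObject) is the least-privilege form of the same policy.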

Verify that the bucket policy grants access to the Lambda function's execution role

If your Lambda function's execution role (IAM role) is in the same AWS account as the bucket, then verify that the bucket policy doesn't explicitly deny access to the Lambda function or its execution role. As long as the bucket policy doesn't explicitly deny access, the Lambda function can access the bucket because of the permissions granted on its IAM role.

If your Lambda function's execution role and the bucket belong to different accounts, then you need to add a bucket policy that allows access to the bucket when the request is from the execution role. For this cross-account access, you need to grant the execution role the permissions to Amazon S3 on both its IAM policy and the bucket policy.

You can use a bucket policy that's similar to the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/ExampleLambdaRoleFor123456789012"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::ExampleBucketName",
                "arn:aws:s3:::ExampleBucketName/*"
            ]
        }
    ]
}
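The same-account case above turns on one check: that the bucket policy contains no explicit Deny that reaches the execution role. The following added example (written for this article, not AWS code) performs that check offline on a bucket policy document. It reports every Deny statement whose Principal (or NotPrincipal), Action (or NotAction) and Resource (or NotResource) would match the role for the actions and objects you intend to use, honouring IAM's "*" and "?" wildcards, and flags statements that carry a Condition as condition-dependent rather than evaluating them, since those depend on request context. It only examines the bucket policy, as this section asks; the role's own IAM policy, permission boundaries and SCPs are out of scope. The sample policy, role ARN and object key are constructed values.

```python
"""Added example (not AWS's own code): find Deny statements in a bucket policy
that would block a given execution role. Statements with a Condition are
reported as conditional, not evaluated. Sample values below are constructed."""
import fnmatch
import json
from typing import Dict, List


def _as_list(value) -> list:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_covers(stmt: Dict, role_arn: str) -> bool:
    """Does the Deny reach this role? In a bucket policy a principal of '*',
    the role ARN itself, the bare account id or the account's :root ARN all do."""
    account_id = role_arn.split(":")[4]
    forms = {"*", role_arn, account_id, f"arn:aws:iam::{account_id}:root"}

    def listed(principal) -> bool:
        if principal == "*":
            return True
        entries = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        return any(entry in forms for entry in entries)

    if "Principal" in stmt:
        return listed(stmt["Principal"])
    # Deny + NotPrincipal denies everyone except the listed principals
    return "NotPrincipal" in stmt and not listed(stmt["NotPrincipal"])


def _element_covers(stmt: Dict, key: str, values: List[str]) -> bool:
    """Match Action/Resource (or NotAction/NotResource) patterns against the
    requested values. Action names are case-insensitive in IAM."""
    norm = str.lower if key == "Action" else str
    patterns = [norm(p) for p in _as_list(stmt.get(key))]
    not_patterns = [norm(p) for p in _as_list(stmt.get("Not" + key))]
    values = [norm(v) for v in values]
    if patterns:
        return any(fnmatch.fnmatchcase(v, p) for v in values for p in patterns)
    if not_patterns:  # applies to everything the Not* patterns do not list
        return any(not any(fnmatch.fnmatchcase(v, p) for p in not_patterns) for v in values)
    return False


def find_denies(policy: Dict, role_arn: str, actions: List[str], resources: List[str]) -> List[Dict]:
    """Every Deny statement that would block role_arn doing any of `actions`
    on any of `resources`, with a flag for condition-dependent ones."""
    hits = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        if not (_principal_covers(stmt, role_arn)
                and _element_covers(stmt, "Action", actions)
                and _element_covers(stmt, "Resource", resources)):
            continue
        hits.append({"Sid": stmt.get("Sid", "<no Sid>"), "conditional": "Condition" in stmt})
    return hits


def check_policy_json(policy_json: str, role_arn: str, actions: List[str], resources: List[str]) -> List[Dict]:
    """Same check on the policy string that
    `aws s3api get-bucket-policy --bucket <name> --query Policy --output text` returns."""
    return find_denies(json.loads(policy_json), role_arn, actions, resources)


# Constructed sample: the article's Allow for the role plus two Deny
# statements a bucket owner might reasonably have added.
SAMPLE_ROLE = "arn:aws:iam::123456789012:role/ExampleLambdaRoleFor123456789012"
SAMPLE_OBJECTS = ["arn:aws:s3:::ExampleBucketName/data/input.csv"]
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowLambdaRole", "Effect": "Allow",
         "Principal": {"AWS": SAMPLE_ROLE}, "Action": "s3:*",
         "Resource": ["arn:aws:s3:::ExampleBucketName", "arn:aws:s3:::ExampleBucketName/*"]},
        {"Sid": "DenyDeletes", "Effect": "Deny", "Principal": "*",
         "Action": "s3:DeleteObject*", "Resource": "arn:aws:s3:::ExampleBucketName/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::ExampleBucketName/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

if __name__ == "__main__":
    for hit in find_denies(SAMPLE_BUCKET_POLICY, SAMPLE_ROLE,
                           ["s3:GetObject", "s3:PutObject"], SAMPLE_OBJECTS):
        kind = "condition-dependent" if hit["conditional"] else "explicit"
        print(f"{kind} Deny reaches the role: {hit['Sid']}")
```

On the sample policy, a function that reads and writes objects is reached only by the TLS-only Deny, which is condition-dependent (the SDK uses HTTPS, so it does not block in practice), while a function that deletes objects would also hit the explicit DenyDeletes statement. An empty result for the actions and objects the function actually uses is the condition this section asks you to verify.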
