How do I allow my Lambda execution role to access my Amazon S3 bucket?

Last updated: 2020-06-11

I want my AWS Lambda function to be able to access my Amazon Simple Storage Service (Amazon S3) bucket. How can I do that?

Short Description

Follow these steps:

1.    Create an AWS Identity and Access Management (IAM) role for the Lambda function that also grants access to the S3 bucket.

2.    Set the IAM role as the Lambda function's execution role.

3.    Verify that the bucket policy grants access to the Lambda function's execution role.

Important: If the IAM role that you create for the Lambda function is in the same AWS account as the bucket, then you don't need to grant Amazon S3 permissions on both the IAM role and the bucket policy. Instead, you can grant the permissions on the IAM role and then verify that the bucket policy doesn't explicitly deny access to the Lambda function role. As an example, the following procedure grants Amazon S3 permissions on the IAM role. If the IAM role and the bucket are in different accounts, then you need to grant Amazon S3 permissions on both the IAM role and the bucket policy.

Resolution

Create an IAM role (execution role) for the Lambda function that also grants access to the S3 bucket

1.    Follow the steps to create a Lambda execution role in the IAM console.

2.    From the list of IAM roles, choose the role that you just created.

3.    In the Permissions tab, choose Add inline policy.

4.    Choose the JSON tab.

5.    Enter a policy that grants access to your S3 bucket. You can use a policy that's similar to the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStmt",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET/*"
      ]
    }
  ]
}

6.    Choose Review policy.

7.    For Name, enter a name for your policy.

8.    Choose Create policy.

Set the IAM role as the Lambda function's execution role

1.    Open the Lambda console.

2.    Choose your Lambda function.

3.    Under Execution role, for Existing role, select the IAM role that you created.

4.    Choose Save.

Verify that the bucket policy grants access to the Lambda function's execution role

If your Lambda function's execution role (IAM role) is in the same AWS account as the bucket, then verify that the bucket policy doesn't explicitly deny access to the Lambda function or its execution role. As long as the bucket policy doesn't explicitly deny access, the Lambda function can access the bucket because of the permissions granted on its IAM role.

If your Lambda function's execution role and the bucket belong to different accounts, then you need to add a bucket policy that allows access to the bucket when the request is from the execution role. For this cross-account access, you need to grant the execution role the permissions to Amazon S3 on both its IAM policy and the bucket policy.

You can use a bucket policy that's similar to the following:

{
  "Id": "ExamplePolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStmt",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET/*"
      ],
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:role/ExampleLambdaRoleFor123456789012"
        ]
      }
    }
  ]
}
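The following is an added example, not code from AWS or this article: a small offline evaluator that applies the rule the article describes (an explicit Deny in either policy wins; in the same account an Allow on the execution role's policy is enough; across accounts both the role policy and the bucket policy must Allow) to constructed copies of the two policies above. It assumes principals match by exact ARN or "*", and it ignores Condition, NotAction and NotResource elements, so it is a check of the article's logic rather than a full IAM policy simulator.

```python
import fnmatch

# Constructed sample values, modelled on the two policies shown in the article.
ROLE_ARN = "arn:aws:iam::123456789012:role/ExampleLambdaRoleFor123456789012"
OBJECT_ARN = "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET/reports/2020-06.csv"
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ExampleStmt", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET/*"]}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ExampleStmt", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET/*"],
     "Principal": {"AWS": [ROLE_ARN]}}]}
# A bucket policy with an explicit Deny: the case the "Verify" section tells you to look for.
DENYING_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyLambdaRole", "Effect": "Deny", "Action": "s3:*",
     "Resource": "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET/*", "Principal": {"AWS": ROLE_ARN}}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(needle, patterns, fold_case=False):
    if fold_case:  # IAM action names are case-insensitive; resource ARNs are not
        needle, patterns = needle.lower(), [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(needle, p) for p in _as_list(patterns))

def _statement_applies(stmt, action, resource, principal_arn=None):
    if not _glob(action, stmt.get("Action", []), True) or not _glob(resource, stmt.get("Resource", [])):
        return False
    if principal_arn is None:  # identity-based policy: no Principal element to check
        return True
    principal = stmt.get("Principal", {})
    allowed = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    return any(p == "*" or p == principal_arn for p in allowed)

def _effects(policy, action, resource, principal_arn=None):
    return {s["Effect"] for s in policy["Statement"]
            if _statement_applies(s, action, resource, principal_arn)}

def can_access(role_arn, role_policy, bucket_owner_account, bucket_policy, action, resource):
    """Apply the article's rule: explicit Deny wins; same account needs an Allow on the role
    policy (or the bucket policy); cross-account needs an Allow on both policies."""
    role_effects = _effects(role_policy, action, resource)
    bucket_effects = _effects(bucket_policy, action, resource, principal_arn=role_arn)
    if "Deny" in role_effects or "Deny" in bucket_effects:
        return False
    same_account = role_arn.split(":")[4] == bucket_owner_account
    if same_account:
        return "Allow" in role_effects or "Allow" in bucket_effects
    return "Allow" in role_effects and "Allow" in bucket_effects
```

Run it against your own exported role policy and bucket policy (for example from get-role-policy and get-bucket-policy) before deploying, and compare the result with the IAM policy simulator for the authoritative answer.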
