How do I allow my Lambda execution role to access my Amazon S3 bucket?

Last updated: 2021-07-20

I want my AWS Lambda function to be able to access my Amazon Simple Storage Service (Amazon S3) bucket. How can I do that?

Short description

To give your Lambda function access to an Amazon S3 bucket in the same AWS account, do the following:

1.    Create an AWS Identity and Access Management (IAM) role for the Lambda function that also grants access to the S3 bucket.

2.    Configure the IAM role as the Lambda function's execution role.

3.    Verify that the S3 bucket policy doesn't explicitly deny access to your Lambda function or its execution role.

Important: If your S3 bucket and the function's IAM role are in different accounts, then you must also grant the required permissions on the S3 bucket policy. For more information, see How can I provide cross-account access to objects that are in Amazon S3 buckets?

Resolution

Create an IAM role for the Lambda function that also grants access to the S3 bucket

1.    Follow the steps in Creating an execution role in the IAM console.

2.    From the list of IAM roles, choose the role that you just created.

3.    In the Permissions tab, choose Add inline policy.

4.    Choose the JSON tab.

5.    Enter a resource-based IAM policy that grants access to your S3 bucket. For more information, see Using resource-based policies for AWS Lambda.

IAM policy example that grants access to a specific S3 bucket

Important: Replace "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET/*" with your S3 bucket's Amazon Resource Name (ARN).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStmt",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET/*"
      ]
    }
  ]
}

6.    Choose Review policy.

7.    For Name, enter a name for your policy.

8.    Choose Create policy.

Configure the IAM role as the Lambda function's execution role

1.    Open the Lambda console.

2.    Choose your Lambda function.

3.    Under Execution role, for Existing role, select the IAM role that you created.

4.    Choose Save.

Verify that the S3 bucket policy doesn't explicitly deny access to your Lambda function or its execution role

To review or edit your S3 bucket policy, follow the instructions in Adding a bucket policy using the Amazon S3 console.

Important: If your S3 bucket and the function's IAM role are in different accounts, you must also explicitly grant the required permissions on the S3 bucket policy. For more information, see How can I provide cross-account access to objects that are in Amazon S3-buckets?

Example IAM S3 bucket policy that grants a Lambda execution role cross-account access to an S3 bucket

Important: Replace "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET/*" with your S3 bucket's ARN. Replace "arn:aws:iam::123456789012:role/ExampleLambdaRoleFor123456789012" with your Lambda execution role's ARN.

{
  "Id": "ExamplePolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStmt",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET/*"
      ],
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:role/ExampleLambdaRoleFor123456789012"
        ]
      }
    }
  ]
}

Did this article help?


Do you need billing or technical support?