I am trying to deploy my Django project on AWS Lambda using Zappa. Here is my zappa_settings.json:
    {
      "dev": {
        "aws_region": "us-west-2",
        "django_settings": "<project_name>.settings",
        "profile_name": "zappa",
        "project_name": "<project_name>",
        "runtime": "python3.6",
        "s3_bucket": "<s3_bucket_name>",
        "timeout_seconds": 900,
        "manage_roles": false,
        "role_name": "ZappaDjangoRole",
        "role_arn": "arn:aws:iam::<account_id>:role/ZappaDjangoRole",
        "slim_handler": true
      }
    }

(timeout_seconds defaults to 30 seconds; the inline comment that was here is not valid JSON and has been dropped.)
I get the error:

    botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the CreateBucket operation: Access Denied
Any idea what is causing it and how to fix this? My understanding is that Zappa zips the entire project and wants to upload it to AWS S3 bucket, but it is missing a permission when calling the CreateBucket operation. I do not understand where this permission should go.
Inside IAM, I have created ZappaGroup, which has permissions via ZappaUserGeneralPolicy and ZappaUserS3Policy.

My ZappaUserGeneralPolicy:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "lambda:CreateFunction",
            "s3:ListAccessPointsForObjectLambda",
            "s3:GetAccessPoint",
            "lambda:ListVersionsByFunction",
            "logs:DescribeLogStreams",
            "route53:GetHostedZone",
            "events:PutRule",
            "s3:PutStorageLensConfiguration",
            "cloudformation:DescribeStackResource",
            "lambda:GetFunctionConfiguration",
            "iam:PutRolePolicy",
            "apigateway:DELETE",
            "events:ListRuleNamesByTarget",
            "apigateway:PATCH",
            "cloudformation:UpdateStack",
            "events:ListRules",
            "lambda:DeleteFunction",
            "events:RemoveTargets",
            "logs:FilterLogEvents",
            "apigateway:GET",
            "events:ListTargetsByRule",
            "cloudformation:ListStackResources",
            "iam:GetRole",
            "events:DescribeRule",
            "s3:PutAccountPublicAccessBlock",
            "s3:ListAccessPoints",
            "apigateway:PUT",
            "lambda:GetFunction",
            "s3:ListJobs",
            "route53:ListHostedZones",
            "route53:ChangeResourceRecordSets",
            "cloudformation:DescribeStacks",
            "s3:ListStorageLensConfigurations",
            "lambda:UpdateFunctionCode",
            "events:DeleteRule",
            "events:PutTargets",
            "s3:GetAccountPublicAccessBlock",
            "lambda:AddPermission",
            "s3:ListAllMyBuckets",
            "cloudformation:CreateStack",
            "cloudformation:DeleteStack",
            "lambda:*",
            "s3:CreateJob",
            "apigateway:POST"
          ],
          "Resource": "*"
        },
        {
          "Sid": "VisualEditor1",
          "Effect": "Allow",
          "Action": [
            "iam:PassRole",
            "s3:*"
          ],
          "Resource": [
            "arn:aws:s3:::<s3_bucket from zappa_settings.json>",
            "arn:aws:iam::<account_id>:role/ZappaDjangoRole"
          ]
        }
      ]
    }
Also, my ZappaUserS3Policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::<s3_bucket from zappa_settings.json>"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:DeleteObject",
            "s3:GetObject",
            "s3:PutObject",
            "s3:AbortMultipartUpload",
            "s3:ListMultipartUploadParts",
            "s3:ListBucketMultipartUploads"
          ],
          "Resource": [
            "arn:aws:s3:::<s3_bucket from zappa_settings.json>/*"
          ]
        }
      ]
    }
And my ZappaDjangoRole's trust relationships:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "events.amazonaws.com",
              "apigateway.amazonaws.com",
              "lambda.amazonaws.com"
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
And finally, here is my ZappaRolePolicy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "logs:*"
          ],
          "Resource": "arn:aws:logs:*:*:*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "lambda:GetFunctionConfiguration",
            "lambda:UpdateFunctionConfiguration",
            "lambda:InvokeFunction"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "xray:PutTraceSegments",
            "xray:PutTelemetryRecords"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "ec2:AttachNetworkInterface",
            "ec2:CreateNetworkInterface",
            "ec2:DeleteNetworkInterface",
            "ec2:DescribeInstances",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeNetworkInterfaces",
            "ec2:DetachNetworkInterface",
            "ec2:ModifyNetworkInterfaceAttribute",
            "ec2:ResetNetworkInterfaceAttribute"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:*"
          ],
          "Resource": "arn:aws:s3:::*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "kinesis:*"
          ],
          "Resource": "arn:aws:kinesis:*:*:*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "sns:*"
          ],
          "Resource": "arn:aws:sns:*:*:*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "sqs:*"
          ],
          "Resource": "arn:aws:sqs:*:*:*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "dynamodb:*"
          ],
          "Resource": "arn:aws:dynamodb:*:*:*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "route53:*"
          ],
          "Resource": "*"
        }
      ]
    }
I got around this by adding the following permissions to the group my user belongs to:

- IAMFullAccess
- AmazonS3FullAccess
- AdministratorAccess

My user also has the AdministratorAccess permission. Looking around, I noticed all dev-ops people are complaining about similar issues and recommending giving full admin access to the user.
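Before widening a deploy user to AdministratorAccess, it is worth checking which of the upload step's calls the posted policies already cover. The following is an added example, not code from the question, the answer or Zappa: a small offline evaluator of identity-based IAM policies (explicit Deny wins, otherwise any matching Allow, otherwise implicit deny) run over a trimmed copy of the user policies above. The bucket name, account id and object key are constructed placeholders, and the list of calls is assumed from the flow the question describes (upload the zip, create the bucket if it is missing), not taken from Zappa's source.

```python
import fnmatch

BUCKET = "my-zappa-bucket"   # constructed stand-in for <s3_bucket_name>
ROLE = "arn:aws:iam::123456789012:role/ZappaDjangoRole"  # constructed <account_id>
# Trimmed copy of the S3/IAM statements from the question's user policies.
USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "lambda:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "s3:*"],
     "Resource": [f"arn:aws:s3:::{BUCKET}", ROLE]},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": [f"arn:aws:s3:::{BUCKET}/*"]},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, fold=False):
    # IAM wildcards: '*' matches any run, '?' one character; action names are case-insensitive
    pattern, value = (pattern.lower(), value.lower()) if fold else (pattern, value)
    return fnmatch.fnmatchcase(value, pattern)

def is_allowed(policies, action, resource):
    """Explicit Deny wins, else any matching Allow, else implicit deny.
    NotAction/NotResource and Condition blocks are not modelled."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if "Action" not in stmt or "Resource" not in stmt:
                continue
            if not any(_matches(a, action, True) for a in _as_list(stmt["Action"])):
                continue
            if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def zappa_preflight(policies, bucket, role_arn):
    """Calls from the upload step (assumed from the question's description, not Zappa's
    code) that the policies do NOT cover; the object key is a constructed placeholder."""
    needed = [
        ("s3:ListBucket", f"arn:aws:s3:::{bucket}"),
        ("s3:CreateBucket", f"arn:aws:s3:::{bucket}"),
        ("s3:PutObject", f"arn:aws:s3:::{bucket}/package.zip"),
        ("s3:DeleteObject", f"arn:aws:s3:::{bucket}/package.zip"),
        ("iam:PassRole", role_arn),
    ]
    return [action for action, arn in needed if not is_allowed(policies, action, arn)]
```

Run against a bucket name that differs from the one in the policy (for instance after a typo in zappa_settings.json), the preflight lists every S3 call as uncovered, which is the situation that ends in an AccessDenied on CreateBucket rather than anything a blanket admin grant should be used to paper over.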