I have a lambda managed by Serverless. I described iamRoleStatements for full access to my S3 bucket from this lambda and it works normally for getting objects. But when I try to rename an object from the bucket (which is actually copying + deleting), I'm getting an access error. Are there some additional policies I need to describe?
provider:
  name: aws
  deploymentMethod: direct
  runtime: nodejs18.x
  stage: ${opt:stage, 'dev'}
  region: us-east-1
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - dynamodb:Query
        - dynamodb:Scan
        - dynamodb:GetItem
        - dynamodb:PutItem
        - dynamodb:UpdateItem
        - dynamodb:DeleteItem
      Resource: [...arn]
    - Effect: "Allow"
      Action:
        - s3:*
        - s3-object-lambda:*
      Resource: arn:aws:s3:::[some_bucket_name]-dev
Here is my code for renaming (but it doesn't seem to be the problem here)
rename = async (requestParams: { oldKey: string, newKey: string }) => {
  // S3 has no rename: copy the object to the new key, then delete the old one.
  await this._awsS3.copyObject(
    {
      Bucket: this._bucketName,
      CopySource: `${this._bucketName}/${requestParams.oldKey}`,
      Key: requestParams.newKey
    }
  ).promise();
  await this._awsS3.deleteObject(
    {
      Bucket: this._bucketName,
      Key: requestParams.oldKey
    }
  ).promise();
};
I researched docs about policies, but everywhere s3:* is described as full access to bucket functions. I don't know why it isn't covering deleting.
I also double-checked that the bucket name is correct.
You've granted access to the bucket but not the objects in the bucket.
That's why you can't do any actions like renames or deletes, on any objects.
The below should work. I've also removed granting access to s3-object-lambda:* as it only works on a resource ARN starting with arn:aws:s3-object-lambda and not a regular bucket, so it's not doing anything right now.
provider:
  name: aws
  deploymentMethod: direct
  runtime: nodejs18.x
  stage: ${opt:stage, 'dev'}
  region: us-east-1
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - dynamodb:Query
        - dynamodb:Scan
        - dynamodb:GetItem
        - dynamodb:PutItem
        - dynamodb:UpdateItem
        - dynamodb:DeleteItem
      Resource: [...arn]
    - Effect: "Allow"
      Action:
        - s3:*
      Resource:
        - arn:aws:s3:::[some_bucket_name]-dev
        - arn:aws:s3:::[some_bucket_name]-dev/*
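To see why the bucket-only statement passes bucket-level calls but fails every step of the rename, here is a small added example (not from the question or answer) that runs a simplified IAM resource/action matcher over both versions of the statement. The bucket name, object keys and the s3-object-lambda access point ARN are constructed placeholders; the evaluator ignores conditions and principals, which the page's statements do not use.

```python
import fnmatch

# Constructed sample bucket ARN standing in for arn:aws:s3:::[some_bucket_name]-dev
BUCKET = "arn:aws:s3:::some-bucket-name-dev"

# Statement from the question: bucket ARN only.
BUCKET_ONLY = [
    {"Effect": "Allow", "Action": ["s3:*", "s3-object-lambda:*"], "Resource": [BUCKET]},
]
# Statement from the answer: bucket ARN plus an object-level ARN.
BUCKET_AND_OBJECTS = [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": [BUCKET, BUCKET + "/*"]},
]

def _match(pattern, value):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one.
    # fnmatch uses the same two; escape '[' so it stays literal.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))

def is_allowed(statements, action, resource):
    """Simplified IAM evaluation: explicit Deny wins, otherwise any matching Allow grants."""
    allowed = False
    for st in statements:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if not any(_match(a, action) for a in actions):
            continue
        if not any(_match(r, resource) for r in resources):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

# The three authorisations a copy-then-delete rename needs, each against an object ARN.
RENAME_CALLS = [
    ("s3:GetObject", BUCKET + "/old.txt"),     # copyObject reads the source
    ("s3:PutObject", BUCKET + "/new.txt"),     # copyObject writes the destination
    ("s3:DeleteObject", BUCKET + "/old.txt"),  # deleteObject removes the source
]

def rename_allowed(statements):
    """True only if every step of the rename is permitted."""
    return all(is_allowed(statements, a, r) for a, r in RENAME_CALLS)

def check(statements):
    """Per-action decisions for a bucket-level call (ListBucket) plus the rename steps."""
    calls = [("s3:ListBucket", BUCKET)] + RENAME_CALLS
    return {a: is_allowed(statements, a, r) for a, r in calls}

if __name__ == "__main__":
    print("bucket only:        ", check(BUCKET_ONLY))
    print("bucket + objects:   ", check(BUCKET_AND_OBJECTS))
```

The same matcher also shows the answer's second point: the `s3-object-lambda:*` action in the original statement can never match, because its resource ARNs start with `arn:aws:s3-object-lambda`, not the bucket ARN.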