I have a private S3 bucket with all public access blocked and the below policy attached to allow it to be accessed by a Lambda function:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3BucketAllowLambda",
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": [
        "s3:List*",
        "s3:Get*"
      ],
      "Resource": [
        "arn:aws:s3:::<my-private-bucket>/*",
        "arn:aws:s3:::<my-private-bucket>"
      ]
    }
  ]
}
The private S3 bucket has the Lambda code in ZIP format.
I am trying to create the Lambda function using the ZIP uploaded to the S3 bucket.
Below is the policy I attach to the Lambda function:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LambdaS3AccessPolicy",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:List*"
      ],
      "Resource": [
        "arn:aws:s3:::<my-private-bucket>/*",
        "arn:aws:s3:::<my-private-bucket>"
      ]
    }
  ]
}
I am getting the error below while trying to create my Lambda function using the ZIP in the S3 bucket:
operation error Lambda: CreateFunction, https response error StatusCode: 400, RequestID: <snipped>, InvalidParameterValueException: Error occurred while GetObject. S3 Error Code: NoSuchBucket. S3 Error Message: The specified bucket does not exist with aws_lambda_function.this[0], on main.tf <snipped>, in resource "aws_lambda_function" "this": <snipped>: resource "aws_lambda_function" "this" {
Note: I'm using the AWS Lambda Terraform module [1] for creating the Lambda Function.
Any suggestions on where I'm going wrong would be appreciated.
Thanks & Regards, Sana
[1] https://github.com/terraform-aws-modules/terraform-aws-lambda
The error you're encountering suggests that the Lambda creation process cannot locate the S3 bucket specified in your configuration, and that doesn't have any relation with the role, as the Lambda will consume the role after creation, not beforehand. The role itself isn't directly involved in the deployment process of a Lambda function if the function's code is being pulled directly from S3 during creation.
Confirm that the bucket ACL allows reads from the owner AWS account.
The terraform-aws-lambda module doesn't directly fetch the code from S3. Instead, it passes the s3_bucket and s3_key inputs to the aws_lambda_function resource under the hood, which triggers AWS Lambda to fetch the ZIP from the bucket during creation. Again, this does not require any role and works perfectly with private buckets as well.
The best workaround to figure out the issue is to manually try to create the Lambda with the same path you wrote in Terraform; this will help you understand the issue better.
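A preflight script, added here as an example and not part of the question, the answer, or the terraform-aws-lambda module, that does what the answer recommends: it reproduces the CreateFunction call with the same bucket and key outside Terraform, after first checking that the bucket name is syntactically valid (a literal `<my-private-bucket>` placeholder left behind by an unexpanded variable is a likely way to end up with a NoSuchBucket response) and that the bucket and object are reachable with the caller's credentials. The bucket, key, region, function name, runtime, handler and role ARN are constructed placeholders.

```shell
#!/bin/sh
# Added preflight example (not from the question, the answer, or the module).
# All values below are constructed placeholders; override them via the environment.
BUCKET="${BUCKET:-my-private-bucket}"
KEY="${KEY:-lambda/app.zip}"
REGION="${AWS_REGION:-eu-west-1}"
FUNCTION_NAME="${FUNCTION_NAME:-preflight-test}"
ROLE_ARN="${ROLE_ARN:-arn:aws:iam::123456789012:role/placeholder-lambda-role}"

# Returns 0 when NAME satisfies the core S3 bucket naming rules:
# 3-63 chars, lowercase letters/digits/dots/hyphens, starts and ends with a
# letter or digit, no consecutive dots. Placeholders such as
# "<my-private-bucket>" fail here before any API call is made.
valid_bucket_name() {
  name="$1"
  len=${#name}
  [ "$len" -ge 3 ] && [ "$len" -le 63 ] || return 1
  case "$name" in
    *[!a-z0-9.-]*) return 1 ;;          # forbidden character present
    [!a-z0-9]*|*[!a-z0-9]) return 1 ;;  # bad first or last character
    *..*) return 1 ;;                   # consecutive dots
  esac
  return 0
}

# The bucket and object are read with the credentials of whoever runs this
# (the same identity that runs terraform), not with the function's role.
check_bucket() {
  aws s3api head-bucket --bucket "$1" --region "$REGION" >/dev/null
}

check_object() {
  aws s3api head-object --bucket "$1" --key "$2" --region "$REGION" >/dev/null
}

# The same API call the aws_lambda_function resource makes under the hood.
create_from_s3() {
  aws lambda create-function --region "$REGION" \
    --function-name "$FUNCTION_NAME" \
    --runtime python3.12 --handler app.handler \
    --role "$ROLE_ARN" \
    --code "S3Bucket=$1,S3Key=$2"
}

preflight() {
  valid_bucket_name "$1" || { echo "invalid bucket name: $1" >&2; return 1; }
  check_bucket "$1" || { echo "bucket missing or not accessible: $1" >&2; return 1; }
  check_object "$1" "$2" || { echo "object missing: s3://$1/$2" >&2; return 1; }
  create_from_s3 "$1" "$2"
}

# Only talk to AWS when explicitly asked, so the file can be sourced for the checks alone.
if [ "${1:-}" = "--run" ]; then
  preflight "$BUCKET" "$KEY"
fi
```

Run it as `BUCKET=<your-bucket> KEY=<your-key> sh preflight.sh --run`; whichever step fails tells you whether the problem is the name itself, the caller's access to the bucket, or the key. Because CreateFunction reads the package with the caller's credentials, the bucket policy in the question that grants the lambda.amazonaws.com service principal is not what permits this read; if that statement is kept for another purpose, scoping it with an aws:SourceAccount condition keeps functions in other accounts from reading the bucket through the service principal.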