I have a Lambda function in a VPC in account A. The Lambda is trying to delete an S3 object in account B. I created a VPC gateway endpoint in the VPC of account A.
I created a role in account A and added the policy below to it:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "s3:DeleteObject",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::bucket-name-a/*"
        }
    ]
}
I also added the policy below to the VPC endpoint:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::1111111:role/lambdaRoleA"
            },
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::bucket-name-a/*"
        }
    ]
}
I added the following policy to the S3 bucket:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowLambdaToDeleteS3Object",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::1111111:role/lambdaRoleA"
            },
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::bucket-name/*"
        }
    ]
}
The Lambda completes without an error, but when I check the bucket the object is still there.
However, when I change the policy on the VPC endpoint to Full Access, the S3 object gets deleted.
I triple checked the spelling on everything, but can't seem to figure it out.
It appears that for gateway endpoints, the Principal element must be set to "*". To specify the principal, you need to use the aws:PrincipalArn condition key like this:
"Condition": {
    "StringEquals": {
        "aws:PrincipalArn": "arn:aws:iam::1111111:role/lambdaRoleA"
    }
}
Just needed to add this inside the Statement, at the same level as Resource.
Found the answer in the AWS documentation: https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html
Tested it by adding a different role initially (lambdaRoleB) and the S3 object was not deleted. Later changed it to lambdaRoleA and the object was successfully deleted.
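The rewrite the answer describes, as an added example that is not part of the question or the answer: a small Python helper that takes an endpoint policy written the way the question wrote it (a role ARN in the Principal element), flags the statements a gateway endpoint will not honour, and produces the form the answer arrived at (Principal "*" plus an aws:PrincipalArn StringEquals condition). The account id, role name and bucket name are the question's placeholders reused as sample input; the function names and the refusal of account-wide principals are this example's own choices, not anything from the AWS documentation linked above.

```python
import copy
import json

# Endpoint policy as posted in the question (placeholders reused as sample input).
POSTED_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::1111111:role/lambdaRoleA"},
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::bucket-name-a/*",
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True for both spellings of 'any principal': "*" and {"AWS": "*"}."""
    return principal == "*" or principal == {"AWS": "*"}


def find_non_wildcard_principals(policy):
    """Lint: positions of statements whose Principal names specific principals.

    Gateway endpoints require Principal "*", so each of these statements needs
    its principals moved into an aws:PrincipalArn condition instead.
    """
    return [
        i
        for i, stmt in enumerate(policy.get("Statement", []))
        if not _is_wildcard_principal(stmt.get("Principal", "*"))
    ]


def to_gateway_endpoint_form(policy):
    """Return a copy of `policy` in the form gateway endpoints accept.

    Every statement naming principals by ARN gets Principal "*" and the ARNs
    moved into Condition.StringEquals.aws:PrincipalArn (merged with any ARNs
    already listed there). Statements already on "*" are left alone, so
    applying the function twice yields the same result.
    """
    rewritten = copy.deepcopy(policy)
    for stmt in rewritten.get("Statement", []):
        principal = stmt.get("Principal", "*")
        if _is_wildcard_principal(principal):
            continue
        if not (isinstance(principal, dict) and "AWS" in principal):
            raise ValueError(f"unsupported Principal element: {principal!r}")
        arns = _as_list(principal["AWS"])
        for arn in arns:
            # A bare account id or the account's :root ARN means "anyone in that
            # account"; aws:PrincipalArn would only match the root user, so the
            # caller must switch to aws:PrincipalAccount (assumption of this
            # example: refuse rather than emit a condition that matches nothing).
            if not arn.startswith("arn:") or arn.endswith(":root"):
                raise ValueError(
                    f"{arn!r} is account-wide; use aws:PrincipalAccount instead"
                )
        stmt["Principal"] = "*"
        string_equals = stmt.setdefault("Condition", {}).setdefault("StringEquals", {})
        existing = _as_list(string_equals.get("aws:PrincipalArn", []))
        merged = existing + [a for a in arns if a not in existing]
        string_equals["aws:PrincipalArn"] = merged[0] if len(merged) == 1 else merged
    return rewritten


if __name__ == "__main__":
    print("statements to rewrite:", find_non_wildcard_principals(POSTED_ENDPOINT_POLICY))
    print(json.dumps(to_gateway_endpoint_form(POSTED_ENDPOINT_POLICY), indent=4))
```

Running the block prints the corrected endpoint policy for the posted input. The role ARN is the right value for the condition because, for a request made with an assumed-role session such as the Lambda's, aws:PrincipalArn carries the IAM role's ARN rather than the arn:aws:sts::...:assumed-role/... session ARN. Running find_non_wildcard_principals before attaching a gateway endpoint policy catches the Principal form the question started with.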