Getting the error "Status code: 403, reason phrase: Forbidden for requestId ..." in the Alexa Developer Console log, as well as Alexa saying "I am having trouble connecting to the audio file URI".
I gave my Lambda function's role all the ReadOnly policies for S3 and DynamoDB. In S3, object ownership is set to "ACLs disabled". All 5 Block Public Access checkboxes are unchecked. I also deleted and re-added the bucket policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "alexa-appkit.amazon.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::tempBucketName/*"
        }
    ]
}
I also tried putting "Action": "s3:*", but it still didn't work.
Trying to visit the object's S3 path directly gives me the error below:
<Error>
    <Code>AccessDenied</Code>
    <Message>Access Denied</Message>
    <RequestId>RandomID</RequestId>
    <HostId>RandomHostId</HostId>
</Error>
Honestly, I spent the majority of the day trying things; any advice would be good at this point.
If Alexa is successfully invoking your AWS Lambda function, but the Lambda function is having problems accessing content from Amazon S3, then you should:
Add a policy to the IAM Role that is assigned to the Lambda function
The policy should grant the Lambda function permission to access the S3 bucket:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::tempBucketName/*"
        }
    ]
}
You will not require:
A Bucket Policy on the bucket (since it is sufficient to add the permissions to the IAM Role used by the Lambda function)
Changes to 'Block Public Access' (since you don't need to make the bucket public or attach any policies to the bucket)
Changes to ACLs
You mention "I gave my lambda function's role all policies to ReadOnly S3", which should be sufficient for access. You should test this by manually invoking the Lambda function and coding the Lambda function to attempt to get an object from S3.
It is possible that the object being requested does not exist but is still giving an Access Denied error -- this happens if the entity does not have permission to list the contents of the bucket and is done to improve security (so bad actors can't discover whether particular objects exist). Check your code and verify that the object exists. You might want to add logging to the Lambda function to show the exact parameters it is using when attempting to access the object, then check the log files and confirm that this information is correct.
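As an added example (not code from the question or the answer), here is the test the answer recommends written out: a Lambda handler that logs the exact bucket and key it asks for, probes the object, and classifies the S3 response so that a missing object is not mistaken for a permissions problem (and a 403 is not assumed to prove the object exists). The bucket name tempBucketName is the one from the question; the object key, the environment-variable names and the FakeS3 stand-in are assumptions so the logic can be run offline. It also includes a presigned-URL helper on the assumption that the Alexa service itself, not the Lambda, fetches the audio URL; that assumption goes beyond what the answer states.

```python
"""Added diagnostic for an Alexa skill's Lambda: log exactly which S3 object it
asks for and tell a missing object apart from a denied one.  The bucket name is
the one from the question; the key and the FakeS3 data are constructed."""
import logging
import os

logger = logging.getLogger("s3-probe")
logging.basicConfig(level=logging.INFO)

BUCKET = os.environ.get("AUDIO_BUCKET", "tempBucketName")   # from the question
KEY = os.environ.get("AUDIO_KEY", "audio/welcome.mp3")      # assumed key


def _error_details(exc):
    """Pull the error code and HTTP status out of a botocore-style ClientError."""
    response = getattr(exc, "response", None) or {}
    code = response.get("Error", {}).get("Code", "")
    status = response.get("ResponseMetadata", {}).get("HTTPStatusCode")
    return code, status


def probe_object(s3, bucket, key):
    """Return 'ok', 'missing', 'forbidden' or 'error:<code>' for s3://bucket/key.

    `s3` is a boto3 S3 client, or anything with the same head_object() signature
    that raises an exception carrying botocore's `.response` dict on failure.
    """
    logger.info("HEAD s3://%s/%s", bucket, key)   # the exact parameters the answer says to log
    try:
        meta = s3.head_object(Bucket=bucket, Key=key)
    except Exception as exc:                      # botocore.exceptions.ClientError in real use
        code, status = _error_details(exc)
        logger.warning("s3://%s/%s -> code=%s status=%s", bucket, key, code, status)
        # head_object carries the HTTP status string ("404", "403") as the error code.
        if code in ("404", "NoSuchKey", "NotFound") or status == 404:
            return "missing"
        if code in ("403", "AccessDenied", "Forbidden") or status == 403:
            # Without s3:ListBucket a missing key is also reported as 403, so
            # 'forbidden' does not prove the object exists.
            return "forbidden"
        return f"error:{code or 'unknown'}"
    logger.info("s3://%s/%s exists: %s bytes, %s", bucket, key,
                meta.get("ContentLength"), meta.get("ContentType"))
    return "ok"


def presigned_audio_url(s3, bucket, key, expires=3600):
    """Time-limited HTTPS URL for the object, signed with the Lambda role's credentials.
    Assumption beyond the answer: if the Alexa service (not the Lambda) fetches the
    audio, the role's permissions alone do not apply, and a presigned URL lets the
    bucket stay private."""
    return s3.generate_presigned_url(
        "get_object", Params={"Bucket": bucket, "Key": key}, ExpiresIn=expires)


def lambda_handler(event, context):
    """Handler for a manual test invocation against real AWS (boto3 is imported
    lazily so probe_object() can be exercised offline)."""
    import boto3
    s3 = boto3.client("s3")
    result = probe_object(s3, BUCKET, KEY)
    url = presigned_audio_url(s3, BUCKET, KEY) if result == "ok" else None
    return {"bucket": BUCKET, "key": KEY, "result": result, "url": url}


class FakeS3Error(Exception):
    """Constructed stand-in for botocore.exceptions.ClientError."""
    def __init__(self, code, status):
        super().__init__(f"{code} ({status})")
        self.response = {"Error": {"Code": code, "Message": code},
                         "ResponseMetadata": {"HTTPStatusCode": status}}


class FakeS3:
    """Constructed offline stand-in for a boto3 S3 client, enough for the functions above."""
    def __init__(self, objects, can_get=True, can_list=True):
        self.objects, self.can_get, self.can_list = objects, can_get, can_list

    def head_object(self, Bucket, Key):
        if not self.can_get:
            raise FakeS3Error("403", 403)
        if Key not in self.objects:
            # S3 only reveals a 404 when the caller may list the bucket; otherwise 403.
            raise FakeS3Error("404", 404) if self.can_list else FakeS3Error("403", 403)
        return {"ContentLength": self.objects[Key], "ContentType": "audio/mpeg"}

    def generate_presigned_url(self, ClientMethod, Params, ExpiresIn):
        return (f"https://{Params['Bucket']}.s3.amazonaws.com/{Params['Key']}"
                f"?X-Amz-Expires={ExpiresIn}&X-Amz-Signature=constructed")


if __name__ == "__main__":
    s3 = FakeS3({KEY: 2048}, can_list=False)              # constructed: role has s3:GetObject only
    print(probe_object(s3, BUCKET, KEY))                   # ok
    print(probe_object(s3, BUCKET, "audio/missing.mp3"))   # forbidden, not missing
    print(presigned_audio_url(s3, BUCKET, KEY))
```

Invoke `lambda_handler` manually from the Lambda console with the real client and compare the logged bucket and key against what is actually in the bucket; a 'forbidden' result with s3:GetObject granted but no s3:ListBucket usually means the key is wrong rather than the policy.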