PermissionError Forbidden reading from s3 bucket from lambda function.

Question

The problem you're encountering is related to permissions when running a Lambda function that uses a Docker image hosted on AWS Elastic Container Registry (ECR). You've made changes to the IAM policy, but you're still facing a PermissionError Forbidden issue.

Here are the key points from your provided information:

  1. When you deploy the Docker image to ECR and run your Lambda function, it returns a PermissionError Forbidden.
  2. You've modified the IAM policy, but it hasn't resolved the issue.
  3. You're unsure if the policy changes have taken effect, but it's been 15-20 minutes.

Given this information, it's possible that the policy changes might take a bit more time to propagate. However, if the issue persists, you may need to review your Lambda function and Docker image configuration, ensuring that the necessary permissions are correctly set for accessing the resources, such as the S3 bucket, within your Lambda function code.

Please double-check your resource ARNs in the policy and verify that they match the actual AWS resources you are trying to access.

Original question (English):

So the problem I'm encountering is that I built a Docker image that will run an ETL pipeline. When I run the image locally it works fine, but when I deploy my image to ECR on AWS and I run my Lambda function that uses this image, it returns a PermissionError Forbidden. Here is the full stack trace.

{
  "errorMessage": "Forbidden",
  "errorType": "PermissionError",
  "requestId": "ed12c997-d1f7-4cba-8eaf-66b88643271c",
  "stackTrace": [
    "  File \"/var/task/app.py\", line 10, in handler\n    main(now)\n",
    "  File \"/var/task/scraper_backend/jobs/__init__.py\", line 15, in main\n    df = transform.update_file(\n",
    "  File \"/var/task/scraper_backend/jobs/transform.py\", line 24, in update_file\n    df = read_file(path)\n",
    "  File \"/var/task/scraper_backend/jobs/transform.py\", line 15, in read_file\n    dataset = pq.ParquetDataset(f\"s3://{bucket}/{key}\", filesystem=fs)\n",
    "  File \"/var/lang/lib/python3.9/site-packages/pyarrow/parquet/core.py\", line 1763, in __new__\n    return _ParquetDatasetV2(\n",
    "  File \"/var/lang/lib/python3.9/site-packages/pyarrow/parquet/core.py\", line 2452, in __init__\n    finfo = filesystem.get_file_info(path_or_paths)\n",
    "  File \"pyarrow/_fs.pyx\", line 571, in pyarrow._fs.FileSystem.get_file_info\n",
    "  File \"pyarrow/error.pxi\", line 144, in pyarrow.lib.pyarrow_internal_check_status\n",
    "  File \"pyarrow/_fs.pyx\", line 1490, in pyarrow._fs._cb_get_file_info\n",
    "  File \"/var/lang/lib/python3.9/site-packages/pyarrow/fs.py\", line 330, in get_file_info\n    info = self.fs.info(path)\n",
    "  File \"/var/lang/lib/python3.9/site-packages/fsspec/asyn.py\", line 115, in wrapper\n    return sync(self.loop, func, *args, **kwargs)\n",
    "  File \"/var/lang/lib/python3.9/site-packages/fsspec/asyn.py\", line 100, in sync\n    raise return_result\n",
    "  File \"/var/lang/lib/python3.9/site-packages/fsspec/asyn.py\", line 55, in _runner\n    result[0] = await coro\n",
    "  File \"/var/lang/lib/python3.9/site-packages/s3fs/core.py\", line 1248, in _info\n    out = await self._call_s3(\n",
    "  File \"/var/lang/lib/python3.9/site-packages/s3fs/core.py\", line 348, in _call_s3\n    return await _error_wrapper(\n",
    "  File \"/var/lang/lib/python3.9/site-packages/s3fs/core.py\", line 140, in _error_wrapper\n    raise err\n"
  ]
}

So I firstly went to IAM console to change my permissions and the policy looks like this.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my_bucket",
                "arn:aws:s3:::my_bucket/*"
            ]
        }
    ]
}

I also just tried this policy, but this also didn't seem to fix my permission forbidden error.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListObjectsInBucket",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::my_bucket"]
        },
        {
            "Sid": "AllObjectActions",
            "Effect": "Allow",
            "Action": "s3:*Object",
            "Resource": ["arn:aws:s3:::my_bucket/*"]
        }
    ]
}

I'm not sure how long it takes for a policy to be in effect, so maybe that is the problem, but it has been like 15-20 minutes, so I doubt that that will be the problem. So if anyone has any idea what the problem could be, any help is greatly appreciated.

Answer 1

Score: 2

For anyone encountering this permission forbidden error: this is likely because your Lambda function has no rights to access your S3 bucket. What do you need to do? See my other question and answer in this post: https://stackoverflow.com/questions/76041868/is-it-possible-to-give-parameters-to-ecr-image-on-aws .

EDIT:

As mentioned in the comments, this is what you need to do, as referred to in the link above. You just need to attach the policy that grants access to your S3 bucket to the execution role of your Lambda function.
Your IAM policy could look like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListObjectsInBucket",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::YOUR_BUCKET"
            ]
        },
        {
            "Sid": "AllObjectActions",
            "Effect": "Allow",
            "Action": "s3:*Object",
            "Resource": [
                "arn:aws:s3:::YOUR_BUCKET/*"
            ]
        }
    ]
}

This depends on the rights you want to give to your S3 bucket (this one gives all rights to all files in my bucket). Now, if your Lambda function needs access to your S3 bucket, you need to add this policy to the execution role of your Lambda function. You do this by going to your Lambda function and finding its execution role. Then, in the IAM console, go to the policy that you created (the policy above) and attach it to your execution role. I hope everyone who encounters this error can fix it like this.
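The answer's mechanism, shown as an added example that is not code from the original post, from boto3 or from s3fs: a small Python model of how IAM evaluates the policy above when it is (or is not) attached to the Lambda execution role. With nothing attached, every S3 call ends in an implicit deny, which S3 surfaces as 403 Forbidden, the PermissionError in the stack trace. It also shows why the policy needs two statements with different resource shapes: object actions match the object ARN (`bucket/*`), while `s3:ListBucket` matches the bare bucket ARN. The bucket name and object key are constructed, the evaluator ignores Condition, NotAction, bucket policies and SCPs, and the pairing of a Parquet open with a HEAD-on-object plus prefix-listing is an assumption about s3fs internals, not something the post states.

```python
"""Toy model of IAM identity-policy evaluation for the S3 calls behind the post's
ParquetDataset read.  Added example, not code from the original post or from
boto3/s3fs; bucket and object names below are constructed."""
import re
from typing import Dict, List, Union

# Constructed sample values (assumptions, not from the post).
BUCKET = "etl-scraper-data-example"
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
OBJECT_ARN = f"{BUCKET_ARN}/raw/2023-04-17/part-0.parquet"

# The answer's policy with YOUR_BUCKET filled in with the constructed name.
BUCKET_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListObjectsInBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket"], "Resource": [BUCKET_ARN]},
        {"Sid": "AllObjectActions", "Effect": "Allow",
         "Action": "s3:*Object", "Resource": [f"{BUCKET_ARN}/*"]},
    ],
}


def _as_list(value: Union[str, List[str]]) -> List[str]:
    """IAM lets Action/Resource be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _iam_match(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM glob semantics: '*' matches any run of characters, '?' exactly one.
    Action names are case-insensitive; resource ARNs are case-sensitive."""
    parts = (".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    regex = "^" + "".join(parts) + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def evaluate(policies: List[dict], action: str, resource: str) -> str:
    """Decide one request against the identity policies attached to a role.
    Simplified: no Condition/NotAction, no bucket policies or SCPs.  An explicit
    Deny wins; no matching Allow is an implicit deny, which S3 reports as
    403 Forbidden (the PermissionError in the post)."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy.get("Statement", []):
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            if not any(_iam_match(a, action, True) for a in actions):
                continue
            if not any(_iam_match(r, resource, False) for r in resources):
                continue
            if stmt.get("Effect") == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


def check_parquet_read(role_policies: List[dict]) -> Dict[str, str]:
    """Decisions for the two calls a filesystem-backed Parquet open typically
    needs (assumption about s3fs internals): a HEAD on the object and a prefix
    listing.  Note the different resource shapes: object ARN vs. bare bucket ARN."""
    return {
        "s3:GetObject": evaluate(role_policies, "s3:GetObject", OBJECT_ARN),
        "s3:ListBucket": evaluate(role_policies, "s3:ListBucket", BUCKET_ARN),
    }


def overly_broad_statements(policy: dict) -> List[str]:
    """Least-privilege lint: Sids (or positional labels) of Allow statements whose
    Action is a whole-service or global wildcard such as 's3:*' or '*'."""
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action", []))):
            hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits


if __name__ == "__main__":
    print("no policy attached :", check_parquet_read([]))
    print("policy attached    :", check_parquet_read([BUCKET_READ_POLICY]))
    print("broad statements   :", overly_broad_statements(BUCKET_READ_POLICY))
```

Running it with an empty policy list reproduces the original symptom (both calls implicitly denied); with the answer's policy attached, both calls are allowed. The lint flags the first policy from the question, whose second statement grants `s3:*`, as broader than the read-only ETL job needs.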


huangapple
  • Published on 2023-04-17 21:38:56
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76035793.html