'Your access has been denied by S3, please make sure your request credentials have permission to GetObject for awsserverlessrepo

Lambda uses "Browse Serviceless Application Repository" to create an application when creating a function and shows no S3 permissions.

Here is how my Lambda creates a function to deploy the application:

enter image description here

The S3 area is in Ohio, and S3 is not open to the public. The S3 bucket policy is set as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "serverlessrepo.amazonaws.com"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::test/*"
    }
  ]
}

The error message is as follows:

Your access has been denied by S3, please make sure your request credentials
have permission to GetObject for awsserverlessrepo-changesets-
2oob4yq73km4n/712518399907/arn:aws:serverlessrepo:us-east-
2:712518399907:applications-beta-server-versions-
0.7.38216/xxxx-xxxx-xxxx-xxxx-xxxxxxxx. S3 Error Code: 
AccessDenied. S3 Error Message: Access Denied (Service: AWSLambdaInternal; 
Status Code: 403; Error Code: AccessDeniedException; Request ID: xxxxxxx
-xxxx-xxxx-xxxx-xxxx)

In my user policy, I have S3 permissions, how do I configure it?

aws-lambdaaws-serverless


Solution 1:[1]

I ran into exactly the same issue. May not be the same cause but I found that the IAM user I used to run sam deploy has an IPWhitelisting policy attached. Removing that policy resolved the issue.

Solution 2:[2]

I had the same issue using cloudformation, everything was ok from the S3 bucket policies and IAM users.

My problem was that my company has implemented a boundary ip policies that was not supposed to cause this error since i was executing my commands inside the company IP.

But, some AWS services internally will make another request from the internal AWS service IP, that will cause the deny.

Including the aws:ViaAWSService = False statement in my boundaryIP policy made it work again.

e.g

{
"Version": "2012-10-17",
"Statement": {
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
        "NotIpAddress": {
            "aws:SourceIp": [
                "192.0.2.0/24",
                "203.0.113.0/24"
            ]
        },
        "Bool": {"aws:ViaAWSService": "false"}
    }
}

}

There is more details and this same example on this AWS doc below:

AWS: Denies access to AWS based on the source IP

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Ritaotao
Solution 2 nochimow

Related Questions

Choose Amazon S3 storage class using Laravel Filesystem

Amazon AWS S3 to Force Download Mp3 File instead of Stream It

Why my cloudformation template is over 1 MB?

MemoryError zipfile in memory

Determine if an object exists in a S3 bucket based on wildcard

Trouble setting cache-cotrol header for Amazon S3 key using boto

Trouble setting cache-cotrol header for Amazon S3 key using boto

Connect Thumbor with AWS - s3

Logging to Amazon S3

Why is my access denied on s3 (using the aws-sdk for Node.js)?

Alluxio on kubernetes(EKS) supports s3 connection without aws accessKey and secretKey? Is the s3 connection configurable with role arn alone?

Uploading image to amazon s3 using multer-s3 nodejs

Reading file from s3 in pyspark using org.apache.hadoop:hadoop-aws

Load data from S3 into Aurora Serverless using AWS Glue

Apache Iceberg table format to ADLS / azure data lake