Your access has been denied by S3, please make sure your request credentials have permission to GetObject for awsserverlessrepo

Lambda uses "Browse Serverless Application Repository" to create an application when creating a function and shows no S3 permissions.

Here is how my Lambda creates a function to deploy the application:


The S3 bucket is in the Ohio region, and it is not open to the public. The S3 bucket policy is set as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "serverlessrepo.amazonaws.com"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::test/*"
    }
  ]
}

The error message is as follows:

Your access has been denied by S3, please make sure your request credentials
have permission to GetObject for awsserverlessrepo-changesets-
2oob4yq73km4n/712518399907/arn:aws:serverlessrepo:us-east-
2:712518399907:applications-beta-server-versions-
0.7.38216/xxxx-xxxx-xxxx-xxxx-xxxxxxxx. S3 Error Code: 
AccessDenied. S3 Error Message: Access Denied (Service: AWSLambdaInternal; 
Status Code: 403; Error Code: AccessDeniedException; Request ID: xxxxxxx
-xxxx-xxxx-xxxx-xxxx)

My user policy has S3 permissions; how do I configure it?



Solution 1:[1]

I ran into exactly the same issue. May not be the same cause but I found that the IAM user I used to run sam deploy has an IPWhitelisting policy attached. Removing that policy resolved the issue.

Solution 2:[2]

I had the same issue using CloudFormation; everything was OK with the S3 bucket policies and IAM users.

My problem was that my company has implemented a boundary IP policy that was not supposed to cause this error, since I was executing my commands from inside the company IP range.

But some AWS services will internally make another request from an internal AWS service IP, and that request causes the deny.

Including the aws:ViaAWSService = False statement in my boundaryIP policy made it work again.

e.g.:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
      "NotIpAddress": {
        "aws:SourceIp": [
          "192.0.2.0/24",
          "203.0.113.0/24"
        ]
      },
      "Bool": {"aws:ViaAWSService": "false"}
    }
  }
}

There are more details and this same example in the AWS doc below:

AWS: Denies access to AWS based on the source IP
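As an added example (not part of the answer above or any AWS tooling), a small Python audit that flags source-IP deny statements lacking the aws:ViaAWSService exception described in Solution 2 and emits a corrected copy. The sample policy is constructed to mirror the boundary policy in the answer, minus the exception.

```python
import copy
import json

# Constructed sample: a source-IP deny boundary without the service exception (the
# shape that breaks Serverless Application Repository / CloudFormation deployments).
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
      "NotIpAddress": {"aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]}
    }
  }
}""")

def statements(policy):
    """IAM allows "Statement" to be a single object or a list; normalise to a list."""
    s = policy.get("Statement", [])
    return s if isinstance(s, list) else [s]

def via_service_exempted(cond):
    """True if the statement exempts calls an AWS service makes on the principal's behalf."""
    for op in ("Bool", "BoolIfExists"):
        val = cond.get(op, {}).get("aws:ViaAWSService")
        if val is not None and str(val).lower() == "false":
            return True
    return False

def find_unsafe_ip_denies(policy):
    """Return deny statements keyed on aws:SourceIp that would also deny service-originated calls."""
    unsafe = []
    for st in statements(policy):
        cond = st.get("Condition", {})
        if st.get("Effect") != "Deny" or "aws:SourceIp" not in cond.get("NotIpAddress", {}):
            continue
        if not via_service_exempted(cond):
            unsafe.append(st)
    return unsafe

def add_via_service_exception(policy):
    """Return a deep copy in which every unsafe IP deny gains aws:ViaAWSService = false."""
    fixed = copy.deepcopy(policy)
    for st in find_unsafe_ip_denies(fixed):  # references into the copy, so mutation applies
        st["Condition"].setdefault("Bool", {})["aws:ViaAWSService"] = "false"
    return fixed

if __name__ == "__main__":
    print(len(find_unsafe_ip_denies(WEAK_POLICY)), "unsafe statement(s) before fix")
    print(json.dumps(add_via_service_exception(WEAK_POLICY), indent=2))
```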

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Ritaotao
Solution 2 nochimow