
I am following the aws lambda tutorial, currently at: https://docs.aws.amazon.com/lambda/latest/dg/with-s3-example.html

  • Created role 'christopher-lambda-test'
  • Created bucket 'christopher-test-source'
    • Uploaded "happyface.jpg" to source bucket
  • Created bucket 'christopher-test-resized'
  • Installed Windows Subsystem for Linux using Ubuntu
  • sudo apt install python3
  • sudo apt install python3-pip
  • sudo pip install virtualenv
  • sudo apt install zip
  • virtualenv ~/shrink_venv
  • source ~/shrink_venv/bin/activate
  • pip install Pillow
  • pip install boto3
  • cd $VIRTUAL_ENV/lib/python3.6/site-packages
  • zip -r ~/CreateThumbnail.zip .
  • cp /mnt/c/Git-Workspace//create_thumbnail.py ~/create_thumbnail.py
    • Not sure if how to use this particular zip program to get a file from a directory and put it in to root of zip
  • cd ~
  • zip -g CreateThumbnail.zip create_thumbnail.py

I did the next part in aws console, because I am not sure what the arguments were supposed to look like from the command line in the tutorial.

  • Created a lambda function
  • Code entry type - uploaded zip
  • Runtime - python 3.6
  • Handler - create_thumbnail.handler
  • Timeout - 30 sec
  • Execution role - Use existing - christopher-lambda-test
  • Created a test event, according to the tutorial

The role shows:

Permissions Tab:

  • AWSLambdaExecute policy
  • Permissions boundary not set

Trust relationships:

  • The identity provider(s) lambda.amazonaws.com
  • No conditions

Tags: Blank

Access Advisor:

  • Cloudwatch logs, AWSLambdaExecute
  • Amazon S3, AWSLambdaExecute

The test event looks like this:

{
  "Records": [
    {
      "eventVersion": "2.0",
      "eventSource": "aws:s3",
      "awsRegion": "us-west-2",
      "eventTime": "1970-01-01T00:00:00.000Z",
      "eventName": "ObjectCreated:Put",
      "userIdentity": {
        "principalId": "AIDAJDPLRKLG7UEXAMPLE"
      },
      "requestParameters": {
        "sourceIPAddress": "127.0.0.1"
      },
      "responseElements": {
        "x-amz-request-id": "C3D13FE58DE4C810",
        "x-amz-id-2": "FMyUVURIY8/IgAtTv8xRjskZQpcIZ9KG4V5Wp6S7S/JRWeUWerMUE5JgHvANOjpD"
      },
      "s3": {
        "s3SchemaVersion": "1.0",
        "configurationId": "testConfigRule",
        "bucket": {
          "name": "christopher-test-source",
          "ownerIdentity": {
            "principalId": "A3NL1KOZZKExample"
          },
          "arn": "arn:aws:s3:::christopher-test-source"
        },
        "object": {
          "key": "HappyFace.jpg",
          "size": 1024,
          "eTag": "d41d8cd98f00b204e9800998ecf8427e",
          "versionId": "096fKKXTRTtl3on89fVO.nfljtsv6qko"
        }
      }
    }
  ]
}

The role has the AWSLambdaExecute policy and if I click the json tab, it shows the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:*"
            ],
            "Resource": "arn:aws:logs:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::*"
        }
    ]
}

When I try to run it via the test button in the console, I get the following error:

START RequestId: 11528d5a-e9f3-4b53-aef8-9b5a5934cd63 Version: $LATEST
An error occurred (403) when calling the HeadObject operation: Forbidden: ClientError
Traceback (most recent call last):
  File "/var/task/create_thumbnail.py", line 22, in handler
    s3_client.download_file(bucket, key, download_path)
  File "/var/task/boto3/s3/inject.py", line 172, in download_file
    extra_args=ExtraArgs, callback=Callback)
  File "/var/task/boto3/s3/transfer.py", line 307, in download_file
    future.result()
  File "/var/task/s3transfer/futures.py", line 106, in result
    return self._coordinator.result()
  File "/var/task/s3transfer/futures.py", line 265, in result
    raise self._exception
  File "/var/task/s3transfer/tasks.py", line 255, in _main
    self._submit(transfer_future=transfer_future, **kwargs)
  File "/var/task/s3transfer/download.py", line 345, in _submit
    **transfer_future.meta.call_args.extra_args
  File "/var/task/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/task/botocore/client.py", line 661, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (403) when calling the HeadObject operation: Forbidden

END RequestId: 11528d5a-e9f3-4b53-aef8-9b5a5934cd63
REPORT RequestId: 11528d5a-e9f3-4b53-aef8-9b5a5934cd63  Duration: 467.98 ms Billed Duration: 500 ms Memory Size: 128 MB Max Memory Used: 79 MB  Init Duration: 335.18 ms    
XRAY TraceId: 1-5d801e11-ab1b32529b00e590684dfe16   SegmentId: 316a1aa70e80ba67 Sampled: false  

I am pretty sure boto needs me to set my aws credentials, doesn't it? I am not sure how to do that in aws lambda. Or is this a different error?

1 Answer

You are using a role for executing lambda, which is the right way to do it. You don't need to use any credentials when using AWS service-to-service communication, and using a service role is the correct way.

You have not shared your role definition but it seems that the role christopher-lambda-test does not have the required permissions.


5 Comments

I thought I described all there was to describe for the role. I described the permissions tab, the trust relationships tab, tags, access advisor tab. What do I need to get a copy of and how do I get it?
the policy applied to your role in IAM
The policy is "AWSLambdaExecute", which has Cloudwatch Logs: List, Read, Write and S3: Read, Write with resource "Bucketname | string like | All"
I edited the original post to include the json it shows me if I click the policy.
hmm I got it to work by changing AWSExecuteLambda to AmazonS3FullAccess and AWSOpsWorksCloudWatchLogs. Saw it in a video from a Google search. Not sure why the original policy "AWSLambdaExecute" doesn't work. As far as I can tell, as a noob, it included read and write permissions to S3.
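The thread ends with the function working under AmazonS3FullAccess, which grants every S3 action on every bucket in the account. The added example below is editor-supplied code, not from the question, the answer, or the AWS tutorial: it builds a least-privilege alternative scoped to the two bucket names given in the question, runs a small over-broad-grant check over both the AWSLambdaExecute policy quoted in the question and the scoped one, and shows how a handler should pull the bucket and key out of an S3 event record (keys arrive URL-encoded). Two practitioner caveats motivate the ListBucket grant: S3 object keys are case-sensitive, and the question's test event names `HappyFace.jpg` while the upload was `happyface.jpg`; and HeadObject on a key that does not exist returns 403 rather than 404 when the caller lacks `s3:ListBucket` on the bucket, so a missing object and a missing permission look identical in the traceback. The policy shape, the `scoped_policy` / `overbroad_statements` / `parse_record` helpers and the sample event are all constructed here.

```python
"""Added example (not from the original post): least-privilege policy for the
thumbnail Lambda, a check for over-broad S3 grants, and S3 event record parsing.
Bucket names are taken from the question; everything else is constructed."""
import json
from urllib.parse import unquote_plus

SOURCE_BUCKET = "christopher-test-source"     # from the question
RESIZED_BUCKET = "christopher-test-resized"   # from the question

# The AWSLambdaExecute policy exactly as quoted in the question: S3 read/write on every bucket.
AWS_LAMBDA_EXECUTE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["logs:*"], "Resource": "arn:aws:logs:*:*:*"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::*"},
    ],
}


def scoped_policy(source: str, resized: str) -> dict:
    """Constructed least-privilege alternative (hypothetical helper): read only from the
    source bucket, write only to the resized bucket, ListBucket on the source bucket so a
    missing key shows up as 404 instead of the ambiguous 403 seen in the question."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
             "Resource": "arn:aws:logs:*:*:*"},
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": f"arn:aws:s3:::{source}/*"},
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{source}"},
            {"Effect": "Allow", "Action": ["s3:PutObject"],
             "Resource": f"arn:aws:s3:::{resized}/*"},
        ],
    }


def overbroad_statements(policy: dict) -> list:
    """Return (actions, resources) for each Allow statement that grants S3 access on
    every bucket or with a wildcard action; AmazonS3FullAccess trips both checks."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if not any(a.lower().startswith("s3:") or a == "*" for a in actions):
            continue  # not an S3 grant, out of scope for this check
        wild_action = any(a in ("s3:*", "*") for a in actions)
        wild_resource = any(r in ("*", "arn:aws:s3:::*") for r in resources)
        if wild_action or wild_resource:
            findings.append((tuple(actions), tuple(resources)))
    return findings


def parse_record(record: dict) -> tuple:
    """Bucket name and decoded object key from one S3 event record. S3 URL-encodes
    keys in event notifications, so 'Happy Face.jpg' arrives as 'Happy+Face.jpg'."""
    bucket = record["s3"]["bucket"]["name"]
    key = unquote_plus(record["s3"]["object"]["key"])
    return bucket, key


# Constructed sample event with the same shape as the question's test event and an encoded key.
SAMPLE_EVENT = {"Records": [{"s3": {"bucket": {"name": SOURCE_BUCKET},
                                    "object": {"key": "Happy+Face.jpg"}}}]}

if __name__ == "__main__":
    print("over-broad in AWSLambdaExecute:", overbroad_statements(AWS_LAMBDA_EXECUTE))
    print("over-broad in scoped policy:", overbroad_statements(scoped_policy(SOURCE_BUCKET, RESIZED_BUCKET)))
    print("parsed record:", parse_record(SAMPLE_EVENT["Records"][0]))
    print(json.dumps(scoped_policy(SOURCE_BUCKET, RESIZED_BUCKET), indent=2))
```

Running the script flags the `arn:aws:s3:::*` statement in AWSLambdaExecute and nothing in the scoped policy; the scoped JSON it prints can be attached to the role as an inline policy in place of AmazonS3FullAccess, after which a wrongly cased key fails with a 404 that names the problem instead of a 403.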
