
An S3 bucket in account A has the policy below:

Sid: whitelistIp
Effect: Deny
Principal: *
Resource:
   arn:aws:s3:::my-s3
   arn:aws:s3:::my-s3/*
Condition:
  NotIpAddress:
     aws:SourceIp: [ list of IPs ]
  StringNotEquals:
     aws:SourceVpce: [ list of VPCE IDs ]

Sid: DenyNonSSLTraffic
Effect: Deny
Principal: *
Resource:
   arn:aws:s3:::my-s3
Condition:
  Bool:
     aws:SecureTransport: "false"

Sid: AllowspecificIamRoles
Effect: Allow
Principal: *
Action:
   s3:ListBucket
   s3:DeleteObject
   s3:GetObject
   s3:PutObject
Resource:
   arn:aws:s3:::my-s3
   arn:aws:s3:::my-s3/*
Condition:
  StringLike:
     aws:userid: [ list of user IDs ]

Now from account B I am trying to read objects from a Lambda function.

s3_client.list_objects() - this method works.

But when I use s3_client.download_file() it gives me an Access Denied error.

I have verified that the Lambda has sufficient permissions to read from S3.

Also one question: if I have a bucket policy, do I still have to specify an ACL for cross-account access?

  • Please fix indentation in your code. Commented Oct 7, 2021 at 3:33
  • @Marcin There is no issue with indentation; I cannot copy it directly and hence cannot post the exact code, but the conditions are the same. Commented Oct 7, 2021 at 3:34
  • Looks similar stackoverflow.com/q/33569045/495455 Commented Oct 7, 2021 at 3:40
  • @JeremyThompson I have verified the answers given there but no luck. Also, in my case the s3_client.list_objects() method is working. Commented Oct 7, 2021 at 4:04
  • Your question is not clear. There are many issues, such as there is no such thing as awssecureTransport. What exactly do you want to accomplish? Commented Oct 7, 2021 at 4:30
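As an added example (not code from the question or the answer), the following Python replays the posted bucket policy the way IAM evaluates it, so the two calls the question contrasts, list_objects (s3:ListBucket on the bucket ARN) and download_file (s3:GetObject on an object ARN), can be checked against several request contexts. The IPs, endpoint ID, user IDs and object key are constructed placeholders, the two Deny statements are given Action s3:* because the posted policy omits an Action, and the evaluator covers the bucket policy only, not the caller's IAM policy or object ownership.

```python
"""Toy evaluator for the bucket policy posted in the question.

Added example, not code from the question or the answer. It models only the
bucket policy: explicit Deny wins, the operators inside one Condition block
are ANDed, the values listed for one key are ORed, and '*' wildcards apply in
Action, Resource and StringLike. Real S3 also needs an Allow in the caller's
IAM policy and checks who owns the object; neither is modelled. All IPs,
endpoint IDs and user IDs are constructed placeholders, and the Deny
statements get Action "s3:*", which the posted policy leaves out.
"""
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

BUCKET = "arn:aws:s3:::my-s3"
OBJECTS = "arn:aws:s3:::my-s3/*"
SAMPLE_KEY = BUCKET + "/reports/2021.csv"   # constructed object ARN

POLICY = [
    {"Sid": "whitelistIp", "Effect": "Deny", "Action": "s3:*",
     "Resource": [BUCKET, OBJECTS],
     "Condition": {  # both operators must hold for this Deny to apply
         "NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
         "StringNotEquals": {"aws:SourceVpce": ["vpce-0123456789abcdef0"]}}},
    {"Sid": "DenyNonSSLTraffic", "Effect": "Deny", "Action": "s3:*",
     "Resource": [BUCKET],   # bucket ARN only, exactly as posted
     "Condition": {"Bool": {"aws:SecureTransport": ["false"]}}},
    {"Sid": "AllowspecificIamRoles", "Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:DeleteObject", "s3:GetObject", "s3:PutObject"],
     "Resource": [BUCKET, OBJECTS],
     "Condition": {"StringLike": {"aws:userid": ["AROAEXAMPLEROLEID:*"]}}},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _positive_match(operator, expected, actual):
    """Non-negated form of an operator: does `actual` match any expected value?"""
    base = operator.replace("Not", "")
    if base == "IpAddress":
        return any(ip_address(actual) in ip_network(cidr) for cidr in expected)
    if base == "StringEquals":
        return actual in expected
    if base == "StringLike":
        return any(fnmatchcase(actual, pattern) for pattern in expected)
    if base == "Bool":
        return actual.lower() in [v.lower() for v in expected]
    raise ValueError(f"operator not modelled: {operator}")


def condition_holds(condition, ctx):
    """Every operator/key pair in one Condition block must hold (AND)."""
    for operator, keys in condition.items():
        negated = "Not" in operator
        for key, expected in keys.items():
            if key not in ctx:
                # IAM: a key missing from the request context makes a positive
                # operator fail and a negated one succeed, which is why
                # StringNotEquals on aws:SourceVpce denies requests that did
                # not come through any endpoint at all.
                if not negated:
                    return False
                continue
            if _positive_match(operator, expected, ctx[key]) == negated:
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """Decision of the bucket policy alone: "Deny", "Allow" or "ImplicitDeny"."""
    decision = "ImplicitDeny"
    for stmt in policy:
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit Deny always wins
        decision = "Allow"
    return decision


def decisions(ctx):
    """(ListBucket on the bucket ARN, GetObject on an object ARN): the two
    requests that list_objects() and download_file() make."""
    return (evaluate(POLICY, "s3:ListBucket", BUCKET, ctx),
            evaluate(POLICY, "s3:GetObject", SAMPLE_KEY, ctx))


# Constructed request contexts for the account-B Lambda's assumed role.
LAMBDA_ROLE = "AROAEXAMPLEROLEID:lambda-session"
VIA_ENDPOINT_HTTPS = {"aws:SourceIp": "203.0.113.10", "aws:SourceVpce": "vpce-0123456789abcdef0",
                      "aws:SecureTransport": "true", "aws:userid": LAMBDA_ROLE}
PRIVATE_IP_VIA_ENDPOINT = {**VIA_ENDPOINT_HTTPS, "aws:SourceIp": "10.0.0.5"}
UNLISTED_IP_NO_ENDPOINT = {"aws:SourceIp": "198.51.100.7", "aws:SecureTransport": "true",
                           "aws:userid": LAMBDA_ROLE}
PLAIN_HTTP_VIA_ENDPOINT = {**VIA_ENDPOINT_HTTPS, "aws:SecureTransport": "false"}
OTHER_PRINCIPAL = {**VIA_ENDPOINT_HTTPS, "aws:userid": "AIDAEXAMPLEOTHERUSER"}

if __name__ == "__main__":
    for name in ("VIA_ENDPOINT_HTTPS", "PRIVATE_IP_VIA_ENDPOINT", "UNLISTED_IP_NO_ENDPOINT",
                 "PLAIN_HTTP_VIA_ENDPOINT", "OTHER_PRINCIPAL"):
        print(f"{name:24} ListBucket/GetObject -> {decisions(globals()[name])}")
```

Two things the replay makes visible. The IP and VPC-endpoint conditions sit in one statement, so that Deny fires only when both fail; a request from an unlisted private address that arrives through the listed endpoint is still allowed. And DenyNonSSLTraffic names only the bucket ARN, so it never applies to object-level calls such as GetObject. When the bucket policy alone returns Allow for GetObject in the context that matches the Lambda, the Access Denied must come from something the bucket policy does not govern: the Lambda role's own IAM policy, or the object's ownership and ACL when the object was written by another account and the bucket owner does not own it, which is the situation the question's last sentence asks about.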

1 Answer

If your Lambda function runs inside a VPC then you have to create an endpoint to access S3.

Create an S3 endpoint for the VPC from the VPC dashboard.

Select the S3 gateway and attach your VPC.

Add the endpoint routes to your route table.

Now you can read your S3 object.


1 Comment

This is already done
