1

I've been all over the internet looking for a solution to this. I have been trying to setup an AWS Lambda function to send a message to SNS every time a file is uploaded to a particular S3 bucket, according to this tutorial. At this point, I have the function setup and I can invoke it successfully. However, when I attempt to connect the function to S3, I get an error stating An error occurred (InvalidArgument) when calling the PutBucketNotification operation: Unable to validate the following destination configurations. According to this article, I should be able to add a permission that will let S3 invoke the Lambda function, like this:

aws lambda add-permission \
    --function-name my-file-upload \
    --principal s3.amazonaws.com \
    --statement-id AcceptFromImport \
    --action "lambda:InvokeFunction" \
    --source-arn arn:aws:s3:::file-import \
    --source-account my_account_id

I did this, and noticed that the policy associated with the Lambda function updated and appeared to be correct. However, the error persists. I've looked at a similar question, here, but none of the solutions here worked.

Execution Role ARN: arn:aws:iam::my_account_id:role/lambda-upload-stream

Execution Role (lambda-upload-stream) trust relationship:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Execution Role policy (my-file-upload):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AccessObject",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::file-import/*"
        },
        {
            "Sid": "SendUpdate",
            "Effect": "Allow",
            "Action": "sns:Publish",
            "Resource": "arn:aws:sns:ap-northeast-1:my_account_id:comm-in"
        }
    ]
}

Lambda function ARN: arn:aws:lambda:ap-northeast-1:my_account_id:function:my-file-upload

Lambda function role document

{
  "roleName": "lambda-upload-stream",
  "policies": [
    {
      "name": "my-file-upload",
      "id": "AWS_ACCESS_KEY_ID",
      "type": "managed",
      "arn": "arn:aws:iam::my_account_id:policy/my-file-upload",
      "document": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "AccessObject",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::file-import/*"
          },
          {
            "Sid": "SendUpdate",
            "Effect": "Allow",
            "Action": "sns:Publish",
            "Resource": "arn:aws:sns:ap-northeast-1:my_account_id:comm-in"
          }
        ]
      }
    }
  ],
  "resources": {
    "s3": {
      "service": {
        "name": "Amazon S3",
        "icon": "data:image/svg+xml;base64,very_long_base64_string1"
      },
      "statements": [
        {
          "resource": "arn:aws:s3:::file-import/*",
          "service": "s3",
          "effect": "Allow",
          "action": "s3:GetObject",
          "source": {
            "index": "AccessObject",
            "policyName": "my-file-upload",
            "policyType": "managed"
          }
        }
      ]
    },
    "sns": {
      "service": {
        "name": "Amazon SNS",
        "icon": "data:image/svg+xml;base64,very_long_base64_string2"
      },
      "statements": [
        {
          "resource": "arn:aws:sns:ap-northeast-1:my_account_id:comm-in",
          "service": "sns",
          "effect": "Allow",
          "action": "sns:Publish",
          "source": {
            "index": "SendUpdate",
            "policyName": "my-file-upload",
            "policyType": "managed"
          }
        }
      ]
    }
  },
  "trustedEntities": [
    "lambda.amazonaws.com"
  ]
}

Lambda function resource policy:

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:ap-northeast-1:my_account_id:function:my-file-upload",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "my_account_id"
        },
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:s3:::file-import"
        }
      }
    }
  ]
}

My question is: what am I doing wrong here and how do I fix it?

Improve this question
2
  • Why do you have three roles? These are for 3 different functions? What is " role document"? Where is it coming from? Its invalid IAM role or policy. Commented Jan 27, 2021 at 8:03
  • @Marcin The role document is what I get when I lookup the Lambda function on the AWS console, go to Permissions and click on Role Document Commented Jan 27, 2021 at 14:21

2 Answers 2

Reset to default
1

The thing you need to create is called a "Resource-based policy", and is what should be created by aws lambda add-permission.

A Resource-based policy gives S3 permission to invoke your lambda. This is a property on your lambda itself, and is not part of your lambda's IAM role (Your lambda's IAM role controls what your lambda can do, a Resource-based policy controls who can do what to your lambda. You can view this resource in the UI on the aws console by going to your lambda, clicking "Permissions" and scrolling down to "Resource-based policy". The keyword you want to look out for is lambda:InvokeFunction, which is what gives other things permission to call your lambda, including other AWS accounts, and other AWS services on your account (like s3).

That being said, the command you ran should have created this policy. Did you make sure to replace my_account_id with your actual account id when you ran the command?

In addition, make sure you replace --source-arn arn:aws:s3:::file-import with the actual ARN of your bucket (I assume you had to create a bucket with a different name because s3 buckets must have globally unique names, and file-import is almost surely already taken)

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

Ah sorry, I forgot to include it in the question. It does exist.
As for your other pieces, yes I ran the add-permissions with my account ID and the actual ARN for the S3 bucket.
Hmm, that's odd, the document looks fine to me. I think maybe the 'account equals' condition is unnecessary when you are using an s3 bucket from your own account. I guess the next step would be double-checking that you didn't accidentally leave a placeholder string for your bucket/function/account id somewhere in the commands you ran
Could it be because I'm omitting possible versions or aliases from the lambda ARN in the resource policy?
0

I figured out what the problem was. My initial command was:

aws s3api put-bucket-notification --bucket azure-erp-import \
    --notification-configuration "CloudFunctionConfiguration={Id=file-uploaded,Events=[],Event=s3:ObjectCreated:*,CloudFunction=arn:aws:lambda:ap-northeast-1:my_account_id:function:my-file-upload,InvocationRole=arn:aws:iam::my_account_id:role/lambda-upload-stream}"

This failed because the arn:aws:iam::my_account_id:role/lambda-upload-stream role doesn't have permissions to call lambda:InvokeFunction on the lambda function. Removing this value fixed the error.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.