Closed radumas closed 5 years ago
So after a DuckDuckGo it seems like the problem might be with the S3 Bucket permissions, which is weird because the serverless function can put data in the bucket successfully. See this answer. Note that `GetObject` permission and `ListBucket` permission have to apply to separate "resources" because they apply to folders and buckets respectively (see here).
```json
{
  "Id": "Policy1553644832850",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1553644826660",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::ttcscraper/*",
      "Principal": {
        "AWS": [
          "SERVERLESS_ARN"
        ]
      }
    },
    {
      "Sid": "Stmt1553644826661",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::ttcscraper",
      "Principal": {
        "AWS": [
          "SERVERLESS_ARN"
        ]
      }
    }
  ]
}
```
I think the IAM Policy for the role created for lambda by `serverless` might have a bug in it (the same list permission quirk as above).
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogStream"
      ],
      "Resource": [
        "arn:aws:logs:us-east-1:173861348325:log-group:/aws/lambda/prod-ttc_api-scrape:*",
        "arn:aws:logs:us-east-1:173861348325:log-group:/aws/lambda/prod-consolidate:*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:us-east-1:173861348325:log-group:/aws/lambda/prod-ttc_api-scrape:*:*",
        "arn:aws:logs:us-east-1:173861348325:log-group:/aws/lambda/prod-consolidate:*:*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::ttcscraper/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::ttcscraper",
      "Effect": "Allow"
    }
  ]
}
```
I think it might be something with the IAM user I configured, I got this from.... somewhere.
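The bucket-versus-object resource split discussed in this thread can be checked mechanically before a policy is deployed. The following is an added example, not code from the thread or from the Serverless Framework; the action sets are a small hand-picked subset, the function names are hypothetical, and the `MERGED` policy is constructed for illustration.

```python
# Added example: flag S3 Allow statements whose actions cannot match their resources.
S3 = "arn:aws:s3:::"
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}            # act on the bucket ARN
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}  # act on bucket/key ARNs

def as_list(value):
    return value if isinstance(value, list) else [value]

def covers_bucket(arn):
    # A bucket ARN has no "/" after the prefix; "*" alone matches everything.
    return arn == "*" or (arn.startswith(S3) and "/" not in arn[len(S3):])

def covers_object(arn):
    # An object ARN is bucket/key; a wildcard in the bucket part also spans "/".
    if arn == "*":
        return True
    rest = arn[len(S3):] if arn.startswith(S3) else ""
    return "/" in rest or "*" in rest

def mismatched(policy):
    """Return (statement index, action) pairs that no listed resource can satisfy."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            if action in BUCKET_ACTIONS and not any(map(covers_bucket, resources)):
                findings.append((i, action))
            elif action in OBJECT_ACTIONS and not any(map(covers_object, resources)):
                findings.append((i, action))
    return findings

# The S3 statements of the role policy shown in the thread.
SPLIT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::ttcscraper/*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": "arn:aws:s3:::ttcscraper"}]}

# Constructed variant: ListBucket attached only to the object ARN, so it never applies.
MERGED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::ttcscraper/*"}]}

if __name__ == "__main__":
    print("split policy:", mismatched(SPLIT))    # []
    print("merged policy:", mismatched(MERGED))  # [(0, 's3:ListBucket')]
```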