I am trying in an AWS lambda to get the bucket logging settings for my buckets. For this I enumerate the buckets with S3.listBuckets() - which works just fine. I then iterate over the bucket names like this (Typescript):

const bucketNames = await getBucketNames() // <- works without problems
for (const bucketName of bucketNames) {
    try {
        console.log(`get logging for bucket ${bucketName}`) // <-- getting to this log
        const bucketLogging: GetBucketLoggingOutput = await s3.getBucketLogging({
            Bucket: bucketName,
            ExpectedBucketOwner: accountId
        }).promise()

        // check logging setup and adjust if necessary
    } catch (error) {
        console.log(JSON.stringify(error))
    }
}

The call to getBucketLogging() fails

{
    "message": "Access Denied",
    "code": "AccessDenied",
    "region": null,
    "time": "2022-07-19T11:16:26.671Z",
    "requestId": "****",
    "extendedRequestId": "****",
    "statusCode": 403,
    "retryable": false,
    "retryDelay": 70.19937788683632
}

The accountId that is passed in is definitely right (it's optional anyway); the lambda is in the same account as the bucket owner (which is the sole condition described in the docs at https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html#getBucketLogging-property).

When doing this call from a terminal CLI I have no problems to get results, only when running from a lambda.

What am I missing or overseeing?

CodePudding user response：

You should make sure to attach the respective IAM permissions to your lambda function. Just because you have the s3:ListBuckets role doesn't mean that it is also permitted to perform the same for the BucketLogging information. Please refer to the following docs for more details on S3 IAM actions: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html