s3 get_object giving Access Denied for SSE-KMS Encrypted Object

Time:10-06

I am trying to get an encrypted S3 object in a Lambda function using the following code, but I am getting an Access Denied error for GetObject.

import boto3
s3 = boto3.client('s3')
# bucket and key identify the SSE-KMS encrypted object
response = s3.get_object(Bucket=bucket, Key=key)

The Lambda has an assigned role in which I have provided the KMS policy.

{
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": [
        "kms:Decrypt",
        "kms:Encrypt"
    ],
    "Resource": "arn:aws:kms:ZONE:123456789012:key/ererwerwerwerer"
},
{
    "Sid": "VisualEditor1",
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": "*"
}

Can anyone suggest what I am missing here?

CodePudding user response:

You are missing policies for accessing S3. Also make sure you update the S3 bucket to allow access for the Lambda function.

CodePudding user response:

I was missing the Lambda function role from the KMS key policy.

{
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::123456789012:role/xyz-lbz-lamda-role",
            "arn:aws:iam::123456789012:root"
        ]
    },
    "Action": "kms:*",
    "Resource": "*"
}
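
The key policy statement in the answer above grants the Lambda role `kms:*`, while reading an SSE-KMS object through GetObject needs only `kms:Decrypt` on the key. The following is an added example, not code from the thread: it audits a key policy for how a role is granted an action and builds a decrypt-only statement. The function names `role_kms_access` and `decrypt_only_statement` are hypothetical, and Deny statements and Condition blocks are not evaluated.

```python
import fnmatch

def _listify(value):
    return value if isinstance(value, list) else [value]

def role_kms_access(key_policy, role_arn, action="kms:Decrypt"):
    """Summarise how Allow statements in a KMS key policy grant `action` to a role.

    Simplification (assumption): Deny statements and Condition blocks are ignored.
    """
    account_root = "arn:aws:iam::{}:root".format(role_arn.split(":")[4])
    report = {"direct": False, "via_account_root": False, "wildcard_actions": []}
    for stmt in key_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = _listify(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        actions = _listify(stmt.get("Action", []))
        # IAM action names are case-insensitive and may contain wildcards.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue
        if role_arn in arns:
            report["direct"] = True
            report["wildcard_actions"] += [a for a in actions if "*" in a]
        if account_root in arns:
            # Root principal: the key policy defers to IAM policies in that account.
            report["via_account_root"] = True
    return report

def decrypt_only_statement(role_arn):
    """Key policy statement granting the role only what S3 GetObject needs."""
    return {"Effect": "Allow", "Principal": {"AWS": role_arn},
            "Action": "kms:Decrypt", "Resource": "*"}

ROLE = "arn:aws:iam::123456789012:role/xyz-lbz-lamda-role"
# Constructed sample: the statement from the answer above, wrapped in a policy document.
ANSWER_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": [ROLE, "arn:aws:iam::123456789012:root"]},
    "Action": "kms:*",
    "Resource": "*"}]}

if __name__ == "__main__":
    print(role_kms_access(ANSWER_POLICY, ROLE))
    tightened = {"Version": "2012-10-17", "Statement": [decrypt_only_statement(ROLE)]}
    print(role_kms_access(tightened, ROLE))
```

A non-empty `wildcard_actions` list marks a statement to narrow; the tightened policy still reports `direct` as true for `kms:Decrypt` but no longer covers `kms:Encrypt` or key administration.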