2
3

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

More than 3 years have passed since last update.

Lambdaで"An error occurred (AccessDenied) when calling the GetObject operation: Access Denied"と言われてハマった

Posted at

#概要
LambdaにてS3の特定オブジェクトをダウンロードする操作をPython(boto3)で実行したが、Access Deniedと言われて実行できない。
実行ロールにAmazonS3FullAccessを付与するも同様の結果。

#実行内容

import json
import boto3

def lambda_handler(event, context):
    
    s3 = boto3.resource('s3')
    bucket = s3.Bucket('my-hoge-hoge-bucket')
    bucket.download_file('test.txt', 'fuga.txt')

#Lambdaで表示されるエラー

{
  "errorMessage": "An error occurred (AccessDenied) when calling the GetObject operation: Access Denied",
  "errorType": "ClientError",
  "stackTrace": [
    "  File \"/var/task/lambda_function.py\", line 11, in lambda_handler\n    bucket.download_file('test.txt', 'fuga.txt')\n",
    "  File \"/var/runtime/boto3/s3/inject.py\", line 244, in bucket_download_file\n    return self.meta.client.download_file(\n",
    "  File \"/var/runtime/boto3/s3/inject.py\", line 170, in download_file\n    return transfer.download_file(\n",
    "  File \"/var/runtime/boto3/s3/transfer.py\", line 307, in download_file\n    future.result()\n",
    "  File \"/var/runtime/s3transfer/futures.py\", line 106, in result\n    return self._coordinator.result()\n",
    "  File \"/var/runtime/s3transfer/futures.py\", line 265, in result\n    raise self._exception\n",
    "  File \"/var/runtime/s3transfer/tasks.py\", line 126, in __call__\n    return self._execute_main(kwargs)\n",
    "  File \"/var/runtime/s3transfer/tasks.py\", line 150, in _execute_main\n    return_value = self._main(**kwargs)\n",
    "  File \"/var/runtime/s3transfer/download.py\", line 511, in _main\n    response = client.get_object(\n",
    "  File \"/var/runtime/botocore/client.py\", line 357, in _api_call\n    return self._make_api_call(operation_name, kwargs)\n",
    "  File \"/var/runtime/botocore/client.py\", line 676, in _make_api_call\n    raise error_class(parsed_response, operation_name)\n"
  ]
}

#原因
KMSによるデフォルト暗号化が有効なバケットのオブジェクトを操作していた。

s3.png

#解決策
KMSにて、暗号化に使用しているキーのキーユーザーに対象となるLambdaの実行ロールを追加する。

スクリーンショット 2020-11-09 22.34.57.png

意図的にKMSでの暗号化を設定していると気付きますが、awsによって自動的に暗号化される(RDSのスナップショットなど)場合はなかなか気づけないですね。

2
3
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
2
3

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?