Lambda function not triggered by S3 event notification: 'AccessDenied' error in S3 bucket event configuration
ID: cloud/aws-lambda-s3-event-notification-missing
Tags: AccessDenied, cloud, auth_error (ai_generated: true)
Fix Rate: 90%
Confidence: 88%
Evidence: 1
First Seen: 2023-04-10
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| AWS Lambda (runtime: Node.js 18, Python 3.11) | active | — | — | — |
| AWS S3 (standard tier) | active | — | — | — |
| AWS CLI 2.15.0 | active | — | — | — |
Root Cause
The S3 event notification cannot deliver events because S3 is not permitted to invoke the Lambda function: the Lambda function's resource-based policy is missing, or it does not allow the S3 service principal (s3.amazonaws.com) to call lambda:InvokeFunction.
Official Documentation
https://docs.aws.amazon.com/lambda/latest/dg/with-s3-example.html#with-s3-example-create-permissions
Workarounds
- 95% success: Add a resource-based policy statement to the Lambda function using the AWS CLI: `aws lambda add-permission --function-name my-function --statement-id s3-invoke --principal s3.amazonaws.com --action lambda:InvokeFunction --source-arn arn:aws:s3:::my-bucket --source-account 123456789012`
- 85% success: Use AWS CloudTrail to find the exact AccessDenied error: `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=PutBucketNotificationConfiguration --region us-east-1`, and check whether the error comes from S3 or from Lambda.
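Before and after running the add-permission command, it helps to check the policy document that `aws lambda get-policy` returns in its "Policy" field. The following checker is an added example, not part of this page or of AWS tooling; the sample policy is constructed from the page's placeholder function, bucket and account values, and it treats the SourceArn condition as an exact match (ArnLike wildcards are not expanded).

```python
import json

# Constructed sample: the document found in the "Policy" field of
# `aws lambda get-policy` after the add-permission command above ran.
# Account, bucket and function names are the page's placeholder values.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17", "Id": "default",
    "Statement": [{
        "Sid": "s3-invoke", "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function",
        "Condition": {"StringEquals": {"AWS:SourceAccount": "123456789012"},
                      "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::my-bucket"}}}]})

def _as_list(v):
    """IAM accepts a string or a list in Action/Resource/Service; normalise."""
    return [] if v is None else (v if isinstance(v, list) else [v])

def _condition_values(stmt, key):
    """Collect values for one condition key (e.g. AWS:SourceArn) across all
    condition operators; condition keys are case-insensitive in IAM."""
    out = []
    for operands in stmt.get("Condition", {}).values():
        for k, v in operands.items():
            if k.lower() == key.lower():
                out += _as_list(v)
    return out

def s3_invoke_gaps(policy, function_arn, bucket_arn, account_id):
    """Return the reasons the Lambda resource-based policy does not let S3
    deliver events from bucket_arn. An empty list means the grant exists and
    is scoped to the expected bucket and account (the confused-deputy guard)."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    grants = []
    for s in _as_list(doc.get("Statement")):
        principal = s.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        invoke = any(a in ("lambda:InvokeFunction", "lambda:*", "*") for a in _as_list(s.get("Action")))
        on_function = any(r in (function_arn, "*") for r in _as_list(s.get("Resource")))
        if s.get("Effect") == "Allow" and "s3.amazonaws.com" in services and invoke and on_function:
            grants.append(s)
    if not grants:
        return ["no Allow statement lets s3.amazonaws.com call lambda:InvokeFunction on " + function_arn]
    gaps = []
    if not any(bucket_arn in _condition_values(s, "AWS:SourceArn") for s in grants):
        gaps.append("no AWS:SourceArn condition matching " + bucket_arn)
    if not any(account_id in _condition_values(s, "AWS:SourceAccount") for s in grants):
        gaps.append("no AWS:SourceAccount condition matching " + account_id)
    return gaps
```

A grant without the SourceArn and SourceAccount conditions still fixes the AccessDenied error, but the checker reports it because any S3 bucket in any account could then invoke the function.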
Dead Ends
Common approaches that don't work:
- 90% fail: Adding permissions to the S3 bucket policy. Bucket policies control access to the bucket itself, not who can invoke the Lambda function; the permission must be in the Lambda function's resource-based policy.
- 70% fail: Deleting and recreating the event notification. This does not fix the underlying permission issue; the same error recurs as long as the Lambda policy is missing.