I want to deploy my Next.js application with the Serverless CLI, but I want to have my resources in eu-north-1. I'm new to AWS, but I have tried a bunch of things, even adding a policy that gives access to everything handling S3 buckets.

```yaml
name: test-bucket

test-bucket:
  component: '@sls-next/serverless-component@latest'
  inputs:
    bucketRegion: eu-north-1
    policy: arn:aws:iam::<id>:policy/S3FullAccess
```
Related
I have a .NET Core API that includes retrieving and uploading files to AWS S3. It works when I run it locally since I have saved IAM credentials locally in another folder. However, when I deploy it as an AWS Lambda function and try to access S3, I get AmazonS3Exception "access denied". I'm wondering how I can set up access to IAM credentials remotely as I have done locally?
You should be assigning an IAM role as the Lambda function's execution role. Your code should be able to pick that up and use it automatically. If your code isn't picking that up automatically then edit your question to show the relevant code.
I am trying to set up an S3 event notification for an existing S3 bucket using AWS CDK.

Below is the code.

```python
bucket = s3.Bucket.from_bucket_name(self, "S3Bucket", f"some-{stack_settings.aws_account_id}")
bucket.add_event_notification(
    s3.EventType.OBJECT_CREATED,
    s3n.SqsDestination(queue),
    s3.NotificationKeyFilter(
        prefix="uploads/"
    ),
)
```

The stack creation fails and I see the error below on the CloudFormation console.

```
User: arn:aws:sts::<account>:assumed-role/some-cicd/i-8989898989xyz
is not authorized to perform: lambda:InvokeFunction on resource:
arn:aws:lambda:us-east-1:<account_number>:function:<some name>-a-BucketNotificationsHandl-b2kDmawsGjpL
because no identity-based policy allows the lambda:InvokeFunction action (Service: AWSLambda;
Status Code: 403; Error Code: AccessDeniedException; Request ID: c2d91744-416c-454d-a510-ff4cce061b80;
Proxy: null)
```

I am not sure what this Lambda is. I am not trying to create any such Lambda in my CDK app.

Does anyone know what is going on here and if there is anything wrong with my code?
The ability to add notifications to an existing bucket is implemented with a custom resource, that is, a Lambda that uses the AWS SDK to modify the bucket's settings.

CloudFormation invokes this Lambda when creating this custom resource (also on update/delete).

If you would like details, here's the relevant GitHub issue; you can see the commit that added the feature.
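The practical consequence of the answer above is that the role the CI/CD pipeline deploys with needs `lambda:InvokeFunction` on the custom-resource handler, and nothing broader. The following is an added example (not code from the question, the answer or the CDK project) that parses the AccessDenied message CloudFormation surfaces, recovers the deploying role's name, and emits the least-privilege statement that would satisfy exactly that call. The sample message is constructed: the account id, stack name and request id are placeholders, and the function `rsplit`-on-`-` trick assumes the usual `<stack>-<logical-id-prefix>-<random>` naming CloudFormation uses for the handler's physical name.

```python
import json
import re

# Constructed sample of the AccessDenied message from the question. Account id,
# function name and request id are placeholders, not real values.
SAMPLE_ERROR = (
    "User: arn:aws:sts::123456789012:assumed-role/some-cicd/i-0123456789abcdef0 "
    "is not authorized to perform: lambda:InvokeFunction on resource: "
    "arn:aws:lambda:us-east-1:123456789012:function:my-stack-a-BucketNotificationsHandl-b2kDmawsGjpL "
    "because no identity-based policy allows the lambda:InvokeFunction action "
    "(Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException; "
    "Request ID: 00000000-0000-0000-0000-000000000000; Proxy: null)"
)

# Shape of the standard IAM "not authorized to perform" message.
_DENY_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+) "
    r"on resource: (?P<resource>\S+)"
)


def parse_access_denied(message):
    """Return {'principal', 'action', 'resource'} from an AccessDenied message,
    or None when the message does not have the expected shape."""
    match = _DENY_RE.search(message)
    return match.groupdict() if match else None


def role_name_from_sts_arn(principal_arn):
    """arn:aws:sts::<acct>:assumed-role/<role>/<session> -> <role> (None if not that shape)."""
    parts = principal_arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "sts":
        return None
    pieces = parts[5].split("/")  # assumed-role/<role>/<session>
    if len(pieces) != 3 or pieces[0] != "assumed-role":
        return None
    return pieces[1]


def minimal_policy_statement(denied, wildcard_random_suffix=True):
    """Least-privilege Allow statement for exactly the denied action/resource.

    The custom-resource handler's physical name ends in a random suffix that
    changes when the stack is recreated, so by default the last '-<random>'
    component is replaced with '*' (assumption about CloudFormation naming);
    pass wildcard_random_suffix=False to keep the exact ARN."""
    resource = denied["resource"]
    marker = ":function:"
    if wildcard_random_suffix and denied["action"].startswith("lambda:") and marker in resource:
        prefix, fn_name = resource.split(marker, 1)
        resource = prefix + marker + fn_name.rsplit("-", 1)[0] + "*"
    return {"Effect": "Allow", "Action": [denied["action"]], "Resource": [resource]}


def main():
    denied = parse_access_denied(SAMPLE_ERROR)
    print("deploy role:", role_name_from_sts_arn(denied["principal"]))
    print(json.dumps({"Version": "2012-10-17",
                      "Statement": [minimal_policy_statement(denied)]}, indent=2))


if __name__ == "__main__":
    main()
```

Attach the printed statement to the pipeline role (here `some-cicd`) rather than granting `lambda:*`; the wildcard is confined to the handler's name prefix inside your own account and region, so it does not widen into other functions.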
My Spring Boot application is going to be deployed on OpenShift, and from my application I need to download files from an AWS S3 bucket on another network.

What is the best way to connect to S3 and get the files? I am trying to use the AmazonS3 client. Do I need to do configuration at the OpenShift infra level? Is there any other way with which we can download the files?
This is my suggested method using IAM roles.
https://aws.amazon.com/blogs/compute/a-guide-to-locally-testing-containers-with-amazon-ecs-local-endpoints-and-docker-compose/
Scenario: Testing using Task IAM Role credentials
The endpoints container image can also vend credentials from an IAM Role; this allows you to test your application locally using a Task IAM Role.
NOTE: You should not use your production Task IAM Role locally. Instead, create a separate testing role, with equivalent permissions scoped to testing resources. Modifying the trust boundary of a production role will expand its scope.
In order to use a Task IAM Role locally, you must modify its trust policy. First, get the ARN of the IAM user defined by your default AWS CLI Profile (replace default with a different Profile name if needed):

```shell
aws --profile default sts get-caller-identity
```

Then modify your Task IAM Role so that its trust policy includes the following statement. You can find instructions for modifying IAM Roles in the IAM Documentation.

```json
{
  "Effect": "Allow",
  "Principal": {
    "AWS": <ARN of the user found with get-caller-identity>
  },
  "Action": "sts:AssumeRole"
}
```

To use your Task IAM Role in your docker compose file for local testing, simply change the value of the AWS container credentials relative URI environment variable on your application container:

```yaml
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI: "/role/"
```

For example, if your role is named ecs_task_role, then the environment variable should be set to "/role/ecs_task_role". That is all that is required; the ecs-local-endpoints container will now vend credentials obtained from assuming the task role. You can use this to validate that the permissions set on your Task IAM Role are sufficient to run your application.
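The trust-policy edit in the quoted guide is the step that widens a role's trust boundary, which is why the guide insists on a separate testing role. The following is an added example (not code from the answer, the AWS blog or ecs-local-endpoints) that applies that statement to a role's trust policy document idempotently, refuses any principal that is not one specific IAM user ARN (no `*`, no account root), and derives the `/role/<name>` value for `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`. The starting trust policy and the user ARN are constructed samples.

```python
import copy
import json

# Constructed sample: trust policy of a *testing* task role that, like any task
# role, currently trusts only the ECS tasks service. Not a real role.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ecs-tasks.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def is_specific_iam_user_arn(arn):
    """True only for arn:aws:iam::<12-digit account>:user/<name>.

    Wildcards, the account root and anything that is not an IAM user are
    rejected so the trust boundary grows by exactly one caller."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[:3] != ["arn", "aws", "iam"] or parts[3] != "":
        return False
    account, resource = parts[4], parts[5]
    if not (len(account) == 12 and account.isdigit()):
        return False
    return resource.startswith("user/") and resource != "user/" and "*" not in resource


def add_local_tester(trust_policy, user_arn):
    """Return a copy of trust_policy with the guide's AssumeRole statement for
    user_arn appended. Adding the same user twice leaves the policy unchanged."""
    if not is_specific_iam_user_arn(user_arn):
        raise ValueError(f"refusing to trust non-specific principal: {user_arn}")
    updated = copy.deepcopy(trust_policy)
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": user_arn},
        "Action": "sts:AssumeRole",
    }
    if statement not in updated["Statement"]:
        updated["Statement"].append(statement)
    return updated


def credentials_uri_for_role(role_arn_or_name):
    """Value for AWS_CONTAINER_CREDENTIALS_RELATIVE_URI: '/role/<role name>'.
    Accepts either a bare role name or a full arn:aws:iam::<acct>:role/<name>."""
    name = role_arn_or_name.rsplit("/", 1)[-1]
    return f"/role/{name}"


def main():
    # Constructed user ARN, standing in for the sts get-caller-identity output.
    tester = "arn:aws:iam::123456789012:user/local-tester"
    policy = add_local_tester(SAMPLE_TRUST_POLICY, tester)
    print(json.dumps(policy, indent=2))
    print(credentials_uri_for_role("arn:aws:iam::123456789012:role/ecs_task_role"))


if __name__ == "__main__":
    main()
```

Feed the returned document to `aws iam update-assume-role-policy` for the testing role only; the rejection of `*` and `:root` principals is what keeps this from quietly turning the role into one any identity in the account can assume.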
I am deploying a project with the Serverless framework that includes different resources (a Lambda function, Cognito user pool, Cognito identity pool, etc.).

For a previous project, we created from the console (so manually) the configuration for a second API Gateway (in addition to the one that we configured with Serverless on the Lambda) to just be the proxy for our S3 bucket, so we were able to add and get files from the bucket without using the Lambda.

Now I want to do the exact same thing in this new project, but instead of making the second API Gateway manually from the console, is there a way to declare this proxy directly from the Serverless configuration?

I searched for different solutions, but I didn't find any guide for this.

What I'm trying to do in the configuration is what this Amazon guide explains.
You can use this plugin, which allows setting up API Gateway service proxies very easily (I'm one of the collaborators).

serverless.yml example:

```yaml
service: s3-proxy

provider:
  name: aws
  runtime: nodejs10.x

plugins:
  - serverless-apigateway-service-proxy

custom:
  apiGatewayServiceProxies:
    - s3:
        path: /s3/{key}
        method: post
        action: PutObject
        bucket:
          Ref: S3Bucket
        key:
          pathParam: key
        cors: true

resources:
  Resources:
    S3Bucket:
      Type: 'AWS::S3::Bucket'
```
Using the AWS CLI I'm trying to run

```shell
aws cloudformation create-stack --stack-name FullstackLambda --template-url https://s3-us-west-2.amazonaws.com/awsappsync/resources/lambda/LambdaCFTemplate.yam --capabilities CAPABILITY_NAMED_IAM --region us-west-2
```

but I get the error

```
An error occurred (ValidationError) when calling the CreateStack operation: S3 error: Access Denied
```

I have already set my credentials with

```shell
aws configure
```

PS: I got the create-stack command from the AppSync docs (https://docs.aws.amazon.com/appsync/latest/devguide/tutorial-lambda-resolvers.html)
Looks like you accidentally skipped the letter l at the end of the template file name:

LambdaCFTemplate.yam -> LambdaCFTemplate.yaml
First make sure the S3 URL is correct. But since this is a 403, I doubt that's the case.

Yours could result from a few different scenarios.

1. If both APIs and IAM user are MFA protected, you have to generate temporary credentials using aws sts get-session-token and use them.
2. Use a role to provide CloudFormation read access to the template object in S3. First create an IAM role with read access to S3. Then create a parameter like below and ref it in the resource properties IamInstanceProfile block.

```json
"InstanceProfile": {
  "Description": "Instance Profile Name",
  "Type": "String",
  "Default": "iam-test-role"
}
```