Tuesday, January 24, 2023

Handler Errors and resolutions continued.

This post continues the list of errors encountered, and their resolutions, when deploying a function handler in the AWS cloud. The first part of the article is linked here; this is the second part.

One of the more troublesome errors is the handler failing to put objects into an S3 bucket. The error returned is usually "403 Forbidden", and it persists even for the bucket administrator and with seemingly sound bucket policies.

It might seem surprising that even the bucket owner cannot always get a bucket policy to work, but it follows from how buckets are created: a new bucket is private, it has no bucket policy, and every request that no policy explicitly allows is denied. The handler's execution role therefore needs an explicit allow, from its own identity policy or from the bucket policy, and an explicit deny anywhere in the chain overrides every allow. Clearing the existing bucket policy before authoring a new one is sometimes the only resolution, even when the bucket owner is an administrator of the AWS account. If read or write access to the bucket fails, check the following to resolve the dreaded "403 Forbidden" error:

  1. Permissions are missing for s3:PutObject to add an object, or for s3:PutObjectAcl to modify the object's ACL.

  2. The requester does not have permission to use the AWS Key Management Service (AWS KMS) key that encrypts the bucket.

  3. There is an explicit deny statement in the bucket policy.

  4. Amazon S3 Block Public Access is enabled and the request sets a public ACL.

  5. The bucket access control list does not allow the AWS account root user to write objects.

  6. The AWS Organizations service control policy does not allow access to Amazon S3.


One way to resolve this error is to clear the existing bucket policy. There are two ways to do this:

First, sign in to the AWS Management Console as the account root user, which may be a different identity from an administrator holding AmazonS3FullAccess. A bucket policy with an explicit deny can lock out every IAM principal, administrators included, and the root user is the one identity that can still delete such a policy from the console. That is why this step is not available to everyone.

Second, if the identity you are using is still allowed s3:DeleteBucketPolicy, use the command-line interface:

aws s3api delete-bucket-policy --bucket <bucketName> --debug

This also clears the existing bucket policy. The --debug flag prints the signed request and the raw response, so if the call is refused you can see which identity it was made with and the error S3 returned.
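To make the checklist above and the effect of clearing the bucket policy concrete, here is an added example that is not code from the post: a small offline evaluator that applies IAM's deny-overrides-allow rule to a handler's execution role, a bucket policy and a KMS key policy, and reports which of checks 1 to 4 would produce the 403. The account ID, role, bucket, key ARN and all policies are constructed for illustration; policy conditions, bucket ACLs (check 5) and cross-account requests are not modelled, and an SCP's deny statements (check 6) can be passed in alongside the identity policy.

```python
"""Offline triage of an S3 "403 Forbidden" against the checklist above. Added
example, not the post's code: an explicit Deny anywhere wins, otherwise some
Allow must match, otherwise the request is implicitly denied (conditions ignored)."""
from fnmatch import fnmatchcase

def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]

def _matches(patterns, value):
    """IAM-style wildcard match (* and ?) for Action/Resource/Principal strings."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def _principal_matches(principal, arn):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return aws == "*" or _matches(aws, arn)
    return False          # Service/Federated principals are not modelled

def _applies(stmt, action, resource, arn, is_resource_policy):
    """Does this statement cover the request? (NotAction/NotResource/NotPrincipal are not modelled.)"""
    if not _matches(stmt.get("Action"), action):
        return False
    if not _matches(stmt.get("Resource"), resource):
        return False
    if not is_resource_policy:          # identity policies carry no Principal
        return True
    return _principal_matches(stmt.get("Principal"), arn)

def evaluate(action, resource, arn, identity_policies, resource_policies):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one same-account request."""
    allowed = False
    for is_resource, policies in ((False, identity_policies), (True, resource_policies)):
        for policy in policies:
            for stmt in _as_list(policy.get("Statement")):
                if _applies(stmt, action, resource, arn, is_resource):
                    if stmt.get("Effect") == "Deny":
                        return "ExplicitDeny"
                    allowed = allowed or stmt.get("Effect") == "Allow"
    return "Allow" if allowed else "ImplicitDeny"

def _kms_verdict(action, key_arn, arn, identity_policies, key_policy):
    """KMS differs from S3: the key policy must name the caller directly, or name
    the account root (delegating to IAM) and an identity policy must then allow."""
    direct = evaluate(action, key_arn, arn, [], [key_policy])
    if direct != "ImplicitDeny":
        return direct
    root = f"arn:aws:iam::{arn.split(':')[4]}:root"
    if evaluate(action, key_arn, root, [], [key_policy]) == "Allow":
        return evaluate(action, key_arn, arn, identity_policies, [])
    return "ImplicitDeny"

def diagnose(role_arn, bucket, key, identity_policies, bucket_policy=None, acl=None,
             public_access_block=None, kms_key_arn=None, kms_key_policy=None):
    """Walk checks 1-4 of the list and return the findings as strings."""
    obj = f"arn:aws:s3:::{bucket}/{key}"
    resource_policies = [bucket_policy] if bucket_policy else []
    findings = []
    for act in ["s3:PutObject"] + (["s3:PutObjectAcl"] if acl else []):
        verdict = evaluate(act, obj, role_arn, identity_policies, resource_policies)
        if verdict != "Allow":
            findings.append(f"{act}: {verdict}")
    if kms_key_policy is not None:                     # SSE-KMS upload needs a data key
        verdict = _kms_verdict("kms:GenerateDataKey", kms_key_arn, role_arn,
                               identity_policies, kms_key_policy)
        if verdict != "Allow":
            findings.append(f"kms:GenerateDataKey on {kms_key_arn}: {verdict}")
    if acl in ("public-read", "public-read-write", "authenticated-read") and \
            (public_access_block or {}).get("BlockPublicAcls"):
        findings.append(f"ACL {acl} rejected: BlockPublicAcls is on")
    return findings

# Constructed sample inputs: hypothetical account, role, bucket, key and policies.
ROLE = "arn:aws:iam::123456789012:role/handler-role"
BUCKET, KEY_ARN = "handler-output-bucket", "arn:aws:kms:us-east-1:123456789012:key/1111-2222"
ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["s3:PutObject", "s3:PutObjectAcl"],
                              "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}
# The lock-out case from the post: a Deny for every principal, which an admin's
# AmazonS3FullAccess cannot override; only removing the policy clears it.
LOCKING_BUCKET_POLICY = {"Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
                                        "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}
# Key policy that delegates to the account root only, so the role needs its own IAM allow.
KEY_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                             "Action": "kms:*", "Resource": "*"}]}

def before_fix():
    return diagnose(ROLE, BUCKET, "out/result.json", [ROLE_POLICY], LOCKING_BUCKET_POLICY,
                    acl="public-read", public_access_block={"BlockPublicAcls": True},
                    kms_key_arn=KEY_ARN, kms_key_policy=KEY_POLICY)

def after_fix():
    """Bucket policy cleared (as delete-bucket-policy does), KMS allow added, no public ACL."""
    role_policy = {"Statement": ROLE_POLICY["Statement"] + [
        {"Effect": "Allow", "Action": "kms:GenerateDataKey", "Resource": KEY_ARN}]}
    return diagnose(ROLE, BUCKET, "out/result.json", [role_policy], None,
                    kms_key_arn=KEY_ARN, kms_key_policy=KEY_POLICY)

if __name__ == "__main__": print(before_fix(), after_fix())
```

Running it reports three findings for the starting state (the explicit deny on s3:PutObject, the missing kms:GenerateDataKey grant, and the public ACL blocked by Block Public Access) and none once the bucket policy is gone and the role has its KMS allow, which is the same ordering of checks you would follow by hand with get-bucket-policy, get-public-access-block and the key's get-key-policy output.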
