I'm trying to add tags to objects added in S3 for a particular Prefix.
    {
      "Records": [
        .......... JUNK METADATA ..........
          "s3": {
            "s3SchemaVersion": "1.0",
            "configurationId": "#####",
            "bucket": {
              "name": "testlambdatagging",
              "ownerIdentity": {
                "principalId": "#######"
              },
              "arn": "arn:aws:s3:::testlambdatagging"
            },
            "object": {
              "key": "PREFIX/starshipBlack.png",
              "size": 512822,
              "eTag": "#########",
              "sequencer": "#########"
            }
          }
        }
      ]
    }
So ideally, when I add "starshipBlack.png" @ testlambdatagging/PREFIX in S3, the lambda function will be triggered and the tags for this file will be added.
But the problem is that I keep getting the following error when the lambda is triggered:
    An error occurred (AccessDenied) when calling the GetObjectTagging operation: Access Denied
The code is failing at s3_cl.get_object_tagging.
My code looks like this:
    import boto3
    import json

    s3_cl = boto3.client('s3')

    def lambda_handler(event, context):
        try:
            # Bucket and object key come from the S3 event notification.
            bucket_name = event["Records"][0]["s3"]["bucket"]["name"]
            bucket_object = event["Records"][0]["s3"]["object"]["key"]

            # Read the object's current tag set (this is the call that fails).
            object_tags = s3_cl.get_object_tagging(
                Bucket=bucket_name,
                Key=bucket_object,
            )

            new_key = "newKey2"
            new_value = "newValue2"
            new_dict = {'Key' : new_key, 'Value' : new_value}

            # Append the new tag to the existing tags and write the set back.
            old_tags = object_tags['TagSet']
            new_tags = old_tags
            new_tags.append(new_dict)
            put_tags_response = s3_cl.put_object_tagging(
                Bucket=bucket_name,
                Key=bucket_object,
                Tagging={
                    'TagSet': new_tags
                }
            )
            return
        except Exception as e:
            print(e)
            raise e
            return
My IAM Policy for the bucket is:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:GetObjectTagging",
            "s3:ListBucket",
            "s3:PutObjectTagging",
            "s3:GetBucketLocation"
          ],
          "Resource": [
            "arn:aws:s3:::testlambdatagging/PREFIX",
            "arn:aws:s3:::testlambdatagging/PREFIX/*"
          ]
        }
      ]
    }
Can someone please help me understand what I am missing?
I've read multiple solutions which say that I need to add "s3:GetObjectTagging" to my IAM Policy, which I have added.
Question from:
https://stackoverflow.com/questions/65848622/when-calling-the-getobjecttagging-operation-access-denied
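An offline check of which requests the policy statement in the question actually covers, given the bucket and key from the posted event. This is an added example, not part of the original question; the helper names (`wildcard_match`, `request_arn`, `statement_allows`, `coverage`) and the `BUCKET_LEVEL` set are this example's own. It assumes a single identity-policy statement with no conditions and models only the five actions listed in the post.

```python
import re
from urllib.parse import unquote_plus

# Constructed from the policy statement posted in the question.
STATEMENT = {
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:GetObjectTagging", "s3:ListBucket",
               "s3:PutObjectTagging", "s3:GetBucketLocation"],
    "Resource": ["arn:aws:s3:::testlambdatagging/PREFIX",
                 "arn:aws:s3:::testlambdatagging/PREFIX/*"],
}

# Actions S3 authorizes against the bucket ARN rather than an object ARN.
BUCKET_LEVEL = {"s3:ListBucket", "s3:GetBucketLocation"}

def wildcard_match(pattern, value):
    """IAM-style match: '*' is any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None

def request_arn(action, bucket, event_key):
    """ARN the request is checked against. Keys in S3 event
    notifications are URL-encoded, so decode before building the ARN."""
    if action in BUCKET_LEVEL:
        return f"arn:aws:s3:::{bucket}"
    return f"arn:aws:s3:::{bucket}/{unquote_plus(event_key)}"

def statement_allows(statement, action, bucket, event_key):
    """True if this one Allow statement covers the request."""
    if statement["Effect"] != "Allow":
        return False
    if not any(wildcard_match(a, action) for a in statement["Action"]):
        return False
    arn = request_arn(action, bucket, event_key)
    return any(wildcard_match(r, arn) for r in statement["Resource"])

def coverage(statement, bucket, event_key):
    """Map each listed action to whether the statement covers it."""
    return {a: statement_allows(statement, a, bucket, event_key)
            for a in statement["Action"]}

if __name__ == "__main__":
    result = coverage(STATEMENT, "testlambdatagging", "PREFIX/starshipBlack.png")
    for action, covered in result.items():
        print(f"{action:24} {'covered' if covered else 'NOT covered'}")
```

A `covered` result means only that the statement's text matches the request; it does not model a bucket policy, an explicit Deny, or whether the policy is attached to the role the function runs as.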