Configuring Amazon S3 Files access - AWS Lambda
Prerequisites and setupExecution role and user permissionsConnecting to a file system (console)
Services or capabilities described in AWS documentation might vary by Region. To see the differences applicable to the AWS European Sovereign Cloud Region, see the AWS European Sovereign Cloud User Guide.

Configuring Amazon S3 Files access

Amazon S3 Files delivers a shared file system that connects any AWS compute resource directly with your data in Amazon S3. Amazon S3 Files provides access to your Amazon S3 objects as files using standard file system operations such as read and write on the local mount path. Learn more about Amazon S3 Files.

Prerequisites and setup

Before you set up Amazon S3 Files with your Lambda function, make sure you have the following:

  • An Amazon S3 file system and mount targets in available state in the same account and AWS Region as your Lambda function.

  • A Lambda function in the same VPC as the mount target. You must have a mount target in each subnet where your function is deployed.

  • Security groups that allow NFS traffic (port 2049) between your Lambda function and the mount targets. Learn more about configuring security groups.

For more information, see the following topics in the Amazon S3 User Guide:

Execution role and user permissions

Your function's execution role must have the following permissions to access an Amazon S3 Files file system:

Execution role permissions

  • s3files:ClientMount – Required to mount the file system.

  • s3files:ClientWrite – Required for read-write access. Not needed for read-only connections.

These permissions are included in the AmazonS3FilesClientReadWriteAccess managed policy. Additionally, your execution role must have the permissions required to connect to the file system's VPC.

Note

Amazon S3 Files optimizes throughput by reading directly from Amazon S3. Direct reads from Amazon S3 are supported only for functions configured with 512 MB or more of memory.

Your function also needs the following permissions to read directly from Amazon S3:

  • s3:GetObject

  • s3:GetObjectVersion

For more information about required permissions, see IAM permissions for Amazon S3 Files in the Amazon S3 User Guide.

When you configure a file system in the console, Lambda uses your permissions to verify mount targets and access points. To configure a function to connect to a file system, your user needs the following permissions:

User permissions

  • s3files:ListFileSystems

  • s3files:ListAccessPoints

  • s3files:GetFileSystem

  • s3files:GetAccessPoint

  • s3files:CreateAccessPoint – Needed if attaching the file system to the function from the console.

The following example policy grants your function's execution role permissions to mount an Amazon S3 file system with read-write access and read directly from Amazon S3.

{
    "Version": "2012-10-17", 
    "Statement": [
        {
            "Sid": "S3FilesLambdaAccess",
            "Effect": "Allow",
            "Action": [
                "s3files:ClientMount",
                "s3files:ClientWrite"
            ],
            "Resource": "*"
        },
        {
            "Sid": "S3DirectRead",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::bucket-name/*"
        },
        {
            "Sid": "S3FilesConsoleSetup",
            "Effect": "Allow",
            "Action": [
                "s3files:ListFileSystems",
                "s3files:ListAccessPoints",
                "s3files:GetFileSystem",
                "s3files:GetAccessPoint",
                "s3files:CreateAccessPoint"
            ],
            "Resource": "*"
        }
    ]
}

Connecting to a file system (console)

A function connects to a file system over the local network in a VPC. The subnets that your function connects to can be the same subnets that contain mount points for your file system, or subnets in the same Availability Zone that can route NFS traffic (port 2049) to the file system.

Note

If your function is not already connected to a VPC, see Giving Lambda functions access to resources in an Amazon VPC.

To configure S3 Files access

  1. Open the Functions page of the Lambda console.

  2. Choose a function.

  3. Choose Configuration, then choose File systems.

  4. Choose Add file system (or Edit to modify an existing configuration).

  5. Select S3 Files.

  6. Configure the following properties:

    • S3 file system – Choose a file system from the dropdown.

    • Access point (optional) – Choose an access point. If the file system has no access points, Lambda automatically creates one when you save (UID/GID 1000:1000, root directory /lambda, permissions 755). If access points exist, you must select one.

    • Local mount path – The location where the file system is mounted on the Lambda function, starting with /mnt/.

  7. Choose Save.

Your file system will be attached the next time you invoke your Lambda function.