Reputation: 2620
I am trying to give myself permission to download existing files in an S3 bucket. I've modified the Bucket Policy, as follows:
{
    "Sid": "someSID",
    "Action": "s3:*",
    "Effect": "Allow",
    "Resource": "arn:aws:s3:::bucketname/AWSLogs/123123123123/*",
    "Principal": {
        "AWS": [
            "arn:aws:iam::123123123123:user/myuid"
        ]
    }
}
My understanding is that addition to the policy should give me full rights to "bucketname" for my account "myuid", including all files that are already in that bucket. However, I'm still getting Access Denied errors when I try to download any of those files via the link that comes up in the console.
Any thoughts?
Upvotes: 65
Views: 233952
Reputation: 21946
If you're like me, and you've encountered this problem either because you work for an organization that has already set up the IAM policies beforehand, and/or you are sitting in for an AWS admin who is out on vacation and you can't figure out why a new user is getting this error, it may be because your organization has set up a policy to explicitly deny access.
Our particular organization has an AWS IAM policy called MFA-required-policy that has an "Effect": "Deny" on nearly all actions if "aws:MultiFactorAuthPresent": "false". Situations similar to this would seem like a pretty common use case, so be sure to check for other existing policies that deny access!
Upvotes: 0
Reputation: 1493
Since the recent update you need to change it slightly. Here's the code I used which seems to work (at least for now).
Reason you need to do this: https://docs.aws.amazon.com/AmazonS3/latest/userguide/troubleshoot-403-errors.html
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "Stmt1350703615347",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::240479180938:user/YOURUSER"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::YOURBUCKET/*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::240479180938:user/YOURUSER"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::YOURBUCKET",
            "Condition": {}
        }
    ]
}
Upvotes: 0
Reputation: 789
This can also happen if the encryption algorithm in the S3 parameters is missing. If the bucket's default encryption is enabled, e.g. Amazon S3-managed keys (SSE-S3), you need to pass ServerSideEncryption: "AES256"|"aws:kms"|string in your bucket's params.
const AWS = require("aws-sdk"); // v2 SDK, which exposes .promise()
const S3 = new AWS.S3();

async function upload(BUCKET_NAME, fileKey, content) {
    const params = {
        Bucket: BUCKET_NAME,
        Body: content,
        Key: fileKey,
        ContentType: "audio/m4a",
        ServerSideEncryption: "AES256" // Here ..
    };
    return S3.putObject(params).promise();
}
Upvotes: 1
Reputation: 4986
No one mentioned MFA. For Amazon users who have enabled MFA, please use this:
aws s3 ls s3://bucket-name --profile mfa
And prepare the profile mfa first by running
aws sts get-session-token --serial-number arn:aws:iam::123456789012:mfa/user-name --token-code 928371 --duration-seconds 129600
(replace 123456789012, user-name and 928371).
Upvotes: 1
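The answer above stops at get-session-token; the temporary credentials it prints still have to be turned into the mfa profile that --profile mfa refers to. The following Python is an added example (not code from the answer or from AWS) that upserts those credentials into an AWS credentials file without clobbering other profiles and with the file kept at mode 0600. The JSON sample is a constructed stand-in for the command's output with fake key material; only the field names are real.

```python
import configparser
import json
import os
import tempfile
from pathlib import Path

# Constructed stand-in for `aws sts get-session-token --output json`; the key
# material is fake and only the field names follow the real output.
SAMPLE_STS_OUTPUT = json.dumps({"Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEYID0001",
    "SecretAccessKey": "EXAMPLESECRETKEYNOTREAL00000000000000000",
    "SessionToken": "EXAMPLESESSIONTOKEN.NOTREAL",
    "Expiration": "2024-01-01T12:00:00+00:00"}})


def write_mfa_profile(sts_json, credentials_path, profile="mfa"):
    """Upsert the temporary credentials into an AWS credentials file under
    [profile]; other profiles in the file are preserved. Returns the expiry."""
    creds = json.loads(sts_json)["Credentials"]
    path = Path(credentials_path)
    cfg = configparser.ConfigParser()
    if path.exists():
        cfg.read(path)
    if not cfg.has_section(profile):
        cfg.add_section(profile)
    cfg[profile]["aws_access_key_id"] = creds["AccessKeyId"]
    cfg[profile]["aws_secret_access_key"] = creds["SecretAccessKey"]
    cfg[profile]["aws_session_token"] = creds["SessionToken"]
    path.parent.mkdir(parents=True, exist_ok=True)
    # Create with 0600 so the session token is never world-readable, even briefly.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        cfg.write(fh)
    os.chmod(path, 0o600)
    return creds["Expiration"]


def read_profile(credentials_path, profile="mfa"):
    """Return the key/value pairs of one profile, or None if it is absent."""
    cfg = configparser.ConfigParser()
    cfg.read(credentials_path)
    return dict(cfg[profile]) if cfg.has_section(profile) else None


def demo():
    """Write the sample credentials next to an existing [default] profile in a
    temporary directory and return what ended up in the file."""
    path = Path(tempfile.mkdtemp()) / "credentials"
    path.write_text("[default]\naws_access_key_id = AKIADEFAULTEXAMPLE\n")
    expiry = write_mfa_profile(SAMPLE_STS_OUTPUT, path)
    return {"expiry": expiry,
            "mfa": read_profile(path),
            "default": read_profile(path, "default"),
            "mode": oct(path.stat().st_mode & 0o777)}


if __name__ == "__main__":
    # usage: aws sts get-session-token ... --output json | python mfa_profile.py
    import sys
    target = Path.home() / ".aws" / "credentials"
    print("profile mfa valid until", write_mfa_profile(sys.stdin.read(), target))
```

Pipe the real get-session-token output into the script and the [mfa] section is created or refreshed in place; an expired session shows up as an "ExpiredToken" error rather than Access Denied, so the expiry it prints is worth keeping in view.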
Reputation: 4718
Step 1
Click on your bucket name, and under the permissions tab, make sure that Block new public bucket policies is unchecked
Step 2
Then you can apply your bucket policy
Hope that helps
Upvotes: 53
Reputation: 31
If you have an encrypted bucket, you will need kms allowed.
Upvotes: 3
Reputation: 961
Giving public access to the bucket in order to add a policy is NOT the right way. This exposes your bucket to the public, even if only for a short amount of time.
You will face this error even if you have admin access (the root user will not). According to the AWS documentation you have to add "PutBucketPolicy" to your IAM user.
So simply add an S3 policy to your IAM user as in the screenshot below; specify your bucket ARN to make it safer, and you won't have to make your bucket public again.
Upvotes: 1
Reputation: 1291
Possible reason: if files have been put/copied by a user from another AWS account, you cannot access the file, since the file owner is still not you. The user from the other AWS account who placed the files in your directory has to grant access during the put or copy operation.
For a put operation, the object owner can run this command:
aws s3api put-object --bucket destination_awsexamplebucket --key dir-1/my_images.tar.bz2 --body my_images.tar.bz2 --acl bucket-owner-full-control
For a copy operation of a single object, the object owner can run this command:
aws s3api copy-object --bucket destination_awsexamplebucket --copy-source source_awsexamplebucket/myobject --key source_awsexamplebucket/myobject --acl bucket-owner-full-control
ref: AWS Link
Upvotes: 2
Reputation: 4651
For a static website hosted in S3, this is the bucket policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::example-bucket/*"]
        }
    ]
}
Upvotes: 11
Reputation: 660
Go to this link and generate a policy.
In the Principal field give *.
In the Actions set Get Objects.
Give the ARN as arn:aws:s3:::<bucket_name>/*.
Then add the statement and generate the policy; you will get a JSON document. Copy it and paste it into the Bucket Policy.
For more details go here.
Upvotes: -1
Reputation: 4041
Use the method below to upload any file in publicly readable form using TransferUtility in Android.
transferUtility.upload(String bucketName, String key, File file, CannedAccessControlList cannedAcl)
Example
transferUtility.upload("MY_BUCKET_NAME", "FileName", your_file, CannedAccessControlList.PublicRead);
Upvotes: 5
Reputation: 1617
To clarify: it is really not documented well, but you need two access statements.
In addition to your statement that allows actions on the resource "arn:aws:s3:::bucketname/AWSLogs/123123123123/*", you also need a second statement that allows ListBucket on "arn:aws:s3:::bucketname", because internally the AWS client will try to list the bucket to determine that it exists before doing its action.
With the second statement, it should look like:
"Statement": [
    {
        "Sid": "someSID",
        "Action": "ActionThatYouMeantToAllow",
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::bucketname/AWSLogs/123123123123/*",
        "Principal": {
            "AWS": [
                "arn:aws:iam::123123123123:user/myuid"
            ]
        }
    },
    {
        "Sid": "someOtherSID",
        "Action": "s3:ListBucket",
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::bucketname",
        "Principal": {
            "AWS": [
                "arn:aws:iam::123123123123:user/myuid"
            ]
        }
    }
]
Note: If you're using IAM, skip the "Principal" part.
Upvotes: 3
Reputation: 6187
David, You are right but I found that, in addition to what bennie said below, you also have to grant view (or whatever access you want) to 'Authenticated Users'.
But a better solution might be to edit the user's policy to just grant access to the bucket:
{
    "Statement": [
        {
            "Sid": "Stmt1350703615347",
            "Action": [
                "s3:*"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::mybucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": ["arn:aws:s3:::mybucket"],
            "Condition": {}
        }
    ]
}
The first block grants all S3 permissions to all elements within the bucket. The second block grants list permission on the bucket itself.
Upvotes: 23
Reputation: 739
Change the resource arn:aws:s3:::bucketname/AWSLogs/123123123123/* to arn:aws:s3:::bucketname/* to have full rights to bucketname.
Upvotes: 11
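Three of the answers above describe the same evaluation rules from different angles: an explicit Deny (the MFA-required policy) beats any Allow; s3:ListBucket must be granted on the bucket ARN itself, not on bucketname/*; and a Resource scoped to AWSLogs/123123123123/* covers nothing outside that prefix. The following Python is an added example (not code from any answer here, and not AWS's evaluation engine) that models just enough of IAM to reproduce those outcomes locally: Action/NotAction, Resource and Principal wildcards, and Bool/StringEquals conditions with their IfExists forms. The ARNs and object keys reuse the question's placeholders, and the MFA deny policy is a simplified stand-in for the organisation policy described, not its actual text.

```python
import fnmatch


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob_any(patterns, value, fold_case=False):
    """True if value matches any IAM-style wildcard pattern (* and ?)."""
    patterns = _as_list(patterns)
    if fold_case:  # action names match case-insensitively, ARNs do not
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _principal_matches(stmt, principal_arn):
    """Identity policies carry no Principal; bucket policies must name one."""
    if "Principal" not in stmt:
        return True
    principal = stmt["Principal"]
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    return "*" in aws or principal_arn in aws


def _action_matches(stmt, action):
    if "NotAction" in stmt:
        return not _glob_any(stmt["NotAction"], action, fold_case=True)
    return _glob_any(stmt.get("Action"), action, fold_case=True)


def _condition_ok(condition, context):
    """Bool / StringEquals and their IfExists forms; anything else is refused."""
    for operator, pairs in (condition or {}).items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        if base not in ("Bool", "StringEquals"):
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if key not in context:
                if if_exists:
                    continue
                return False
            if str(context[key]).lower() not in {str(v).lower() for v in _as_list(expected)}:
                return False
    return True


def evaluate(policies, principal_arn, action, resource, context=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request.
    `policies` is every policy in scope (identity policies plus the bucket
    policy); a matching Deny wins outright, then any matching Allow."""
    context = context or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if (_principal_matches(stmt, principal_arn)
                    and _action_matches(stmt, action)
                    and _glob_any(stmt.get("Resource"), resource)
                    and _condition_ok(stmt.get("Condition"), context)):
                if stmt.get("Effect") == "Deny":
                    return "ExplicitDeny"
                decision = "Allow"
    return decision


def bucket_policy_for_user(bucket, user_arn, prefix=""):
    """Object actions on bucket/<prefix>* plus s3:ListBucket on the bucket ARN."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ObjectAccess", "Effect": "Allow", "Principal": {"AWS": user_arn},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
        {"Sid": "ListBucket", "Effect": "Allow", "Principal": {"AWS": user_arn},
         "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{bucket}"}]}


# Constructed demo data: the question's statement wrapped in a policy, plus a
# simplified stand-in for the organisation-wide MFA deny described above.
USER = "arn:aws:iam::123123123123:user/myuid"
BUCKET_ARN = "arn:aws:s3:::bucketname"
LOG_OBJECT = "arn:aws:s3:::bucketname/AWSLogs/123123123123/2024/trail.json.gz"
OTHER_OBJECT = "arn:aws:s3:::bucketname/reports/q1.csv"
OP_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "someSID", "Effect": "Allow", "Principal": {"AWS": [USER]},
     "Action": "s3:*", "Resource": "arn:aws:s3:::bucketname/AWSLogs/123123123123/*"}]}
MFA_DENY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyAllWithoutMFA", "Effect": "Deny", "Resource": "*",
     "NotAction": ["iam:*", "sts:GetSessionToken"],
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}


def demo():
    """Run the thread's scenarios through the evaluator and return the verdicts."""
    fixed = bucket_policy_for_user("bucketname", USER, prefix="AWSLogs/123123123123/")
    both = [OP_BUCKET_POLICY, MFA_DENY_POLICY]
    return {
        "op_get_log_object": evaluate([OP_BUCKET_POLICY], USER, "s3:GetObject", LOG_OBJECT),
        "op_get_other_key": evaluate([OP_BUCKET_POLICY], USER, "s3:GetObject", OTHER_OBJECT),
        "op_list_bucket": evaluate([OP_BUCKET_POLICY], USER, "s3:ListBucket", BUCKET_ARN),
        "fixed_list_bucket": evaluate([fixed], USER, "s3:ListBucket", BUCKET_ARN),
        "mfa_absent": evaluate(both, USER, "s3:GetObject", LOG_OBJECT, {"aws:MultiFactorAuthPresent": False}),
        "mfa_present": evaluate(both, USER, "s3:GetObject", LOG_OBJECT, {"aws:MultiFactorAuthPresent": True}),
    }
```

Running demo() reproduces the thread: the original statement allows GetObject under the AWSLogs prefix but implicitly denies both other keys and ListBucket on the bucket ARN, the two-statement policy fixes ListBucket, and the MFA deny turns an otherwise allowed read into an explicit deny whenever the MFA context key is false. For the real thing use the IAM policy simulator, which also accounts for SCPs, permission boundaries and the condition operators this toy refuses.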