Reputation: 1128
I am trying to copy some files from my EC2 instance to S3 and am using the following command:

    s3cmd put datafile s3://mybucket/datafile

and get the following error:

    ERROR: S3 error: Access Denied

I have the following IAM policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:*",
                    "s3:ListAllMyBuckets",
                    "s3:ListBucket"
                ],
                "Resource": "*"
            }
        ]
    }

S3 Bucket Policy for mybucket:

    {
        "Version": "2008-10-17",
        "Id": "backupPolicy",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::xxxxx:user/xxxx"
                },
                "Action": [
                    "s3:ListBucket",
                    "s3:PutObjectAcl",
                    "s3:PutObject"
                ],
                "Resource": [
                    "arn:aws:s3:::mybucket/*",
                    "arn:aws:s3:::mybucket"
                ]
            }
        ]
    }

I am not sure what I am doing wrong. s3cmd ls s3://mybucket works fine.
I tried searching on SO for this issue, but all the posts basically ask you to add the IAM policy, which I already have.
Upvotes: 1
Views: 2568
Reputation: 428
The user IAM policy needs the permissions to read/write, not (just) the bucket. AWS will always apply the more restrictive policies, and defaults to an implicit "deny".
I've found bucket policies are better suited for public access (i.e. serving assets to the world), not restricting the principal. When you start combining bucket + user policies, complications arise, and it's often much easier to manage the user end.
Upvotes: 1
Reputation: 10088
I think you need to have write permissions for IAM in addition to List:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:*",
                    "s3:ListAllMyBuckets",
                    "s3:ListBucket"
                ],
                "Resource": "*"
            },
            {
                "Sid": "Stmt1406613887001",
                "Effect": "Allow",
                "Action": [
                    "s3:*"
                ],
                "Resource": [
                    "arn:aws:s3:::mybucket",
                    "arn:aws:s3:::mybucket/*"
                ]
            }
        ]
    }

Upvotes: 1
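
An added example (not code from the question or either answer): a simplified Python check of which S3 actions each IAM user policy on this page grants for mybucket, next to a narrower policy constructed here for comparison. It evaluates identity policy statements only and ignores Condition, NotAction and the bucket policy; SCOPED_POLICY and the function names are assumptions for illustration.

```python
import re

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _match(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def identity_allows(policy, action, resource):
    """Simplified: explicit Deny wins, then any Allow, else implicit deny."""
    allowed = False
    for st in _as_list(policy["Statement"]):
        hit = (any(_match(a, action, True) for a in _as_list(st["Action"]))
               and any(_match(r, resource) for r in _as_list(st["Resource"])))
        if hit and st["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and st["Effect"] == "Allow")
    return allowed

BUCKET, OBJECT = "arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/datafile"
BASE = {"Effect": "Allow", "Resource": "*",
        "Action": ["ec2:*", "s3:ListAllMyBuckets", "s3:ListBucket"]}
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [BASE]}
ANSWER_POLICY = {"Version": "2012-10-17", "Statement": [
    BASE, {"Effect": "Allow", "Action": ["s3:*"], "Resource": [BUCKET, BUCKET + "/*"]}]}
# Constructed for comparison: only the write actions the bucket policy on the page lists.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    BASE, {"Effect": "Allow", "Action": ["s3:PutObject", "s3:PutObjectAcl"],
           "Resource": BUCKET + "/*"}]}

CHECKS = [("s3:ListBucket", BUCKET), ("s3:PutObject", OBJECT),
          ("s3:DeleteObject", OBJECT), ("s3:DeleteBucket", BUCKET)]

def grants(policy):
    # Map each checked action to whether the identity policy allows it.
    return {action: identity_allows(policy, action, res) for action, res in CHECKS}

if __name__ == "__main__":
    for name, pol in [("question", QUESTION_POLICY), ("answer", ANSWER_POLICY),
                      ("scoped", SCOPED_POLICY)]:
        print(name, grants(pol))
```

The s3:* statement also grants s3:DeleteObject and s3:DeleteBucket on mybucket, while the scoped variant grants the upload actions without them.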