Reputation: 89
I want to download the whole bucket to a local directory. I tried:
aws s3 sync s3://my-bucket-name . --profile default
I got an authentication error:
download failed: s3://my-bucket-name/thumbnail.jpg to path to local/thumbnail.jpg A client error (Unknown) occurred when calling the GetObject operation: Unknown
I believe my IAM is configured correctly, as it gives full access to S3 buckets. It works when I try another command, such as:
aws s3 ls
My inline policy for the IAM user is:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::*"]
    }
  ]
}
Did I miss something in this setup?
Upvotes: 1
Views: 222
Reputation: 1620
You could use the following policy if you want to access via the CLI as well as the web console and restrict the bucket to the user and some basic actions on it:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::YOURBUCKET"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:ListObjects"
      ],
      "Resource": [
        "arn:aws:s3:::YOURBUCKET/*"
      ]
    }
  ]
}
Upvotes: 1
Reputation: 14523
There is an issue in the policy. Change the policy to the one below.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::*"
    }
  ]
}
If you want the user to access just one bucket, then use the policy below.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::name-of-bucket/*"
    }
  ]
}
Upvotes: 0