Joshua Foxworth

Reputation: 1397

AWS S3 Access Denied on delete

I have a bucket that I can write to with no problem. However, when I try to delete an object, I get an error ...

AccessDeniedException in NamespaceExceptionFactory.php line 91

Following the very basic example here, I came up with this command ...

$result = $s3->deleteObject(array(
                'Bucket' => $bucket,
                'Key'    => $keyname
            ));  

I have tried variations of this based upon other tutorials and questions I have found.

$result = $s3->deleteObject(array(
                'Bucket' => $bucket,
                'Key'    => $keyname,
                'Content-Type'  => $contentType,
                'Content-Length' => 0
            ));  

But everything produces the same error. Any suggestions?

Upvotes: 14

Views: 33501

Answers (3)

Crystyan S. Santos

Reputation: 61

In my case, I enabled MFA access. According to AWS, when MFA is activated, to write to the bucket you will need a root access_key. Doing this solved my problem.

More details here: https://repost.aws/knowledge-center/s3-bucket-mfa-delete

Upvotes: 0

Ravi Ramanujam

Reputation: 221

It's quite common to have write permission (a user that just writes the data to S3) and a separate delete permission with another user (to avoid accidental deletes).

You can check whether you really have access to the specific bucket actions: use the iam get-role-policy API to view the permissions you have for the role that you are using to try to delete. Here is an example:

$ aws iam get-role-policy --role-name <<your-role-name>> --policy-name <<your-policy-name>>

{
    "RoleName": "myrolename",
    "PolicyDocument": {
        "Version": "yyyy-mm-dd",
        "Statement": [
            {
                "Action": [
                    "s3:AbortMultipartUpload",
                    "s3:DeleteObject",
                    "s3:Get*",
                    "s3:List*",
                    "s3:ListBucket",
                    "s3:PutObject*"
                ],
                "Resource": [
                    "arn:aws:s3:::bucket1/*",
                    "arn:aws:s3:::bucket2/*"
                ],
                "Effect": "Allow",
                "Sid": "yyyy"
            }
        ]
    },
    "PolicyName": "mypolicyname"
}

Most likely in your case, you do not have the "s3:DeleteObject" action for that resource (bucket/prefix).

Upvotes: 14
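Added example, not code from any poster here: a small Python evaluator that applies the IAM Allow/Deny logic to a policy document of the shape shown in the answer above, so you can see why a role with s3:PutObject* but no s3:DeleteObject on a prefix is refused on delete. The policy, bucket names, prefixes and Sids are constructed, and the evaluator assumes an identity policy without Condition or NotAction/NotResource and ignores bucket policies and SCPs.

```python
import fnmatch
import json

# Constructed identity policy modelled on the one in the answer above: the role
# can put, get and list in bucket1, may delete only under the tmp/ prefix, and
# an explicit Deny protects tmp/keep/ even from that delete grant.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "WriteReadList", "Effect": "Allow",
     "Action": ["s3:PutObject*", "s3:Get*", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::bucket1", "arn:aws:s3:::bucket1/*"]},
    {"Sid": "DeleteScratchOnly", "Effect": "Allow",
     "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::bucket1/tmp/*"},
    {"Sid": "KeepIsImmutable", "Effect": "Deny",
     "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::bucket1/tmp/keep/*"}
  ]
}
"""
POLICY = json.loads(POLICY_JSON)  # parsed once for reuse

def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value)

def _match(patterns, value, case_sensitive):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # Action names match case-insensitively, resource ARNs case-sensitively.
    if not case_sensitive:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation (assumption: no Condition,
    NotAction/NotResource, bucket policy or SCP): an explicit Deny in any
    matching statement wins, one matching Allow grants, else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_match(_as_list(stmt["Action"]), action, False)
                and _match(_as_list(stmt["Resource"]), resource, True)):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit Deny overrides every Allow
        allowed = True
    return allowed

if __name__ == "__main__":
    obj = "arn:aws:s3:::bucket1/uploads/report.pdf"
    print(is_allowed(POLICY, "s3:DeleteObject", obj))  # False
```

Run the same check against the real policy document returned by `aws iam get-role-policy` to confirm that the object ARN you are deleting is covered by an s3:DeleteObject Allow and not by a Deny.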

Ravi Ramanujam

Reputation: 221

A user being able to create an object in a bucket doesn't necessarily imply that the same user can delete the object that he/she may have created.

S3 permissions can be granular at the resource level (bucket/prefix), where the actions your role can take could be one or many of the permissions (see: http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html).

It looks like you are having s3:PutObject permission but not s3:DeleteObject.

Upvotes: 4
