Reputation: 5738
AWS S3: An error occurred (AccessDenied) when calling the GetObject operation: Access Denied
I have an AWS account with read/write permissions as shown below:
I'd like to make it so that an IAM user can download files from an S3 bucket but I'm getting access denied when executing aws s3 sync s3://<bucket_name> . I have tried various things, but not to avail. Some steps that I did:
- Created a user called s3-full-access
- Executed
aws configurein my CLI and entered the generated access key id and secret access key for the above user - Created a bucket policy (shown below) that I'd hoped grants access for my user created in first step.
My bucket has a folder name AffectivaLogs in which files were being added anonymously by various users, and it seems like though the bucket is public, the folder inside it is not and I am not even able to make it public, and it leads to following error.
Following are the public access settings:
Update: I updated the bucket policy as follows, but it doesn't work.
Upvotes: 24
Views: 91369
Answers (3)
Reputation: 91
If you use KMS encryption enabled on bucket you should also add policy that allows you to decrypt data using KMS key.
Upvotes: 9
Reputation: 1648
You can configure the S3 policy with the required principal
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListBucket",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::accountId:user/*
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bucket"
},
{
"Sid": "GetObjects",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::accountId:user/*
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket/*"
}
]
}
Or you can create IAM policy and attached it to the role
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListBucket",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::bucket"
},
{
"Sid": "GetObject",
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::bucket/*"
}
]
}
Upvotes: 2
Reputation: 269340
To test the situation, I did the following:
- Created an IAM User with no attached policies
- Created an Amazon S3 bucket
- Turned off S3 block public access settings:
- Block new public bucket policies
- Block public and cross-account access if bucket has public policies
- Added a Bucket Policy granting
s3:*access to the contents of the bucket for the IAM User
I then ran aws s3 sync and got Access Denied.
I then modified the policy to also permit access to the bucket itself:
{
"Id": "Policy",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "statement",
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my-bucket/*",
"arn:aws:s3:::my-bucket"
],
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/stack-user"
]
}
}
]
}
This worked.
Bottom line: Also add permissions to access the bucket, in addition to the contents of the bucket. (I suspect it is because aws s3 sync requires listing of bucket contents, in addition to accessing the objects themselves.)
Upvotes: 14
Related Questions
- AWS CLI S3 A client error (403) occurred when calling the HeadObject operation: Forbidden
- Access denied when trying to do AWS s3 ls using AWS cli
- AWS - ClientError: An error occurred (AccessDenied) when calling the GetObject operation: Access Denied
- Access Denied when calling GetObject
- Amazon S3 ListObjectsV2 operation: Access Denied
- S3: An error occurred (AccessDenied) when calling the GetObject operation: Access Denied
- AWS s3 GetObject operation: Access Denied for public bucket
- s3api getobject permission denied
- s3 - An error occurred (403) when calling the HeadObject operation: Forbidden
- AWS S3 CLI:An error occurred (AllAccessDisabled) when calling the PutObject operation: All access to this object has been disabled