Sue Metzger

Reputation: 11

AWS s3 Access Denied because of Ownership?

I have an AWS S3 bucket and a directory to which I have allowed other users to put files/objects. The directory is public. Using a 3rd party software (namely Alteryx), I am trying to get the objects. From this tool, I connect to AWS using my Access Key and secret. I can list the files in the directory but am only able to read files that I have created (not the files that others have put into the directory). I am guessing the problem is with ownership of the objects (the objects I own can be read, the files others own cannot be read using my Access Key). Any suggestions on how I can programmatically change ownership of the files?

My current bucket policy for the directory in question.


Upvotes: 1

Views: 3997

Answers (2)

Gujarat Santana

Reputation: 10544

I am guessing the problem is with ownership of the objects

Yes, your guess is correct.

Any suggestions on how I can programmatically change ownership of the files?

You can do that by getting all the objects from the S3 bucket and setting the ACL to bucket-owner-full-control.

Please specify which programming language you are using. I'm assuming you can use Python; if so, please refer here

import boto3

s3 = boto3.resource('s3')
# Replace YOUR_BUCKET and YOUR_OBJECT with the bucket name and object key.
obj = s3.Bucket('YOUR_BUCKET').Object('YOUR_OBJECT')
# you can improve the code to list all the objects and iterate them
obj.Acl().put(ACL='bucket-owner-full-control')

But please note that you can only do this by using the other user's credentials that put the object to your S3 bucket. You cannot change the object ACL using your own credentials.

Upvotes: 0
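
Extending the snippet above from one object to a whole prefix, as an added example that is not part of either answer: the bucket owner lists objects with owner information to find the keys uploaded by other accounts, and the uploader then applies the ACL to those keys with their own credentials. `client` is assumed to be a boto3 S3 client; the bucket name, keys and canonical IDs are constructed placeholders.

```python
# Added example, not code from the original answers.
ACL = "bucket-owner-full-control"

# Constructed sample: pages shaped like list_objects_v2 responses obtained with
# client.get_paginator("list_objects_v2").paginate(Bucket=..., Prefix=..., FetchOwner=True)
SAMPLE_PAGES = [
    {"Contents": [
        {"Key": "incoming/a.csv", "Owner": {"ID": "OWNER-CANONICAL-ID"}},
        {"Key": "incoming/b.csv", "Owner": {"ID": "UPLOADER-CANONICAL-ID"}},
    ]},
    {"Contents": [
        {"Key": "incoming/c.csv", "Owner": {"ID": "UPLOADER-CANONICAL-ID"}},
    ]},
    {},  # an empty page carries no "Contents" key
]


def foreign_owned(pages, bucket_owner_id):
    """Bucket owner's side: return (key, owner_id) for every object whose
    owner is not the bucket owner. These are the keys that fail on read."""
    found = []
    for page in pages:
        for obj in page.get("Contents", []):
            owner_id = obj.get("Owner", {}).get("ID")
            if owner_id != bucket_owner_id:
                found.append((obj["Key"], owner_id))
    return found


def apply_acl(client, bucket, keys):
    """Uploader's side: must run with the object owner's credentials.
    Returns (updated, failed) so denied keys are reported, not lost."""
    updated, failed = [], []
    for key in keys:
        try:
            client.put_object_acl(Bucket=bucket, Key=key, ACL=ACL)
            updated.append(key)
        except Exception as exc:  # e.g. AccessDenied when the caller is not the owner
            failed.append((key, str(exc)))
    return updated, failed


if __name__ == "__main__":
    for key, owner in foreign_owned(SAMPLE_PAGES, "OWNER-CANONICAL-ID"):
        print(f"{key} is owned by {owner}")
```

The bucket owner's own canonical ID is available from `client.list_buckets()["Owner"]["ID"]`.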

Sandeep Dudhraj

Reputation: 56

You are right. Since you are the bucket owner, not the object owner, you cannot access the objects owned by other users. However, in your S3 bucket policy, you have specified to grant full object access to bucket owner for PutObject action. It should have done the trick.

"Condition": {
    "StringEquals": {
        "s3:x-amz-acl": "bucket-owner-full-control"
    }
}

My best guess is it's because of Multipart Upload of files in your bucket (upload large objects in parts), or moving objects from one bucket to another.

You can always ask the object owner to update the ACL of the object using the following command.

aws s3api put-object-acl --bucket bucketname --key keyname --acl bucket-owner-full-control

I've linked my resource here.

Upvotes: 1
