jamesdeath123

Reputation: 4606

AWS S3: can upload via CLI and console but not Node.js SDK

The bucket is configured to have public access disabled, but with the following bucket policy:

{
    "Version": "2012-10-17",
    "Id": "Policy1571348371588",
    "Statement": [
        {
            "Sid": "Stmt1571348370292",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::932534461852:user/test-user"
                ]
            },
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::test.test.com",
                "arn:aws:s3:::test.test.com/*"
            ]
        }
    ]
}

The IAM user also has this policy attached:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::*/*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::test.test.com"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "s3:PutAccountPublicAccessBlock",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        }
    ]
}

The bucket's public access setting is:

Block all public access
On

    Block public access to buckets and objects granted through new access control lists (ACLs)
    On
    Block public access to buckets and objects granted through any access control lists (ACLs)
    On
    Block public access to buckets and objects granted through new public bucket policies
    On
    Block public and cross-account access to buckets and objects through any public bucket policies
    On

I have verified that the CLI and the SDK are using the same access key and secret key, and I can use the console and CLI to upload files without a problem, but when I try with Node.js's aws-sdk 2.551.0, I got an access denied error.

What could be going wrong?

Upvotes: 0

Views: 605

Answers (1)

jarmod

Reputation: 78823

The problem is likely to be that your Node.js client is using the wrong credentials, is targeting the wrong bucket, or is invoking an action not allowed in the IAM policy. You haven't provided any code so we can't validate the latter.

Also, you don't need to allow the IAM user in an S3 bucket policy if the IAM user's policy allows the necessary S3 actions/resources, so you can remove the bucket policy.

Upvotes: 1