Dime

Reputation: 153

AWS s3 access denied for second identical bucket

In the AWS S3 panel I have created a bucket named the same as my account (eu-central-1). Using the REST service, my user key and secret key, I have access to my first bucket; I send images via the REST service, delete them, get them, etc.

I have created a second bucket (eu-central-1) and chosen to take the settings from the first one. The second bucket is not named like my account, of course.

When I call list buckets I get 2 buckets; one is named the same as my account name. This is the bucket that works.

Both buckets have public access blocked, so the only way is to send images via the REST service using signed headers.

Whatever I try to do with the second bucket I get access denied.

But if I delete the second bucket and create a new one in eu-easet-1, then all works perfectly, also for the second bucket. Why can't I have 2 buckets in the same region?

Upvotes: 0

Views: 1034

Answers (3)

Dime

Reputation: 153

Thank you all for helping me figure out S3 service in depth.

Just a note: I am using the root user. The ID and secret key used in the following examples are both the root's and those of a later-created user with full S3 privileges. The issue was always the same.

In order to research this problem further, I created 6 buckets 24 hours before this comment.

  1. bucket name like account name EU (Frankfurt) eu-central-1
  2. random working bucket name EU (Frankfurt) eu-central-1
  3. random working bucket name EU (London) eu-west-2
  4. random working bucket name US East (N. Virginia) us-east-1
  5. random working bucket name US East (N. Virginia) us-east-1
  6. random working bucket name US East (Ohio) us-east-2

Numbers 1, 4, 5 and 6 were working at the exact moment of creation. Numbers 2 and 3 were not. I was receiving access denied no matter what I tried to do with them (2 and 3). All the buckets were created in the same way with completely the same settings.

After 24 hours, today, I have tested access to all the buckets. No code alterations were done. Same code, same functions, same tests. No bucket settings were changed in the admin panel of AWS S3. No new users were created. Everything was completely the same as it was 24 hours ago.

All the buckets were working today.

Upvotes: 0

dutoitns

Reputation: 2243

In the comments you said that you are encountering problems if your buckets are in different regions. When you integrate with S3 you must make sure your "client" is configured with the region of the S3 bucket.

For example, in the Java SDK (v2) I get an S3Client as follows:

import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;

private static S3Client getClient(AwsCredentialsProvider awsAuth, Region awsRegion) {
    return S3Client.builder().credentialsProvider(awsAuth).region(awsRegion).build();
}

The Region method argument refers to the region in which the bucket is located. I then integrate with S3 using this region-aware S3Client object (it opens a connection to that AWS region).

In the comments I also mentioned IAM policies and that your access key needs the relevant access. Seems you got that sorted - I just want to clarify one thing I thought about afterwards and it might be useful to you on your AWS journey ahead.

You need the s3:putObject permission.

s3:putObjectAcl might be for more advanced use-cases - for example (there might be other examples) copying an S3 object to another account, e.g. copying a file from an application on your primary AWS account to another where you manage data for analytics. Some reference material here with details on some headers that will need to accompany your PutObject request.

Upvotes: 1
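The reason the client's region setting matters, even when the access key is correct, is that Signature Version 4 binds the region into the credential scope (date/region/s3/aws4_request) and into the HMAC chain that derives the signing key. The following is an added illustration, not code from this answer, the AWS SDK, or the question's REST client: it implements the standard SigV4 key derivation and signs a GET for the same object under two regions, showing that the resulting signatures (and Authorization headers) differ. The access key, secret key, bucket name, object key and timestamp are constructed placeholders; the host follows the regional virtual-hosted-style endpoint format.

```python
import hashlib
import hmac

# Constructed example credentials (not real keys) and a fixed request time so
# the output is reproducible offline.
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE"
SECRET_KEY = "exampleSecretKeyDoNotUse"
AMZ_DATE = "20200101T000000Z"
EMPTY_PAYLOAD_SHA256 = hashlib.sha256(b"").hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str, service: str = "s3") -> bytes:
    """SigV4 key derivation: each step is an HMAC keyed with the previous result.

    The region is one of the HMAC inputs, so a key derived for eu-central-1 can
    never produce a signature that S3 accepts under eu-west-2's credential scope.
    """
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_get_object(bucket: str, key: str, region: str, access_key: str = ACCESS_KEY,
                    secret_key: str = SECRET_KEY, amz_date: str = AMZ_DATE) -> dict:
    """Build the signed headers for a virtual-hosted-style GET of s3://bucket/key.

    Returns the headers a REST client would send plus the hex signature on its own.
    """
    host = f"{bucket}.s3.{region}.amazonaws.com"
    date_stamp = amz_date[:8]
    credential_scope = f"{date_stamp}/{region}/s3/aws4_request"

    # Canonical request: method, URI, query string (empty here), canonical headers
    # (lower-case, sorted, each newline-terminated), signed-header list, payload hash.
    canonical_headers = (
        f"host:{host}\n"
        f"x-amz-content-sha256:{EMPTY_PAYLOAD_SHA256}\n"
        f"x-amz-date:{amz_date}\n"
    )
    signed_headers = "host;x-amz-content-sha256;x-amz-date"
    canonical_request = "\n".join(
        ["GET", f"/{key}", "", canonical_headers, signed_headers, EMPTY_PAYLOAD_SHA256]
    )

    # String to sign carries the credential scope, i.e. the region, in clear text.
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        credential_scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(
        derive_signing_key(secret_key, date_stamp, region),
        string_to_sign.encode("utf-8"),
        hashlib.sha256,
    ).hexdigest()

    return {
        "Host": host,
        "x-amz-date": amz_date,
        "x-amz-content-sha256": EMPTY_PAYLOAD_SHA256,
        "Authorization": (
            f"AWS4-HMAC-SHA256 Credential={access_key}/{credential_scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}"
        ),
        "signature": signature,
    }


def signatures_by_region(bucket: str, key: str, regions: tuple) -> dict:
    """Sign the same object once per region. A client configured for the wrong
    region sends a signature S3 will reject for that bucket."""
    return {region: sign_get_object(bucket, key, region)["signature"] for region in regions}


if __name__ == "__main__":
    # Constructed bucket and key; the two signatures differ only because of the region.
    for region, sig in signatures_by_region("my-second-bucket", "images/cat.jpg",
                                            ("eu-central-1", "eu-west-2")).items():
        print(f"{region}: {sig}")
```

The practical consequence for the question: a client whose region (or endpoint) is fixed to one region cannot sign valid requests for a bucket that lives in another, so the region must be taken from the bucket rather than hard-coded.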

HIMANSHU GOYAL

Reputation: 481

As @Nico mentioned in the comments, you need to have something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListObjectsInBucket",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": [
                         "arn:aws:s3:::bucket-one",
                         "arn:aws:s3:::bucket-two"
                        ]
        },
        {
            "Sid": "AllObjectActions",
            "Effect": "Allow",
            "Action": "s3:*Object",
            "Resource": [
                         "arn:aws:s3:::bucket-one/*",
                         "arn:aws:s3:::bucket-two/*"
                        ]
        }
    ]
}

Reference Link

Upvotes: 1
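The scoping in that policy is easy to get wrong: s3:ListBucket is a bucket-level action and must be granted on the bucket ARN (arn:aws:s3:::bucket-one), while the object actions need the object ARN (arn:aws:s3:::bucket-one/*). A policy that puts ListBucket on .../* only is syntactically valid and grants nothing, so listing returns AccessDenied. The following is an added check, not part of this answer or any AWS tool: a small linter that parses a policy document, expands wildcard actions such as s3:*Object, and reports statements whose Resource entries cannot cover the actions they grant. Both policies below are constructed inputs; the bucket names are placeholders.

```python
import fnmatch

# Constructed policy 1: ListBucket granted only on object ARNs (the mis-scoped form).
MISSCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListObjectsInBucket", "Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::bucket-one/*", "arn:aws:s3:::bucket-two/*"]},
        {"Sid": "AllObjectActions", "Effect": "Allow", "Action": "s3:*Object",
         "Resource": ["arn:aws:s3:::bucket-one/*", "arn:aws:s3:::bucket-two/*"]},
    ],
}

# Constructed policy 2: same intent, bucket-level and object-level ARNs used correctly.
CORRECTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListObjectsInBucket", "Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::bucket-one", "arn:aws:s3:::bucket-two"]},
        {"Sid": "AllObjectActions", "Effect": "Allow", "Action": "s3:*Object",
         "Resource": ["arn:aws:s3:::bucket-one/*", "arn:aws:s3:::bucket-two/*"]},
    ],
}

# Representative actions of each level; the linter checks whether a statement's
# Action patterns reach them and whether a matching Resource form is present.
BUCKET_LEVEL_ACTIONS = ("s3:ListBucket",)
OBJECT_LEVEL_ACTIONS = ("s3:GetObject", "s3:PutObject", "s3:DeleteObject")


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants(patterns, action):
    """True if any Action pattern (IAM wildcards, e.g. s3:*Object) matches the action."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _arn_path(resource):
    """Part after arn:aws:s3::: ; a '/' means the ARN names objects, not the bucket."""
    return resource.split(":::", 1)[-1]


def _is_bucket_arn(resource):
    return resource == "*" or "/" not in _arn_path(resource)


def _is_object_arn(resource):
    return resource == "*" or "/" in _arn_path(resource)


def lint_s3_policy(policy):
    """Return human-readable findings for Allow statements whose Resource ARNs
    cannot cover the S3 actions they grant. An empty list means no issue found."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        has_bucket_arn = any(_is_bucket_arn(r) for r in resources)
        has_object_arn = any(_is_object_arn(r) for r in resources)

        for action in BUCKET_LEVEL_ACTIONS:
            if _grants(actions, action) and not has_bucket_arn:
                findings.append(
                    f"{sid}: {action} is bucket-level but Resource only lists object ARNs "
                    f"(.../*); add arn:aws:s3:::<bucket>"
                )
        for action in OBJECT_LEVEL_ACTIONS:
            if _grants(actions, action) and not has_object_arn:
                findings.append(
                    f"{sid}: {action} is object-level but Resource only lists bucket ARNs; "
                    f"add arn:aws:s3:::<bucket>/*"
                )
    return findings


if __name__ == "__main__":
    for name, policy in (("mis-scoped", MISSCOPED_POLICY), ("corrected", CORRECTED_POLICY)):
        print(f"{name}: {lint_s3_policy(policy) or 'no findings'}")
```

Running the linter over a policy before attaching it catches this class of error earlier than an AccessDenied at runtime, which the question shows is hard to tell apart from region and endpoint problems.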
