user16393638

Reputation: 73

I am getting s3 error: An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied


But I have an IAM policy set and am using the aws CLI with a --profile that has the policy attached. IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::my-repository"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:GetObjectTagging",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::my-repository/data/*"
        }
    ]
}

aws --profile my-repository s3 ls

An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied

Upvotes: 7

Views: 14330

Answers (3)

user3207874

Reputation: 3647

In my case, I was using attribute-based access control (ABAC) and I had accidentally set a condition that in order for a user to be able to do the s3:ListAllMyBuckets action, the resource must contain a specific tag.

{
  "Sid": "AllowInteractOnlyWithOwnTaggedResources",
  "Effect": "Deny",
  "Action": [
    "s3:ListAllMyBuckets"
  ],
  "Resource": "*",
  "Condition": {
    "StringNotEquals": {
      "aws:ResourceTag/access": "${aws:PrincipalTag/access}"
    }
  }
}

The resource tag condition doesn't work for the s3:ListAllMyBuckets action, and so AWS gave me an AccessDenied error.

The reason I was stumped by this is that the above policy was a service control policy (SCP), and yet I got a plain "AccessDenied" error when the action didn't work. Usually, when an action is denied by the SCP, you get an "AccessDenied with an explicit deny in a service control policy" error.

Upvotes: 1

user16393638

Reputation: 73

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::my-repository"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:GetObjectTagging",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::my-repository/data/*"
        }
    ]
}

Upvotes: 0

jellycsc

Reputation: 12259

You need the following IAM permission to do aws s3 ls:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        }
    ]
}

Upvotes: 4
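Added example (not from any of the posters above, and not AWS's evaluation engine): a small Python policy evaluator that models the three IAM rules behind this thread and runs the thread's own policies through them. It shows that a bare `aws s3 ls` calls ListBuckets, which needs `s3:ListAllMyBuckets` on `*` and is not covered by `s3:ListBucket` on a bucket ARN; that `aws s3 ls s3://my-repository/` (ListObjectsV2) is already allowed by the original policy, which is the least-privilege route if listing every bucket in the account is not actually required; and, for the accepted-style ABAC answer, why a Deny with StringNotEquals on `aws:ResourceTag/...` fires on ListBuckets: that call has no resource and so no resource tags, and a negated operator on a missing key evaluates to true. Only StringEquals/StringNotEquals are modelled, identity policies and SCPs are treated as one list, and all policy documents and request contexts are constructed sample inputs.

```python
"""Minimal IAM policy evaluator (added example, not AWS's engine).

Models: '*'/'?' wildcard matching, explicit Deny over Allow with implicit
deny otherwise, and StringNotEquals treating a missing request-context key
as true (the documented AWS rule that lets a tag-based Deny catch tagless
account-level calls such as s3:ListAllMyBuckets).
"""
import re
from typing import Optional


def _glob(pattern: str, value: str, *, ignore_case: bool) -> bool:
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(template: str, ctx: dict) -> str:
    """Expand ${aws:PrincipalTag/x}-style policy variables from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), template)


def _condition_matches(condition: Optional[dict], ctx: dict) -> bool:
    """Evaluate a Condition block; only StringEquals/StringNotEquals are modelled."""
    for operator, pairs in (condition or {}).items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"operator {operator} not modelled in this example")
        negated = operator == "StringNotEquals"
        for key, expected in pairs.items():
            expected_values = [_substitute(v, ctx) for v in _as_list(expected)]
            actual = ctx.get(key)
            if actual is None:
                # Missing key: a negated operator is true, a positive one is false.
                if negated:
                    continue
                return False
            if (actual in expected_values) == negated:
                return False
    return True


def evaluate(policies: list, action: str, resource: str, ctx: Optional[dict] = None) -> str:
    """Return 'ALLOW', 'EXPLICIT_DENY' or 'IMPLICIT_DENY' for one API call.

    Identity policies and SCPs are passed in one list here; an explicit Deny
    in either has the same outcome for this purpose.
    """
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            # Action names are case-insensitive, ARNs are not.
            action_hit = any(_glob(a, action, ignore_case=True) for a in _as_list(stmt["Action"]))
            resource_hit = any(_glob(r, resource, ignore_case=False) for r in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if not _condition_matches(stmt.get("Condition"), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "EXPLICIT_DENY"  # explicit deny always wins
            allowed = True
    return "ALLOW" if allowed else "IMPLICIT_DENY"


# Constructed sample inputs mirroring the policies posted in this thread.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::my-repository"},
        {"Effect": "Allow",
         "Action": ["s3:GetObjectAcl", "s3:GetObject", "s3:GetObjectTagging", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::my-repository/data/*"},
    ],
}
LIST_ALL_MY_BUCKETS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"}],
}
ABAC_DENY_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowInteractOnlyWithOwnTaggedResources", "Effect": "Deny",
        "Action": ["s3:ListAllMyBuckets"], "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:ResourceTag/access": "${aws:PrincipalTag/access}"}},
    }],
}


def why_s3_ls_fails() -> str:
    """`aws s3 ls` with no bucket calls ListBuckets: s3:ListAllMyBuckets on '*'."""
    return evaluate([ORIGINAL_POLICY], "s3:ListAllMyBuckets", "*")


def least_privilege_alternative() -> str:
    """`aws s3 ls s3://my-repository/` calls ListObjectsV2: s3:ListBucket on the bucket ARN."""
    return evaluate([ORIGINAL_POLICY], "s3:ListBucket", "arn:aws:s3:::my-repository")


def with_list_all_my_buckets() -> str:
    return evaluate([ORIGINAL_POLICY, LIST_ALL_MY_BUCKETS_POLICY], "s3:ListAllMyBuckets", "*")


def abac_deny_on_tagless_call() -> str:
    """No resource means no aws:ResourceTag/access in the context, so the Deny fires."""
    return evaluate([LIST_ALL_MY_BUCKETS_POLICY, ABAC_DENY_SCP], "s3:ListAllMyBuckets", "*",
                    {"aws:PrincipalTag/access": "team-a"})


if __name__ == "__main__":
    for fn in (why_s3_ls_fails, least_privilege_alternative,
               with_list_all_my_buckets, abac_deny_on_tagless_call):
        print(f"{fn.__name__:30s} -> {fn()}")
```

Against a real account the equivalent check is `aws iam simulate-principal-policy --policy-source-arn <role-or-user-arn> --action-names s3:ListAllMyBuckets s3:ListBucket --resource-arns arn:aws:s3:::my-repository`, which reports the matched statements and whether the decision was an implicit or explicit deny.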
