M Perpe

Reputation: 49

Getting "Insufficient permissions to list objects" error with S3 bucket policy

I set up a bucket policy to allow two external users arn:aws:iam::123456789012:user/user1 and arn:aws:iam::123456789012:user/user2 to access everything under a particular path in our S3 bucket - s3:my-bucket-name/path/. But the user is getting the following error when trying to access the path in the AWS console:

Insufficient permissions to list objects
After you or your AWS administrator have updated your permissions to allow the s3:ListBucket action, refresh the page. Learn more about identity and access management in Amazon S3.

Here's the policy document. What am I missing here?

{
    "Version": "2012-10-17",
    "Id": "allowAccessToBucketPath",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:user/user1",
                    "arn:aws:iam::123456789012:user/user2"
                ]
            },
            "Action": [
                "s3:PutObject",
                "s3:List*",
                "s3:Get*"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket-name/path/*",
                "arn:aws:s3:::my-bucket-name/path"
            ]
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:user/user1",
                    "arn:aws:iam::123456789012:user/user2"
                ]
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::my-bucket-name",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "path/*"
                }
            }
        }
    ]
}

Upvotes: 4

Views: 9674
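To see which requests the posted policy actually covers, here is an added example (not from the question or the answer) that evaluates the asker's policy with IAM-style wildcard matching and a StringLike condition check. It assumes no Deny statements and models only the StringLike operator; one thing it makes visible is that an s3:ListBucket request carrying no s3:prefix (for example, listing the bucket root) does not satisfy the second statement's condition.

```python
import re

USER1 = "arn:aws:iam::123456789012:user/user1"
USER2 = "arn:aws:iam::123456789012:user/user2"
BUCKET = "arn:aws:s3:::my-bucket-name"

# The asker's bucket policy as a dict (Version, Id and Sid omitted; they do not affect evaluation).
POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": [USER1, USER2]},
     "Action": ["s3:PutObject", "s3:List*", "s3:Get*"],
     "Resource": [BUCKET + "/path/*", BUCKET + "/path"]},
    {"Effect": "Allow", "Principal": {"AWS": [USER1, USER2]}, "Action": "s3:ListBucket",
     "Resource": BUCKET, "Condition": {"StringLike": {"s3:prefix": "path/*"}}},
]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _iam_match(pattern, value):
    # IAM wildcards: '*' is any run of characters (possibly empty), '?' exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def _condition_ok(condition, ctx):
    # Only StringLike is modelled; a key absent from the request fails it (no IfExists here).
    return all(key in ctx and any(_iam_match(p, ctx[key]) for p in _as_list(pats))
               for key, pats in condition.get("StringLike", {}).items())

def is_allowed(policy, principal, action, resource, ctx=None):
    """True if some Allow statement covers the request; Deny statements are not modelled."""
    ctx = ctx or {}
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or principal not in _as_list(st["Principal"]["AWS"]):
            continue
        if not any(_iam_match(a.lower(), action.lower()) for a in _as_list(st["Action"])):
            continue  # action names are case-insensitive in IAM
        if not any(_iam_match(r, resource) for r in _as_list(st["Resource"])):
            continue  # resource ARNs are case-sensitive
        if _condition_ok(st.get("Condition", {}), ctx):
            return True
    return False

def check_cases(user=USER1):
    # Representative requests; True means Allow, False means implicit Deny.
    return {
        "get object under path/": is_allowed(POLICY, user, "s3:GetObject", BUCKET + "/path/file.txt"),
        "list with prefix path/": is_allowed(POLICY, user, "s3:ListBucket", BUCKET, {"s3:prefix": "path/"}),
        "list bucket root, no prefix": is_allowed(POLICY, user, "s3:ListBucket", BUCKET),
        "get object outside path/": is_allowed(POLICY, user, "s3:GetObject", BUCKET + "/other.txt"),
    }
```

Running `check_cases()` returns Allow for the first two requests and implicit Deny for the last two; a real evaluation also involves the identity policies, Object Ownership setting and Block Public Access configuration that this simplified model leaves out.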

Answers (1)

Nate Norris

Reputation: 996

I would check if you have any ACLs enabled for your bucket. In your bucket settings, check if Object Ownership is set to "ACLs enabled", in which case I would suggest you change it to "ACLs disabled".

If that doesn't work, I would suggest using the IAM Access Analyzer to help troubleshoot -- if the Access Analyzer says that your policy does in fact allow the access you want, then that would indicate that this policy is correctly defined, and you have other configurations on your bucket preventing the access.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-analyzer.html

Upvotes: 0
