Amir Adamov

Reputation: 53

AWS S3: Error: An error occurred (AccessDenied) when calling the CreateSession operation: Access Denied

I am new to Amazon web service management. I created a directory bucket and user in IAM so that I could connect to my bucket through the Flask app. This is my permissions policy for user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my_bucket",
                "arn:aws:s3:::my_bucket/*"
            ]
        }
    ]
}

When I want to create a policy for my bucket I get an unknown error:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1706996941974",
            "Principal": "*",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::my_bucket/*"
            ]
        }
    ]
}


I think as a solution I can create new General-purpose buckets but I need Directory buckets since it is faster.

Upvotes: 1

Views: 1140

Answers (2)

clem

Reputation: 424

This IAM policy worked for me:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*",
                "s3express:*"
            ],
            "Resource": [
                "arn:aws:s3:::BUCKET-NAME--eun1-az1--x-s3",
                "arn:aws:s3:::BUCKET-NAME--eun1-az1--x-s3/*",
                "arn:aws:s3express:eu-north-1:585907681370:bucket/BUCKET-NAME--eun1-az1--x-s3",
                "arn:aws:s3express:eu-north-1:585907681370:bucket/BUCKET-NAME--eun1-az1--x-s3/*"
            ]
        }
    ]
}

I was missing the s3express:* action. Thanks @caldazar for the answer.

I also wanted to limit access to a single directory bucket and I had to enter the resource names twice.

Upvotes: 0

Caldazar

Reputation: 3802

The directory bucket has a different policy than the general purpose bucket. It cannot use s3 actions. Instead, you should use s3express:*. You can see all available directory bucket actions in the IAM for S3 Express One Zone.

Upvotes: 1
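As an added example (not code from either answer), the check below reads an identity policy and reports why s3express:CreateSession would be denied for a given directory bucket, covering the two points the answers make: the action must come from the s3express namespace, and the resource must be the arn:aws:s3express ARN of the bucket. The account ID and bucket names used in the sample are constructed placeholders.

```python
import json
import re

# Directory bucket names end in "--<az-id>--x-s3", e.g. "data--eun1-az1--x-s3".
DIR_BUCKET_RE = re.compile(r"^[a-z0-9.-]+--[a-z0-9-]+-az\d+--x-s3$")


def _as_list(v):
    # IAM allows Action/Resource to be a single string or a list.
    return v if isinstance(v, list) else [v]


def _matches(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' a single one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None


def check_directory_bucket_policy(policy_json, bucket, region, account):
    """Return a list of findings explaining why s3express:CreateSession on
    `bucket` is not authorized by this identity policy; [] means it is."""
    findings = []
    if not DIR_BUCKET_RE.match(bucket):
        findings.append(f"{bucket!r} is not a directory bucket name (expected suffix --<az>--x-s3)")
    policy = json.loads(policy_json)
    bucket_arn = f"arn:aws:s3express:{region}:{account}:bucket/{bucket}"
    action_ok = resource_ok = False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive; ARNs are compared as written.
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        stmt_action_ok = any(_matches(a, "s3express:createsession") for a in actions)
        stmt_resource_ok = any(_matches(r, bucket_arn) for r in resources)
        if stmt_action_ok and stmt_resource_ok:
            return findings  # one statement grants both action and resource
        action_ok |= stmt_action_ok
        resource_ok |= stmt_resource_ok
    if not action_ok:
        findings.append("no Allow statement grants s3express:CreateSession "
                        "(s3:* does not cover the s3express namespace)")
    if not resource_ok:
        findings.append(f"no Allow statement names {bucket_arn}")
    if action_ok and resource_ok:
        findings.append("action and resource are allowed only in separate statements; "
                        "a single statement must grant both")
    return findings
```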
