Bootstrap FreeKB - Amazon Web Services (AWS) - Resolve "Access Denied"
Amazon Web Services (AWS) - Resolve "Access Denied"


Let's say something like this is being returned.

An error occurred (AccessDenied) when calling the s3:ListObjects operation: Access Denied

 

Here are the most common reasons Access Denied is returned.

  • The User or Service attempting to access the resource is in a different AWS Account than the resource
  • The User or Service attempting to access the resource is in a different AWS Region than the resource
  • The User or Service attempting to access the resource is in a different Virtual Private Cloud (VPC) than the resource
  • The resource does not have a Permission Policy that allows the User or Service access to the resource
  • The User attempting to access the resource does not have an Identity-Based Permission Policy that allows the user access to the resource
  • The Service attempting to access the resource does not have a Resource-Based Permission Policy that allows the service access to the resource
  • The User attempting to access the resource assumed a Role but the Role does not have a Trust Policy that allows the user to assume the role
  • The User attempting to access the resource assumed a Role but the Role does not have a Permission Policy that allows access to the resource
  • The Permission Policy associated with the resource does not allow certain Actions, such as s3:ListObjects

 

For example, let's say User john.doe is attempting to list objects in an S3 Bucket using the aws s3api list-objects command and Access Denied is being returned.

~]$ aws s3api list-objects --bucket my-bucket-abc123 --profile johndoe

An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied

 

Assuming john.doe is in the same AWS Account and AWS Region as the Bucket, this is almost always due to an IAM (Identity and Access Management) Permission Policy not allowing the User (john.doe) to perform a certain action (s3:ListObjects) on the S3 Bucket. The aws iam list-attached-user-policies command can be used to see if the User has a Permission Policy that allows the User to perform the action on the resource (S3 Bucket). If not, the aws iam attach-user-policy command can be used to attach a Permission Policy such as arn:aws:iam::aws:policy/AmazonS3FullAccess to the User account.

~]$ aws iam list-attached-user-policies --user-name john.doe
{
    "AttachedPolicies": [
        {
            "PolicyName": "AmazonS3FullAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"
        }
    ]
}

 

Then the aws s3api get-bucket-policy command can be used to determine if the S3 Bucket has a Permission Policy. In this example, john.doe is allowed s3:ListObjects, meaning john.doe is allowed to list objects in the Bucket.

~]$ aws s3api get-bucket-policy --bucket my-bucket-abc123
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/john.doe"
            },
            "Action": "s3:ListObjects",
            "Resource": "arn:aws:s3:::my-bucket-abc123"
        }
    ]
}

 

In this example, the root user is allowed s3:* meaning root is allowed to perform any S3 Action on the Bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::my-bucket-abc123/*"
        }
    ]
}

 

In this example, the AWS CloudFront Distribution E3MELPD52EXGJ7 is allowed s3:GetObject, meaning the distribution is allowed to get objects from the Bucket.

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket-abc123/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::123456789012:distribution/E3MELPD52EXGJ7"
                }
            }
        }
    ]
}
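The three bucket policies above, together with the identity-based policy check described earlier, can be reasoned about with a small evaluator. The following Python is an added example written for this page, not code from the FreeKB article or from AWS. The bucket, user, account and distribution ARNs are the page's sample values; the s3:ListBucket action and the extra Deny statement are my additions (the ListObjects API call is authorised by the IAM action s3:ListBucket on the bucket ARN; "s3:ListObjects" is not an IAM action name). The evaluator models same-account requests with "AWS" and "Service" principals, "*" wildcards and StringEquals conditions only; the account-wide meaning of a ":root" principal, NotAction/NotResource and cross-account rules are not modelled.

```python
"""Toy evaluator for IAM identity policies and S3 bucket policies.

Added example, not code from the FreeKB article or from AWS.  Applies the core
evaluation order (a matching explicit Deny wins, otherwise any matching Allow,
otherwise the implicit deny that surfaces as "Access Denied") to the policies
shown on this page.  Assumptions: same-account requests, "AWS"/"Service"
principals, "*"/"?" wildcards and StringEquals conditions only.
"""
import fnmatch

BUCKET = "arn:aws:s3:::my-bucket-abc123"
JOHN = "arn:aws:iam::123456789012:user/john.doe"
ROOT = "arn:aws:iam::123456789012:root"
DIST = "arn:aws:cloudfront::123456789012:distribution/E3MELPD52EXGJ7"
CLOUDFRONT = {"Service": "cloudfront.amazonaws.com"}

# Constructed policies mirroring the page's examples, plus one explicit Deny.
S3_FULL_ACCESS = {"Version": "2012-10-17", "Statement": [  # shape of AmazonS3FullAccess
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
USER_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": JOHN},
     "Action": "s3:ListBucket", "Resource": BUCKET}]}  # ListObjects needs s3:ListBucket
ROOT_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROOT},
     "Action": "s3:*", "Resource": BUCKET + "/*"},
    {"Effect": "Deny", "Principal": {"AWS": ROOT},
     "Action": "s3:DeleteObject", "Resource": BUCKET + "/*"}]}
CLOUDFRONT_BUCKET_POLICY = {"Version": "2008-10-17", "Statement": [
    {"Effect": "Allow", "Principal": CLOUDFRONT,
     "Action": "s3:GetObject", "Resource": BUCKET + "/*",
     "Condition": {"StringEquals": {"AWS:SourceArn": DIST}}}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(stmt, caller):
    """caller is {"AWS": arn} or {"Service": "x.amazonaws.com"}.  Identity
    policies carry no Principal: they apply to whoever they are attached to."""
    principal = stmt.get("Principal", "*")
    if principal == "*":
        return True
    for kind, allowed in principal.items():
        allowed = _as_list(allowed)
        if kind in caller and (caller[kind] in allowed or "*" in allowed):
            return True
    return False

def _condition_matches(condition, context):
    """Only StringEquals is modelled; any other operator counts as not
    matching, which errs towards deny.  Condition keys are case-insensitive."""
    ctx = {k.lower(): v for k, v in context.items()}
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            return False
        for key, expected in pairs.items():
            if ctx.get(key.lower()) not in _as_list(expected):
                return False
    return True

def evaluate(policy, caller, action, resource, context=None):
    """Verdict of one policy document: Allow, ExplicitDeny or ImplicitDeny."""
    verdict = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt, caller):
            continue
        # Action names are case-insensitive; resource ARNs are case-sensitive.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context or {}):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # a matching Deny ends evaluation at once
        verdict = "Allow"          # remember it, but keep looking for a Deny
    return verdict

def authorize(identity_policy, bucket_policy, caller, action, resource, context=None):
    """Same-account rule: allowed if either policy allows and neither explicitly denies."""
    verdicts = [evaluate(p, caller, action, resource, context)
                for p in (identity_policy, bucket_policy) if p is not None]
    if "ExplicitDeny" in verdicts:
        return "ExplicitDeny"
    return "Allow" if "Allow" in verdicts else "ImplicitDeny"

def demo():
    """The page's scenarios, returned as a dict so they can be checked."""
    obj = BUCKET + "/example.txt"
    return {
        "john_full": authorize(S3_FULL_ACCESS, None, {"AWS": JOHN}, "s3:ListBucket", BUCKET),
        "john_list": authorize(None, USER_BUCKET_POLICY, {"AWS": JOHN}, "s3:ListBucket", BUCKET),
        "john_get": authorize(None, USER_BUCKET_POLICY, {"AWS": JOHN}, "s3:GetObject", obj),
        "root_get": evaluate(ROOT_BUCKET_POLICY, {"AWS": ROOT}, "s3:GetObject", obj),
        "root_list": evaluate(ROOT_BUCKET_POLICY, {"AWS": ROOT}, "s3:ListBucket", BUCKET),
        "root_delete": evaluate(ROOT_BUCKET_POLICY, {"AWS": ROOT}, "s3:DeleteObject", obj),
        "cf_ok": evaluate(CLOUDFRONT_BUCKET_POLICY, CLOUDFRONT, "s3:GetObject", obj, {"aws:SourceArn": DIST}),
        "cf_other": evaluate(CLOUDFRONT_BUCKET_POLICY, CLOUDFRONT, "s3:GetObject", obj, {"aws:SourceArn": DIST + "X"}),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

Running the demo shows the two verdicts that matter most when chasing this error: the john.doe bucket policy allows listing but leaves s3:GetObject at the implicit deny because it names only the bucket ARN, and the root policy's "bucket/*" resource covers the objects but not the bucket itself, so a ListBucket request on it is implicitly denied as well. The real engine has more inputs (service control policies, permission boundaries, session policies, cross-account rules); the aws iam simulate-principal-policy command runs that engine against a real principal.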

 

If the S3 Bucket does NOT have a Permission Policy that allows the User or Service to do whatever it is that they are trying to do on the S3 Bucket, you can create a JSON file (policy.json in this example) that contains the Permission Policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my-bucket-abc123",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:user/johndoe"
        ]
      }
    }
  ]
}

 

And then use the aws s3api put-bucket-policy command to attach the policy to the S3 Bucket. Of course, this would have to be done as a User that has permission to update the S3 Bucket Policy, typically the owner of the S3 Bucket or the root user account.

aws s3api put-bucket-policy --bucket my-bucket-abc123 --policy file://policy.json
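Before pushing a policy file with put-bucket-policy it is worth linting it for the mistakes that most often lead straight back to Access Denied. The following Python is an added example, not code from the FreeKB article or from AWS. It checks the policy shown above (s3:* on the bucket ARN alone, which grants nothing on the objects inside the bucket, because object-level actions such as s3:GetObject match arn:aws:s3:::bucket/*) next to a corrected version that lists both ARNs, and it also flags an unconditional "*" principal, which S3 treats as public and which put-bucket-policy rejects while BlockPublicPolicy is true. The object-level/bucket-level split is a heuristic on the action name, an assumption rather than AWS's own action table; the sample policies are constructed for this example.

```python
"""Pre-flight lint for a bucket policy before `aws s3api put-bucket-policy`.

Added example, not code from the FreeKB article or from AWS.  Flags the
mistakes that most often turn a freshly attached policy into a fresh "Access
Denied": an object-level action whose Resource names only the bucket ARN (or
the reverse), and an unconditional "*" principal, which S3 treats as public and
rejects while BlockPublicPolicy is true.  The object-level/bucket-level split
is a heuristic on the action name (assumption), not AWS's own action table.
"""
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (the two public forms)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def _scope(action):
    """Heuristic: names containing "Object" need bucket/* ARNs, wildcards such
    as s3:* or s3:Get* need both forms, everything else is bucket-level."""
    name = action.split(":", 1)[-1]
    if "Object" in name:
        return {"object"}
    if name.endswith("*") and "Bucket" not in name:
        return {"object", "bucket"}
    return {"bucket"}

def lint_policy(policy):
    """policy is the JSON text of the policy file (or an already parsed dict).
    Returns a list of (statement index, message); an empty list means clean."""
    if isinstance(policy, str):
        try:
            policy = json.loads(policy)
        except json.JSONDecodeError as exc:
            return [(-1, f"not valid JSON: {exc}")]
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append((-1, "Version should be 2012-10-17; older versions lack policy variables"))
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append((i, "Effect must be Allow or Deny"))
        if "Principal" not in stmt:
            findings.append((i, "a bucket policy statement must name a Principal"))
        elif effect == "Allow" and _is_public(stmt["Principal"]) and "Condition" not in stmt:
            findings.append((i, 'unconditional "*" principal: S3 treats the policy as public '
                                'and put-bucket-policy fails while BlockPublicPolicy is true'))
        needed = set()
        for action in _as_list(stmt.get("Action", [])):
            needed |= _scope(action)
        resources = _as_list(stmt.get("Resource", []))
        has_object = any(r == "*" or "/" in r for r in resources)    # arn:aws:s3:::bucket/...
        has_bucket = any(r == "*" or "/" not in r for r in resources)  # arn:aws:s3:::bucket
        if "object" in needed and not has_object:
            findings.append((i, "object-level action but no Resource of the form arn:aws:s3:::bucket/*"))
        if "bucket" in needed and not has_bucket:
            findings.append((i, "bucket-level action but no Resource naming the bucket ARN itself"))
    return findings

# Constructed samples.  PAGE_POLICY is the JSON shown above: s3:* on the bucket ARN
# alone, so object reads and writes by johndoe still fall through to Access Denied.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": "s3:*", "Effect": "Allow",
     "Resource": "arn:aws:s3:::my-bucket-abc123",
     "Principal": {"AWS": ["arn:aws:iam::123456789012:user/johndoe"]}}]}
# Corrected form: name both the bucket ARN and the objects under it.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": "s3:*", "Effect": "Allow",
     "Resource": ["arn:aws:s3:::my-bucket-abc123", "arn:aws:s3:::my-bucket-abc123/*"],
     "Principal": {"AWS": ["arn:aws:iam::123456789012:user/johndoe"]}}]}
# The public-read shape that BlockPublicPolicy exists to stop.
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": "s3:GetObject", "Effect": "Allow",
     "Resource": "arn:aws:s3:::my-bucket-abc123/*", "Principal": "*"}]}

if __name__ == "__main__":
    for name, pol in [("page", PAGE_POLICY), ("fixed", FIXED_POLICY), ("public", PUBLIC_POLICY)]:
        print(name, lint_policy(pol) or "clean")
```

To lint the file the page attaches, pass its text: lint_policy(open("policy.json").read()). A non-empty result means the put-bucket-policy call is likely to either fail or leave the caller with the same Access Denied it started with.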

 

You can also use the aws s3api get-public-access-block command to check if the S3 Bucket has Public Access blocked.

~]$ aws s3api get-public-access-block --bucket my-bucket-abc123
{
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": true,
        "IgnorePublicAcls": true,
        "BlockPublicPolicy": true,
        "RestrictPublicBuckets": true
    }
}

 

The aws s3api delete-public-access-block command can be used to remove the public access block from the S3 Bucket.

aws s3api delete-public-access-block --bucket my-bucket-abc123

 

And confirm the Public Access Blocks are removed.

~]$ aws s3api get-public-access-block --bucket my-bucket-abc123
{
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": false,
        "IgnorePublicAcls": false,
        "BlockPublicPolicy": false,
        "RestrictPublicBuckets": false
    }
}

 

The aws s3api get-bucket-acl command can be used to list an S3 Bucket Access Control List (ACL). In this example, user johndoe has been granted FULL_CONTROL.

~]$ aws s3api get-bucket-acl --bucket my-bucket-abc123
{
    "Owner": {
        "DisplayName": "johndoe",
        "ID": "ab0e0a12345678903a77c82240d5cb3fc41ff11cc312345678977a5f8e743743"
    },
    "Grants": [
        {
            "Grantee": {
                "DisplayName": "johndoe",
                "ID": "ab0e0a12345678903a77c82240d5cb3fc41ff11cc312345678977a5f8e743743",
                "Type": "CanonicalUser"
            },
            "Permission": "FULL_CONTROL"
        }
    ]
}

 

You may want to try granting the user the WRITE_ACP permission.

aws s3api put-object \
--bucket my-bucket-abc123 \
--key example.txt \
--body /tmp/example.txt \
--grant-write-acp id=abcdefg1e318d5103a77c82240d5cb3fc41ff11cc325c65b5c777abcdefg

 



