
I am trying to use the AWS s3 commands to list and get objects from the terminal. I already configured the credentials with the private key of the IAM user, and I added the policy to the bucket as well, but no matter what I do, I always get this error:

aws s3 ls s3://folder-staging/file01.txt --profile folder-staging

"An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied"

This is my policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGetObjects",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::233420108572:user/manolo"
            },
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::folder-staging",
                "arn:aws:s3:::folder-staging/*"
            ]
        }
    ]
}

I also tried a more permissive variation, but it does not work either:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGetObjects",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::folder-staging",
                "arn:aws:s3:::folder-staging/*"
            ]
        }
    ]
}

I also switched "Block public access (bucket settings)" to Off.

2 Answers


  1. First and most important: go and put back the "Block public access" flag, unless you want your bucket to be publicly accessible, which, judging from your bucket policy, I think is not your case. (https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html)

    From what you describe, I suppose you want to access your bucket from the user arn:aws:iam::233420108572:user/manolo.

    So there are a couple of things to check for troubleshooting:

    1. Your user should have an IAM identity policy that allows it to do s3:ListBucket and s3:GetObject on the desired bucket. The resource policy alone is not enough. That policy is used to restrict access, not to allow it. As a rule of thumb you will always need a policy on the user/role that is trying to perform an action that allows it to do so. (docs: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console)
    2. Check that you are trying to do the s3 ls with the correct credentials. To do so, you can use the AWS CLI; just run:

    aws sts get-caller-identity

    and see if you are actually acting as the user arn:aws:iam::233420108572:user/manolo.

    Let me know if this helps you. I will also leave here a blog post with some troubleshooting for your error: https://repost.aws/knowledge-center/s3-troubleshoot-403

  2. If you wish to grant access to a specific user, it is typically better to grant access via a policy on the IAM User rather than via a Bucket Policy. Bucket Policies are typically only used to grant ‘public’ or cross-account access.

    It would be similar to the policy you already wrote:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:ListBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::folder-staging",
                    "arn:aws:s3:::folder-staging/*"
                ]
            }
        ]
    }
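As an added illustration (not code from either answer, nor from AWS), the following Python script models the two checks the answers describe: whether an identity policy like the one above grants the calls that `aws s3 ls` and `aws s3 cp` make, and whether the `aws sts get-caller-identity` output names the expected principal. The policy and the caller-identity JSON are constructed samples, and the evaluator is a deliberately simplified version of IAM's Allow/Deny logic.

```python
import fnmatch
import json

# Constructed sample: the identity policy proposed in the second answer,
# as it would be attached to the IAM user rather than to the bucket.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::folder-staging", "arn:aws:s3:::folder-staging/*"],
    }],
}

# Constructed output of `aws sts get-caller-identity` for the user in the question.
SAMPLE_IDENTITY = ('{"UserId": "AIDAEXAMPLEUSERID", "Account": "233420108572", '
                   '"Arn": "arn:aws:iam::233420108572:user/manolo"}')

def _matches(patterns, value, fold_case):
    # IAM wildcards: '*' matches any run, '?' one character. Action names are
    # case-insensitive; resource ARNs (S3 object keys included) are not.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(policy, action, resource):
    """Simplified single-policy IAM evaluation: explicit Deny wins, any matching
    Allow grants, no match is an implicit deny. Condition, NotAction, NotResource
    and Principal elements are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        if "Action" not in stmt or "Resource" not in stmt:
            continue
        if _matches(stmt["Action"], action, True) and _matches(stmt["Resource"], resource, False):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def ls_is_permitted(policy, bucket="folder-staging"):
    # `aws s3 ls s3://folder-staging/...` issues ListObjectsV2, which needs
    # s3:ListBucket on the bucket ARN itself; a policy that lists only the
    # object ARN "arn:aws:s3:::bucket/*" never matches it.
    return is_allowed(policy, "s3:ListBucket", f"arn:aws:s3:::{bucket}")

def caller_is(identity_output, expected_arn):
    # Checks the JSON printed by `aws sts get-caller-identity` (answer 1, step 2).
    return json.loads(identity_output).get("Arn") == expected_arn
```

Running the same checks against a policy whose only resource is the object ARN shows why the ListObjectsV2 call in the question still fails even when GetObject works.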
    