skip to Main Content

I’m getting access error while tagging a bucket. Please note that the role I’m using has s3 full access.
The code works fine till this point-

for bucket in s3.buckets.all():
            s3_bucket = bucket
            s3_bucket_name = s3_bucket.name
            try:
                response = s3_client.get_bucket_tagging(Bucket=s3_bucket_name)
                print(response)
            except ClientError:
                print (s3_bucket_name, "does not have tags")
                

but after adding putTag code, it gives error even for GetBucketTagging operation.
This is my final code:

for bucket in s3.buckets.all():
            s3_bucket = bucket
            s3_bucket_name = s3_bucket.name
            try:
                response = s3_client.get_bucket_tagging(Bucket=s3_bucket_name)
                print(response)
                
            except ClientError:
                print (s3_bucket_name, "does not have tags")
                bucket_tagging = s3.BucketTagging(s3_bucket_name)
                response = bucket_tagging.put(
                 Tagging={
                      'TagSet': [
                        {
                            'Key': 'pcs:name',
                            'Value': s3_bucket_name
                        },
                      ]
                    },
                )

The error I’m getting is-

botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the GetBucketTagging operation: Access Denied

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "tagging.py", line 91, in <module>
    tagging()
  File "tagging.py", line 71, in tagging
    'Value': s3_bucket_name
  File "/home/ec2-user/compass_backend/compass_backend/lib64/python3.7/site-packages/boto3/resources/factory.py", line 520, in do_action
    response = action(self, *args, **kwargs)
  File "/home/ec2-user/compass_backend/compass_backend/lib64/python3.7/site-packages/boto3/resources/action.py", line 83, in __call__
    response = getattr(parent.meta.client, operation_name)(*args, **params)
  File "/home/ec2-user/compass_backend/compass_backend/lib64/python3.7/site-packages/botocore/client.py", line 395, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/home/ec2-user/compass_backend/compass_backend/lib64/python3.7/site-packages/botocore/client.py", line 725, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the PutBucketTagging operation: Access Denied

am I passing the tag parameters wrong? Got this from Boto3 documentation itself

3

Answers


  1. Chosen as BEST ANSWER

    I couldn't find a way to catch the exception, however, this worked for me:

    tagging_client = boto3.client('resourcegroupstaggingapi')
    s3 = boto3.resource('s3')
    s3_client = boto3.client('s3')
    for bucket in s3.buckets.all():
         s3_bucket = bucket
         s3_bucket_name = s3_bucket.name
         bucket_tagging = s3.BucketTagging(s3_bucket_name)
         try:
            response = s3_client.get_bucket_tagging(Bucket=s3_bucket_name)
            a = response
         except ClientError:
            response = tagging_client.tag_resources(
            ResourceARNList=[
                "arn:aws:s3:::" + bucket.name
            ],
            Tags={
                'pcs:name': bucket.name
            }
          )
    

    pls note that you'll need the additional "resource tagging" policy attached to your role. Hope this helps. Cheers.


  2. I took out the try sections and ran this version of your code:

    import boto3
    
    s3_resource = boto3.resource('s3')
    
    bucket_tagging = s3_resource.BucketTagging('my-bucket-name')
    response = bucket_tagging.put(
            Tagging={
                'TagSet': [
                {
                    'Key': 'pcs:name',
                    'Value': 'stackoverflow'
                },
                ]
            },
        )
    

    It worked fine:

    [Amazon S3 bucket tags

    Therefore, there must be something else that is causing your request to fail. You might want to check AWS CloudTrail to see if there is a hint as to why the request was denied.

    Login or Signup to reply.
  3. "get_bucket_tagging" throws NoSuchTagSet when there are no tags. for testing create a tag first before run test or Catch the exception and create tags.

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search