AccessDenied for ListObjects for S3 bucket when permissions are s3

Question

I am getting       An error occurred  AccessDenied  when calling the ListObjects operation  Access Denied    When I try to get folder from my S3 bucket   Using this command    aws s3 cp s3   bucket-name data all-data    --recursive   The IAM permissions for the bucket look like this      Version    version id    Statement                    Sid    some id            Effect    Allow            Action                  s3                        Resource                  arn aws s3   bucketname                          What do I need to change to be able to copy and ls successfully

User · Answer

I faced with the same issue  I just added credentials config    aws access key id   your aws access key id aws secret access key   your aws secret access key   into     aws credentials    restart terminal for default profile   In the case of multi profiles --profile arg needs to be added   aws s3 sync   localDir s3   bucketName --profile   PROFILE NAME    where PROFILE NAME    bash profile   or  bashrc  - gt  export PROFILE NAME  yourProfileName    More info about how to config credentials and multi profiles can be found here

User · Answer

I had this issue  my requirement  i wanted to allow user to write to specific path                  Sid    raspiiotallowspecificBucket                Effect    Allow                Action                      s3 GetObject                    s3 PutObject                    s3 ListBucket                              Resource                      arn aws s3    lt bucketname gt  scripts                    arn aws s3    lt bucketname gt  scripts                               and problem was solved with this change                  Sid    raspiiotallowspecificBucket                Effect    Allow                Action                      s3 GetObject                    s3 PutObject                    s3 ListBucket                              Resource                      arn aws s3    lt bucketname gt                     arn aws s3    lt bucketname gt

User · Answer

I like this better than any of the previous answers   It shows how to use the YAML format and lets you use a variable to specify the bucket      - PolicyName   quot AllowIncomingBucket quot        PolicyDocument          Version   quot 2012-10-17 quot          Statement            - Effect   quot Allow quot              Action   quot s3   quot              Resource                -  Ref S3BucketArn               -  Join   quot   quot     Ref S3BucketArn

User · Answer

I was unable to access to S3 because    first I configured key access on the instance  it was impossible to attach role after the launch then  forgot about it for a few months attached role to instance  tried to access   The configured key had higher priority than role  and access was denied because the user wasn t granted with necessary S3 permissions    Solution  rm -rf  aws credentials  then aws uses role

User · Answer

I was thinking the error is due to  s3 ListObjects  action but I had to add the action   s3 ListBucket  to solve the issue  AccessDenied for ListObjects for S3 bucket

User · Answer

To allow permissions in s3 bucket go to the permissions tab in s3 bucket and in bucket policy change the action to this which will allow all actions to be performed   quot Action quot   quot   quot

User · Answer

I m adding an answer with the same direction as the accepted answer but with small  important  differences and adding more details   Consider the configuration below        Version    2012-10-17      Statement                  Effect    Allow          Action     s3 ListBucket           Resource     arn aws s3    lt Bucket-Name gt                        Effect    Allow          Action              s3 PutObject            s3 DeleteObject                  Resource     arn aws s3    lt Bucket-Name gt                    The policy grants programmatic write-delete access and is separated into two parts    The ListBucket action provides permissions on the bucket level and the other PutObject DeleteObject actions require permissions on the objects inside the bucket    The first Resource element specifies arn aws s3    lt Bucket-Name gt  for the ListBucket action so that applications can list all objects in the bucket   The second Resource element specifies arn aws s3    lt Bucket-Name gt    for the PutObject  and DeletObject actions so that applications can write or delete any objects in the bucket   The separation into two different  arns  is important from security reasons in order to specify bucket-level and object-level fine grained permissions    Notice that if I would have specified just GetObject in the 2nd block what would happen is that in cases of programmatic access I would receive an error like   Upload failed   lt file-name gt  to  lt bucket-name gt   lt path-in-bucket gt  An error occurred  AccessDenied  when calling the PutObject operation  Access Denied

User · Answer

I tried the following   aws s3 ls s3 console aws amazon com s3 buckets  bucket name    This gave me the error   An error occurred  AccessDenied  when calling the ListObjectsV2 operation  Access Denied   Using this form worked   aws s3 ls  bucket name

User · Answer

You have given permission to perform commands on objects inside the S3 bucket  but you have not given permission to perform any actions on the bucket itself   Slightly modifying your policy would look like this        Version    version id      Statement                    Sid    some id            Effect    Allow            Action                  s3                        Resource                  arn aws s3   bucketname                arn aws s3   bucketname                             However  that probably gives more permission than is needed  Following the AWS IAM best practice of Granting Least Privilege would look something like this        Version    2012-10-17      Statement                        Effect    Allow              Action                    s3 ListBucket                          Resource                    arn aws s3   bucketname                                          Effect    Allow              Action                    s3 GetObject                          Resource                    arn aws s3   bucketname

User · Answer

If you wanted to copy all s3 bucket objects using the command  aws s3 cp s3   bucket-name data all-data    --recursive  as you mentioned  here is a safe and minimal policy to do that        Version    2012-10-17      Statement                        Effect    Allow              Action                    s3 ListBucket                          Resource                    arn aws s3   bucket-name                          Condition                    StringLike                        s3 prefix    data all-data                                                            Effect    Allow              Action                    s3 GetObject                          Resource                    arn aws s3   bucket-name data all-data                                The first statement in this policy allows for listing objects inside a specific bucket s sub directory   The resource needs to be the arn of the S3 bucket  and to limit listing to only a sub-directory in that bucket you can edit the  s3 prefix  value   The second statement in this policy allows for getting objects inside of the bucket at a specific sub-directory   This means that anything inside the  s3   bucket-name data all-data   path you will be able to copy   Be aware that this doesn t allow you to copy from parent paths such as  s3   bucket-name data     This solution is specific to limiting use for AWS CLI commands  if you need to limit S3 access through the AWS console or API  then more policies will be needed   I suggest taking a look here  https   aws amazon com blogs security writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket    A similar issue to this can be found here which led me to the solution I am giving  https   github com aws aws-cli issues 2408  Hope this helps

User · Answer

I got the same error when using policy as below  although i have  s3 ListBucket  for s3 ListObjects operation      Version    2012-10-17    Statement                    Action                  s3 ListBucket                s3 GetObject                s3 GetObjectAcl                      Resource                  arn aws s3    lt bucketname gt                   arn aws s3    -bucket                        Effect    Allow                 Then i fixed it by adding one line   arn aws s3   bucketname           Version    2012-10-17    Statement                    Action                  s3 ListBucket                s3 GetObject                s3 GetObjectAcl                      Resource                   arn aws s3    lt bucketname gt                 arn aws s3    lt bucketname gt                   arn aws s3    -bucket                        Effect    Allow

User · Answer

You have to specify Resource for the bucket via  quot arn aws s3   bucketname quot  or  quot arn aws 3   bucketname  quot   The latter is preferred since it allows manipulations on the bucket s objects too  Notice there is no slash  Listing objects is an operation on Bucket  Therefore  action  quot s3 ListBucket quot  is required  Adding an object to the Bucket is an operation on Object  Therefore  action  quot s3 PutObject quot  is needed  Certainly  you may want to add other actions as you require     quot Version quot    quot version id quot    quot Statement quot                    quot Sid quot    quot some id quot            quot Effect quot    quot Allow quot            quot Action quot                  quot s3 ListBucket quot                quot s3 PutObject quot                      quot Resource quot                  quot arn aws s3   bucketname  quot

User · Answer

Ran into a similar issues  for me the problem was that I had different AWS keys set in my bash profile    I answered a similar question here  https   stackoverflow com a 57317494 11871462  If you have conflicting AWS keys in your bash profile  AWS CLI defaults to these instead

[amazon-web-services] AccessDenied for ListObjects for S3 bucket when permissions are s3:*

Examples related to amazon-web-services

Examples related to amazon-s3