Home / server / Questions / 556077
Accepted
Josh Gagnon
Asked: 2013-11-20 11:37:12 +0800 CST

What is causing Access Denied when using the aws cli to download from Amazon S3?

  • 772

I'm really flailing around in AWS trying to figure out what I'm missing here. I'd like to make it so that an IAM user can download files from an S3 bucket - without just making the files totally public - but I'm getting access denied. If anyone can spot what's off I'll be stoked.

What I've done so far:

  • Created a user called my-user (for sake of example)
  • Generated access keys for the user and put them in ~/.aws on an EC2 instance
  • Created a bucket policy that I'd hoped grants access for my-user
  • Ran the command aws s3 cp --profile my-user s3://my-bucket/thing.zip .

Bucket policy:

{
  "Id": "Policy1384791162970",
  "Statement": [
    {
      "Sid": "Stmt1384791151633",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:user/my-user"
      }
    }
  ]
}

The result is A client error (AccessDenied) occurred: Access Denied although I can download using the same command and the default (root account?) access keys.

I've tried adding a user policy as well. While I don't know why it would be necessary I thought it wouldn't hurt, so I attached this to my-user.

{
  "Statement": [
    {
      "Sid": "Stmt1384889624746",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}

Same results.

amazon-s3

8 Answers

  1. Best Answer

    I was struggling with this, too, but I found an answer over here https://stackoverflow.com/a/17162973/1750869 that helped resolve this issue for me. Reposting answer below.

    You don't have to open permissions to everyone. Use the below Bucket policies on source and destination for copying from a bucket in one account to another using an IAM user

    Bucket to Copy from – SourceBucket

    Bucket to Copy to – DestinationBucket

    Source AWS Account ID - XXXX–XXXX-XXXX

    Source IAM User - src–iam-user

    The below policy means – the IAM user - XXXX–XXXX-XXXX:src–iam-user has s3:ListBucket and s3:GetObject privileges on SourceBucket/* and s3:ListBucket and s3:PutObject privileges on DestinationBucket/*

    On the SourceBucket the policy should be like:

    {
"Id": "Policy1357935677554",
"Statement": [
    {
        "Sid": "Stmt1357935647218",
        "Action": [
            "s3:ListBucket"
        ],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::SourceBucket",
        "Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"}
    },
    {
        "Sid": "Stmt1357935676138",
        "Action": ["s3:GetObject"],
        "Effect": "Allow",
        "Resource": "arn:aws:s3::: SourceBucket/*",
        "Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"}
   }
]
}

    On the DestinationBucket the policy should be:

    {
"Id": "Policy1357935677554",
"Statement": [
    {
        "Sid": "Stmt1357935647218",
        "Action": [
            "s3:ListBucket"
        ],
        "Effect": "Allow",
        "Resource": "arn:aws:s3::: DestinationBucket",
        "Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"}
    },
    {
        "Sid": "Stmt1357935676138",
        "Action": ["s3:PutObject"],
        "Effect": "Allow",
        "Resource": "arn:aws:s3::: DestinationBucket/*",
        "Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"}
   }
]
}

    command to be run is s3cmd cp s3://SourceBucket/File1 s3://DestinationBucket/File1

    • 42

  2. When I faced the same issue it turned out that AWS required server-side encryption to be enabled. So the following command worked successfully for me:

    aws s3 cp test.txt s3://my-s3-bucket --sse AES256
    • 16

  3. Even if your IAM policies are set up correctly, you can still get an error like An error occurred (AccessDenied) when calling the <OPERATION-NAME> operation: Access Denied due to MFA (Multi-Factor Authentication) requirements on your credentials. These can catch you off guard because if you've already logged into the AWS console it will appear that your credentials are working fine, and the permission denied error message from aws cli is not particularly helpful.

    There are some good instructions already on how to set up MFA with aws cli:

    Basically, you need the need to get to address of your MFA device, and send that with the code from your device to get a temporary token.

    • 6

  4. I wouldn't recommend the 'Any authenticated AWS user' option mentioned by James.

    Doing so adds a bucket-level ACL that allows any AWS account (not just your IAM users) to list/delete/modify-acls for that bucket.

    i.e. public read/write for anyone with an aws account.

    • 5

  5. I managed to fix this without having to write polices - from the S3 console (web ui) I selected the bucket and in the permissions tab chose "Any Authenticated AWS User" and ticket all the boxes.

    UPDATE: as pointed out in comments "Any Authenticated AWS User" isn't just users in your account it's all AWS authenticated user, please use with caution

    • 3

  6. I just simply went on the webUI on and clicked on the bucket, then went to permissions and then went to policy. When I opened it up I just clicked delete. I did this for I think it was configuration as well.

    I went back to the main s3 page, then clicked on the bucket and attempted to delete it and it worked.

    even when I did it by aws-cli using 

    $ aws s3 rb s3://bucket-name --force

    Anyway, that is the thing that worked for me. The policy on permissions is stopping you from deleting the bucket.

    • 0

  7. Once I got this error by simply trying to run:

    aws s3 cp s3://[bucketName]/[fileName] .

    in a folder where I didn't have permissions. It's silly, but make sure you are the owner of the folder you are in before moving on!

    • 0

  8. The issue arises when u insert invalid resource or object names .I had the same issue with boto3 (in my case it was invalid bucket name)

    • 0