Copying S3 files from one account to another - amazon-web-services

I am trying to simply copy some files from another S3 account to mine, but I am constantly facing the following error:
An error occurred (AccessDenied) when calling the UploadPartCopy operation: Cannot access through this access point
I have added policies on the IAM user and the bucket for the required copy-paste operation.
IAM Policy (Destination User):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetObjectTagging",
        "s3:PutObjectTagging"
      ],
      "Resource": [
        "arn:aws:s3:us-west-2:620889225884:accesspoint/bulian-ai-mdl-parquet-1-access-point/*",
        "arn:aws:s3:us-west-2:620889225884:accesspoint/bulian-ai-mdl-parquet-1-access-point",
        "arn:aws:s3:::bulian-ai-mdl-parque-eziseoueyefwzsncu4iwr13fgpocyusw2b-s3alias/*",
        "arn:aws:s3:::bulian-ai-mdl-parque-eziseoueyefwzsncu4iwr13fgpocyusw2b-s3alias",
        "arn:aws:s3:::mobilelocationfeed.parquet.usw2.onemata.com/*",
        "arn:aws:s3:::mobilelocationfeed.parquet.usw2.onemata.com"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:GetObjectTagging",
        "s3:PutObjectTagging"
      ],
      "Resource": [
        "arn:aws:s3:::bulianai/",
        "arn:aws:s3:::bulianai/*"
      ]
    }
  ]
}
Bucket Policy (Destination):
{
  "Version": "2012-10-17",
  "Id": "Policy1611277539797",
  "Statement": [
    {
      "Sid": "Stmt1611277535086",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::864295014592:user/bulian_demo"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bulianai/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Sid": "Stmt1611277877767",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::864295014592:user/bulian_demo"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bulianai"
    }
  ]
}
I am able to list the source files on the CLI, therefore this account does have access to the source bucket. I am not quite sure what exactly the issue is here.
Edit:
Source Bucket:
s3://bulian-ai-mdl-parque-eziseoueyefwzsncu4iwr13fgpocyusw2b-s3alias/location_country=IN/output_year=2022/output_month=10/output_day=01/
Destination Bucket:
s3://bulianai/OneMata/

Strange, I have never seen such a usage of wildcards. Docs: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html
"s3:Get*",
"s3:List*",
"s3:Put*"
Your IAM policy is missing permissions for the source or destination bucket (unclear which is source and which is destination):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::source-DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::source-DOC-EXAMPLE-BUCKET/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::destination-DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::destination-DOC-EXAMPLE-BUCKET/*"
      ]
    }
  ]
}
Follow this: https://aws.amazon.com/premiumsupport/knowledge-center/copy-s3-objects-account/

AWS S3 Action does not apply to any resource(s) in statement

Hi, I followed the instructions of this answer and got the same error.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1614469992506",
      "Principal": "*",
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::<S3_Name>/*"
    }
  ]
}
I got the error:
Action does not apply to any resource(s) in statement
I checked the documentation and I can't find any solution.
ListBucket should be on the bucket resource itself, whereas the other object actions should be on the objects within the bucket. So we need /* for all the objects of the bucket.
IAM Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::<S3_Name>/*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::<S3_Name>"
    }
  ]
}
Bucket Policy:
Same as the IAM policy, except it has a Principal attached.
"Principal":"*" or "Principal":{"AWS":"*"} will give public access, and
"Principal":{"AWS":"arn:aws:iam::AccountNumber-WithoutHyphens:root"} will give access to the entire AWS account.
Some details here and here.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::<S3_Name>/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::<S3_Name>"
    }
  ]
}
You can try this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::<S3_Name>",
        "arn:aws:s3:::<S3_Name>/*"
      ]
    }
  ]
}
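The rule in the accepted answer (bucket-level actions such as s3:ListBucket need the bucket ARN, object-level actions need the "bucket/*" ARN) is easy to get wrong by hand, so here is an added checker that applies it to a policy document before you paste it into the console. This is example code written for this page, not anything from AWS or from the thread; the action tables are a constructed subset of S3 actions, the bucket name is a placeholder, and it only inspects the Action/Resource shape (it does not evaluate whether a request would be allowed).

```python
# Added example: flag S3 policy statements whose actions do not match the
# ARN form they apply to, and report JSON syntax errors with a position.
import fnmatch
import json

# Constructed lookup tables (a subset of S3 actions), keyed by the ARN form
# each action needs: the bucket ARN itself, or the "bucket/key" object ARN.
BUCKET_LEVEL = {
    "s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads",
    "s3:PutBucketAcl", "s3:GetBucketPolicy",
}
OBJECT_LEVEL = {
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl",
    "s3:GetObjectVersion", "s3:DeleteObjectVersion", "s3:GetObjectTagging",
    "s3:PutObjectTagging",
}
KNOWN_ACTIONS = BUCKET_LEVEL | OBJECT_LEVEL


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def arn_kinds(arn):
    """Return which levels an S3 ARN covers: {'bucket'}, {'object'}, or both for '*'."""
    if arn == "*":
        return {"bucket", "object"}
    parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
    if len(parts) != 6 or parts[2] != "s3":
        return set()  # not an S3 ARN; nothing to say about it
    resource = parts[5]
    if resource.startswith("accesspoint/"):
        # accesspoint/NAME is the access point itself; accesspoint/NAME/object/KEY is an object
        return {"object"} if "/object/" in resource else {"bucket"}
    # "bucket" is bucket-level; "bucket/anything" (including "bucket/*") is object-level
    return {"object"} if "/" in resource else {"bucket"}


def check_policy(policy_text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]

    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement", []))):
        resources = _as_list(statement.get("Resource", []))
        covered = set().union(*[arn_kinds(r) for r in resources])
        for pattern in _as_list(statement.get("Action", [])):
            # Expand wildcards such as "s3:Get*" against the known actions
            for action in sorted(a for a in KNOWN_ACTIONS if fnmatch.fnmatchcase(a, pattern)):
                needed = "bucket" if action in BUCKET_LEVEL else "object"
                if needed not in covered:
                    findings.append(
                        f"statement {index}: {action} needs a {needed}-level resource "
                        f"but Resource only lists {resources}"
                    )
    return findings


# Constructed sample: the shape that produces "Action does not apply to any
# resource(s) in statement", ListBucket granted only on the "/*" object ARN.
BROKEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:DeleteObject", "s3:GetObject", "s3:ListBucket", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed sample: the same grants with ListBucket moved to the bucket ARN.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:DeleteObject", "s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
    ],
})

if __name__ == "__main__":
    for name, text in [("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)]:
        print(name, check_policy(text) or "OK")
```

The checker treats a missing resource level as a finding rather than an error because a statement can legitimately list both the bucket ARN and the "/*" ARN, as the last answer above does; in that case every known action is covered and nothing is reported.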

AWS S3 policy limitation to regex path

I would like to create an AWS policy to limit the s3:PutObject access to a path in a bucket.
Easy, you would say, but:
I need to set the path with a regex: MyBucket/*/Folder1/Folder1-1/Object
It's a cross-account access.
I tried to do this but it's not working.
On Source Account User policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::MyBucket"
      ]
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "s3:GetObjectVersion",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::MyBucket/*"
      ]
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::MyBucket/*"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": "/*/Folder1/Folder1-1/*"
        }
      }
    }
  ]
}
On Destination Account bucket policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::MyAccountID:user/MyUser"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::MyBucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": "*/Folder1/Folder1-1/*"
        }
      }
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::MyAccountID:user/MyUser"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::MyBucket/*/Folder1/Folder1-1/*"
    }
  ]
}
To clarify my bucket structure:
|MyBucket
|-Client1
|-|-Folder1
|-|-|-Folder1-1
|-|-|-|-Object
|-Client1
|-|-Folder1
|-|-|-Folder1-1
|-|-|-|-Object
|-ClientXX
|-|-Folder1
|-|-|-Folder1-1
|-|-|-|-Object
I would like my user to get PutObject access only on the path Client*/Folder1/Folder1-1/. Could you please help me?
Wildcards are not supported in the middle of a string. However, you could use an IAM policy variable:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::mybucket"],
      "Condition": {"StringLike": {"s3:prefix": ["${aws:username}/Folder1/Folder1-1/*"]}}
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::mybucket/${aws:username}/Folder1/Folder1-1/*"]
    }
  ]
}
The ${aws:username} variable will insert the username of the user. This way, the wildcard is at the end of the string, which is valid.
This is a common way to allow multiple IAM Users to access the same bucket, but each only receives access to their folder within the bucket. This policy could be created on an IAM Group, and the IAM Group could then be assigned to each IAM User without the need to modify it for their particular folder.

Object level restriction for s3 with IAM Role

I am trying to restrict user access at the object level in S3.
There are 2 folders in the S3 bucket. I am trying to give access to only one folder among the objects.
The two folders are:
broker
carrier
This is the IAM role policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::lodeobucket"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
      ],
      "Resource": "arn:aws:s3:::lodeobucket/broker/*"
    }
  ]
}
But the user is able to access the carrier folder as well.
Could anyone suggest what I am missing?
If you add the following condition:
"Condition":{"StringLike":{"s3:prefix":["","broker/*"]}}
your user will not be able to enter the carrier folder. It will still be visible in the console. I don't think you can "hide" other folders, as this will break console access.
You can try the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::lodeobucket",
      "Condition":{"StringLike":{"s3:prefix":["","broker/*"]}}
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
      ],
      "Resource": "arn:aws:s3:::lodeobucket/broker/*"
    }
  ]
}
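Both this answer and the ${aws:username} answer to the previous question rely on the same two mechanisms: a resource ARN whose wildcard sits at the end, and a StringLike condition on s3:prefix that decides which listings are allowed. The added evaluator below, written for this page and not taken from AWS or the thread, models just those mechanisms (Allow/Deny matching, IAM-style "*" and "?" wildcards, StringLike with policy-variable substitution) so you can see, offline, which requests each policy lets through. It deliberately ignores everything else IAM does (resource policies, IfExists, other condition operators), and the bucket names and request contexts are constructed copies of the ones in the two answers.

```python
# Added example: a toy evaluator for identity policies that use end-of-string
# wildcards and s3:prefix StringLike conditions with ${aws:username}.
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def substitute(text, context):
    """Replace ${key} policy variables with values from the request context."""
    for key, value in context.items():
        text = text.replace("${" + key + "}", value)
    return text


def like(pattern, value):
    """IAM StringLike / ARN matching: * matches any run (including '/'), ? one character."""
    return fnmatch.fnmatchcase(value, pattern)


def statement_matches(statement, action, resource, context):
    """True if the statement applies to this request, regardless of its Effect."""
    if not any(like(substitute(a, context), action) for a in _as_list(statement["Action"])):
        return False
    if not any(like(substitute(r, context), resource) for r in _as_list(statement["Resource"])):
        return False
    for key, patterns in statement.get("Condition", {}).get("StringLike", {}).items():
        value = context.get(key)
        if value is None:  # a plain StringLike on a key absent from the request does not match
            return False
        if not any(like(substitute(p, context), value) for p in _as_list(patterns)):
            return False
    return True


def is_allowed(policy, action, resource, context):
    """Explicit Deny wins; otherwise any matching Allow grants; the default is deny."""
    effects = {s["Effect"] for s in policy["Statement"]
               if statement_matches(s, action, resource, context)}
    return "Deny" not in effects and "Allow" in effects


# Constructed copy of the per-user folder policy from the previous answer.
PER_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["s3:ListBucket"], "Effect": "Allow", "Resource": ["arn:aws:s3:::mybucket"],
         "Condition": {"StringLike": {"s3:prefix": ["${aws:username}/Folder1/Folder1-1/*"]}}},
        {"Action": ["s3:GetObject", "s3:PutObject"], "Effect": "Allow",
         "Resource": ["arn:aws:s3:::mybucket/${aws:username}/Folder1/Folder1-1/*"]},
    ],
}

# Constructed copy of the broker-only policy from the answer above.
BROKER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": "arn:aws:s3:::lodeobucket",
         "Condition": {"StringLike": {"s3:prefix": ["", "broker/*"]}}},
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion",
                                       "s3:DeleteObject", "s3:DeleteObjectVersion"],
         "Resource": "arn:aws:s3:::lodeobucket/broker/*"},
    ],
}


def demo():
    """Evaluate a few constructed requests against both policies."""
    client1 = {"aws:username": "Client1"}
    bucket, obj = "arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/{}/Folder1/Folder1-1/Object"
    return {
        "own_folder_put": is_allowed(PER_USER_POLICY, "s3:PutObject", obj.format("Client1"), client1),
        "other_folder_put": is_allowed(PER_USER_POLICY, "s3:PutObject", obj.format("Client2"), client1),
        "own_list": is_allowed(PER_USER_POLICY, "s3:ListBucket", bucket,
                               {**client1, "s3:prefix": "Client1/Folder1/Folder1-1/"}),
        "other_list": is_allowed(PER_USER_POLICY, "s3:ListBucket", bucket,
                                 {**client1, "s3:prefix": "Client2/Folder1/Folder1-1/"}),
        "root_list": is_allowed(BROKER_POLICY, "s3:ListBucket", "arn:aws:s3:::lodeobucket", {"s3:prefix": ""}),
        "broker_list": is_allowed(BROKER_POLICY, "s3:ListBucket", "arn:aws:s3:::lodeobucket", {"s3:prefix": "broker/"}),
        "carrier_list": is_allowed(BROKER_POLICY, "s3:ListBucket", "arn:aws:s3:::lodeobucket", {"s3:prefix": "carrier/"}),
        "carrier_get": is_allowed(BROKER_POLICY, "s3:GetObject", "arn:aws:s3:::lodeobucket/carrier/x.csv", {}),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The "" entry in the broker condition is what keeps the console usable: listing the bucket root sends an empty prefix, and without that entry the StringLike check fails and the console shows Access Denied before the user can click into broker/. The "carrier_list" and "carrier_get" results show the difference between the two answers' mechanisms: the condition blocks listing under carrier/, while the end-of-string wildcard in the object ARN blocks reading objects there.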

unable to assign IAM and S3 Bucket policies to List/Get/Put

It has been 2 hours trying to figure this out. I have an IAM user s3readonly with the following attached policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": "arn:aws:s3:::MyBucket"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::MyBucket/*"
    }
  ]
}
and the S3 bucket policy for MyBucket (names changed):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow Read Only for s3readonly user",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::MyAccountId:user/s3readonly"
      },
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::MyBucket"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::MyAccountId:user/s3readonly"
      },
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::MyBucket/*"
    }
  ]
}
However, even after the many changes I made to arrive at the above, when I log in as s3readonly I get "Access Denied" in the S3 dashboard.
Can anyone help?

Bucket Policy Editor:Policy could not be parsed as a valid JSON string

I'm learning about the AWS CLI, and I am trying to copy from a local folder to a bucket in S3. When I type the command, the output returns this error:
upload failed: ./lalala.txt to s3://buecket_name/ An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
So I searched about this and the Internet tells me that the problem is in the bucket policy editor, so I tried to edit the policy, but when I click save the error is:
Bucket Policy Editor:Policy could not be parsed as a valid JSON string
My policy script:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets"
      "Resource": "arn:aws:s3:::bucket-name*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::bucket-name"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::bucket-name/*"
    }
  ]
}
So I tried changing the script by adding the "Principal", as someone recommended, but the errors continue:
Policy could not be parsed as a valid JSON string
The current script:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:Sao Paulo:X1X8XX6YYY16X:name-bucket*"
    },
    "Principal": {
      "AWS": [
        "arn:aws:iam::AWS-account-ID:root"
      ]
    }
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::bucket-name"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::bucket-name/*"
    }
  ]
}
What am I doing wrong?
You are missing a comma after the first Action part:
"Action": "s3:ListAllMyBuckets",
Validating JSON can be done through services like jslint.
The policy for read/write access to a specific bucket is as below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3Actions",
      "Resource": [
        "arn:aws:s3:::bucket-name/*",
        "arn:aws:s3:::bucket-name"
      ],
      "Action": [
        "s3:DeleteObject",
        "s3:PutBucketAcl",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:Get*",
        "s3:List*"
      ],
      "Effect": "Allow"
    }
  ]
}
Also, you can use the Policy Simulator, where you can select the policy and try it out to make sure that the appropriate actions are allowed for your API call without any issues.