I have created an s3 bucket with no policy and have uploaded a file with kms encryption . I have granted my ec2 instances full s3 access but still I'am not able to download the encrypted file(using aws CLI). it shows the following error: " An error occurred (AccessDenied) when calling the GetObject operation: Access Denied" but
I can download non-encrypted files from the same bucket with the same instance without any problem. Where am I gng wrong?
You also need to grant the instance access to the KMS key that was used to encrypt the file.
Related
I have an AWS account with data on S3. This is an MFA account and I am able to access the folders via the web. I am trying to connect to S3 from CLI. I have installed AWS CI on my mac. I have saved the access key, secret key, access token and region in a profile named mfa_0729.
When I am running the following in my terminal
aws s3 ls --profile mfa_0729 I get the error
An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
When I run the same code using the bucket aws s3 ls s3://my-bucket/ , I get the error
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
Can someone point out what I am doing wrong here?
My account has two S3 buckets, both them have the same permission settings. The same account has one EB and an EC2 instance generated by the EB. There are several policies attached to this ec2 instance role, one policy is AmazonS3FullAccess.
I test accessing S3 buckets from that EC2 instance using command aws s3 ls s3://bucket-name.
But received different results.
One bucket give the list of objects, but one bucket gives error: An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
Can you please give any comments on that?
I found an issue with a S3 bucket.
The bucket don't have any ACL associated, and the user that create the bucket was deleted.
How it's possible add some ACL in the bucket to get the control back?
For any command using AWS CLI, the result are the same always: An error occurred (AccessDenied) when calling the operation: Access Denied
Also in AWS console the access is denied.
First things first , AccessDenied error in AWS indicates that your AWS user does not have access to S3 service , Get S3 permission to your IAM user account , if in case you had access to AWS S3 service.
The thing is since you are using cli make sure AWS client KEY and secret are still correctly in local.
Now the interesting use case :
You have access to S3 service but cannot access the bucket since the bucket had some policies set
In this case if user who set the policies left and no user was able to access this bucket, the best way is to ask AWS root account holder to change the bucket permissions
An IAM user with the managed policy named AdministratorAccess should be able to access all S3 buckets within the same AWS account. Unless you have applied some unusual S3 bucket policy or ACL, in which case you might need to log in as the account's root user and modify that bucket policy or ACL.
See Why am I getting an "Access Denied" error from the S3 when I try to modify a bucket policy?
I just posted this on a related thread...
https://stackoverflow.com/a/73977525/999943
https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-owner-full-control-acl/
Basically when putting objects from the non-bucket owner, you need to set the acl at the same time.
--acl bucket-owner-full-control
I created a new user that I only want to have access to a limited number of resources, mainly to read from S3.
For some reason, it will only read from the s3 bucket if I provide the AdministratorAccess policy to the IAM user. Here is the command
aws s3 cp s3://my-bucket/my-config.json my-config.json
Error with AmazonS3ReadOnlyAccess:
download failed: s3://my-bucket/my-config.json to ./my-config.json An error occurred (AccessDenied) when calling the GetObject operation: Access Denied
But when I add AdministratorAccess it copies the file down just fine.
AmazonS3ReadOnlyAccess has access to the GetObject action on ALL resources as well. Does anyone know why I'd be seeing this behavior?
The issue here had to do with the encryption key used to encrypt objects in the bucket. I am using KMS encryption (at rest) for objects in this S3 bucket. The new user I had created, had not been added to Key Users for this specific KMS key. This was preventing the user from using this key to decrypt the object during the GetObject action in S3. So that action specifically, failed which gave the (not-so-clear) error message.
To fix: add the IAM user as a key user under KMS and all works now. Phew..
I want to sync data between two s3 buckets.
The problem is that each one is owned by different AWS accounts (i.e. access key id and secret access key).
I tried to make the destination bucket publicly writable, but I still get
fatal error: An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied
How to solve this?
I solved by giving permissions to write the destination bucket to the source bucket's AWS account.
I went to bucket "Permissions" tab of the destination bucket, "Access for other AWS accounts" and I gave permissions to the source bucket's AWS account by using the account email.
Then I copied the files by using AWS CLI (don't forget to grant full access to the recipient account!):
aws s3 cp s3://<source_bucket>/<folder_path>/ s3://<destination_bucket> --recursive --profile <source_AWSaccount_profile> --grants full=emailaddress=<destination_account_emailaddress>