I want to sync data between two s3 buckets.
The problem is that each one is owned by different AWS accounts (i.e. access key id and secret access key).
I tried to make the destination bucket publicly writable, but I still get
fatal error: An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied
How to solve this?
I solved by giving permissions to write the destination bucket to the source bucket's AWS account.
I went to bucket "Permissions" tab of the destination bucket, "Access for other AWS accounts" and I gave permissions to the source bucket's AWS account by using the account email.
Then I copied the files by using AWS CLI (don't forget to grant full access to the recipient account!):
aws s3 cp s3://<source_bucket>/<folder_path>/ s3://<destination_bucket> --recursive --profile <source_AWSaccount_profile> --grants full=emailaddress=<destination_account_emailaddress>
Related
I found an issue with a S3 bucket.
The bucket don't have any ACL associated, and the user that create the bucket was deleted.
How it's possible add some ACL in the bucket to get the control back?
For any command using AWS CLI, the result are the same always: An error occurred (AccessDenied) when calling the operation: Access Denied
Also in AWS console the access is denied.
First things first , AccessDenied error in AWS indicates that your AWS user does not have access to S3 service , Get S3 permission to your IAM user account , if in case you had access to AWS S3 service.
The thing is since you are using cli make sure AWS client KEY and secret are still correctly in local.
Now the interesting use case :
You have access to S3 service but cannot access the bucket since the bucket had some policies set
In this case if user who set the policies left and no user was able to access this bucket, the best way is to ask AWS root account holder to change the bucket permissions
An IAM user with the managed policy named AdministratorAccess should be able to access all S3 buckets within the same AWS account. Unless you have applied some unusual S3 bucket policy or ACL, in which case you might need to log in as the account's root user and modify that bucket policy or ACL.
See Why am I getting an "Access Denied" error from the S3 when I try to modify a bucket policy?
I just posted this on a related thread...
https://stackoverflow.com/a/73977525/999943
https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-owner-full-control-acl/
Basically when putting objects from the non-bucket owner, you need to set the acl at the same time.
--acl bucket-owner-full-control
I have a problem with removing S3 bucket with the following ERROR state (check this image).
I tried to remove it via aws cli but the result is of course:
aws s3 rb s3://hierarchy --force
fatal error: An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied
I can't change anything (bucket policy, etc.) on this bucket.
I have to mention that I'm administrator and have all privileges on the AWS account.
Google does not help me. I would like to know if is it possible to remove bucket like this.
It is possible that there is a Bucket Policy containing a Deny statement that is preventing your access.
Find somebody who has access to the Root credentials, which should be able to delete it.
If that fails, contact AWS Support.
I created a new user that I only want to have access to a limited number of resources, mainly to read from S3.
For some reason, it will only read from the s3 bucket if I provide the AdministratorAccess policy to the IAM user. Here is the command
aws s3 cp s3://my-bucket/my-config.json my-config.json
Error with AmazonS3ReadOnlyAccess:
download failed: s3://my-bucket/my-config.json to ./my-config.json An error occurred (AccessDenied) when calling the GetObject operation: Access Denied
But when I add AdministratorAccess it copies the file down just fine.
AmazonS3ReadOnlyAccess has access to the GetObject action on ALL resources as well. Does anyone know why I'd be seeing this behavior?
The issue here had to do with the encryption key used to encrypt objects in the bucket. I am using KMS encryption (at rest) for objects in this S3 bucket. The new user I had created, had not been added to Key Users for this specific KMS key. This was preventing the user from using this key to decrypt the object during the GetObject action in S3. So that action specifically, failed which gave the (not-so-clear) error message.
To fix: add the IAM user as a key user under KMS and all works now. Phew..
I have created an s3 bucket with no policy and have uploaded a file with kms encryption . I have granted my ec2 instances full s3 access but still I'am not able to download the encrypted file(using aws CLI). it shows the following error: " An error occurred (AccessDenied) when calling the GetObject operation: Access Denied" but
I can download non-encrypted files from the same bucket with the same instance without any problem. Where am I gng wrong?
You also need to grant the instance access to the KMS key that was used to encrypt the file.
There's a specific bucket (not from my account) which I want to have access. The authors of the bucket have a github site here, and they made the data accessible. The problem comes when I try to aws s3 ls which I get the following error:
aws s3 \
--region eu-west-1 \
ls s3://ngi-igenomes/igenomes/Homo_sapiens/Ensembl/GRCh37/Annotation/Genes/
A client error (AccessDenied) occurred when calling the ListObjects operation: Access Denied
This is somewhat strange because the bucket has a Requester Pays policy meaning that access is limited to authenticated requests only, and I have a user with an access key, secret access key and my account/s3 buckets/etc ... is in same region (eu-west) than the bucket I'm trying to access.
So, I'm asking for help as I do not understand why I don't have access.
Thanks in advance for the help!
Your error says: A client error (AccessDenied) occurred when calling the ListObjects operation: Access Denied
This means that you have not been granted permission to list that bucket (or at least that path within the bucket).
Since the bucket is in a different AWS account, the only way these permissions can be granted to you is via an Amazon S3 bucket policy. Only the owner of the bucket can configure the bucket policy (or, more accurately, any user within that account who has the necessary permissions to edit the Bucket Policy).
(If it was in the same account, it would be possible to also use an IAM User policy to grant access.)
Alternatively, the bucket owners could create an IAM Role that has the necessary permissions and they could configure a Trust relationship to your normal IAM User. You would assume the role and then access the bucket. However, this would defeat the Requester Pays capabilities because they would be charged for such access.
This happens when weather bucket has requester pays policy and you don't include requester pays header explicitly in your request