iam user not able to write to s3 - amazon-web-services

i have this policy, why is it not able to write to s3 bucket
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": [
"arn:aws:s3:::cf-templates-erb4urdcaiht-us-east-1",
"arn:aws:s3:::elasticbeanstalk-us-east-1-008151213029",
"arn:aws:s3:::test-bucket-for-iam"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject*",
"s3:GetObject*",
"s3:GetObjectAcl",
"s3:PutObjectAcl",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::cf-templates-erb4urdcaiht-us-east-1",
"arn:aws:s3:::elasticbeanstalk-us-east-1-008151213029",
"arn:aws:s3:::test-bucket-for-iam"
]
}
]
}
when i try to upload object i get, i have given putobject why iam i getting this error
An error occurred (AccessDenied) when calling the PutObject operation: Access Denied


Changing
"arn:aws:s3:::cf-templates-erb4urdcaiht-us-east-1"
to this
"arn:aws:s3:::cf-templates-erb4urdcaiht-us-east-1/*"
worked in my case.

Related

AWS cli not behaving as expected , w.r.t UI

I have one S3 bucket with no resource policy. I create policy explicitly that restrict IAM user access to this bucket by creating below policy and attaching it to IAM user.
If I login using that user in console , I see that list of bucket and can do action that are defined in policy. but when I try doing aws s3 ls is give me below error
An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
Policy
{
"Statement": [
{
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "AllowAppsS3ListAccess"
},
{
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucket-name",
"arn:aws:s3:::bucket-name/*"
],
"Sid": "AllowAppsS3Access"
}
],
"Version": "2012-10-17"
}

AWS S3 GetObject error on cross account access

I am the owner of AWS AccountC and need List and Get Permissions to BucketName owned by another person/team.
The bucket policy created is attached below. Policy for AccountA and AccountB were already existing and I added the policy for AccountC as given below
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AccessA",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::AccountA:root",
"arn:aws:iam::AccountA:user/ABC-Prod"
]
},
"Action": [
"s3:GetObject",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::BucketName/*",
"arn:aws:s3:::BucketName"
]
},
{
"Sid": "AccessB",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::AccountB:user/service-user",
"arn:aws:iam::AccountB:role/BatchUserRole"
]
},
"Action": "*",
"Resource": [
"arn:aws:s3:::BucketName/*",
"arn:aws:s3:::BucketName"
]
},
{
"Sid": "AccessC",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountC:root"
},
"Action": "s3:List*",
"Resource": "arn:aws:s3:::BucketName"
},
{
"Sid": "AccessD",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountC:root"
},
"Action": "s3:Get*",
"Resource": "arn:aws:s3:::BucketName/*"
}
]
}
I am able to list contents of BucketName using
aws s3 ls BucketName.
However, when I try
aws s3 cp --recursive BucketName/folderName/ ., it gives me an Access Denied error
An error occurred (AccessDenied) when calling the GetObject operation: Access Denied
Block public access is enabled on the bucket, however I believe it should not affect since the Bucket policy is added
Tried multiple way to write the policy but the error persists. Can someone please help me understand what I might be missing here? Would be really grateful

An error occurred (AccessDenied) when calling the PutObject operation: Access Denied?

I am following this tutorial to enable my django application to upload the file directly to S3.
https://simpleisbetterthancomplex.com/tutorial/2017/08/01/how-to-setup-amazon-s3-in-a-django-project.html
When created a new IAM user, I enabled the full access to my S3. AmazonS3FullAccess
But when i uploaded the file I still got the error of
An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
I tried to add a policy to my S3 bucket then.
But i constantly got the error of Policy has invalid action
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "*",
"Principal": { "AWS": "[my-IAM user]" }
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::[s3-bucket-name]",
"Condition": {
"StringLike": {
"s3:prefix": [
"",
"home/",
"home/${aws:username}/*"
]
}
},
"Principal": { "AWS": "[my-IAM user]" }
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::[bucket-name]/home/${aws:username}",
"arn:aws:s3:::[bucket-name]/home/${aws:username}/*"
],
"Principal": { "AWS": "[my-IAM user]" }
}
]
}
What exactly should i do then?

Permissions help setting up user access to S3

Still new to AWS. I'm trying to grant a user access to only S3 buckets that have a particular naming convention. I've got a basic policy like so:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowActionsForProjectbucket",
"Effect": "Allow",
"Action": ["s3:*"],
"Resource": [
"arn:aws:s3:::bucket-*/*",
"arn:aws:s3:::bucket-*"
]
},
}
However I'm getting Access Denied errors when running.
An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
I'm confused I guess by the error message, as I assumed that the s3:* Action covered the ListBuckets, but perhaps it's something else.

Add below policy to your AWS IAM user.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::YOUR-BUCKET",
"arn:aws:s3:::YOUR-BUCKET/*"
]
}
]
}
https://www.serverkaka.com/2018/05/grant-access-to-only-one-s3-bucket-to-aws-user.html

A client error (AccessDenied) occurred when calling the PutObject operation: Access Denied

The configure I used has AdministrationAccess
the bucket has following policy configured:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "myPolicy",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "*",
"Resource": [
"arn:aws:s3:::bucket-name/*",
"arn:aws:s3:::bucket-name"
]
}
]
}
In grantee:
Everyone with all four operations
I can not imagine a bucket more open than that, why do I still get the error
A client error (AccessDenied) occurred when calling the PutObject operation: Access Denied

Use this policy it will work for full access to the bucket.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::EXAMPLE-BUCKET-NAME"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::EXAMPLE-BUCKET-NAME/*"
}
]
}

According to AWS S3 documentation examples the specified tresource URI should be a string, not an array. As long as it's not a wildcard.
"Resource": [
"*"
]
or
"Resource": "arn:aws:s3:::bucket-name/*"
Dont forget the trailing wildcard when you specify your URI.