When I am trying to configure my s3cmd using s3cmd --configure command I am entering the Access Key, Secret Key and Encryption Password and for the rest of the fields I just hit enter to keep it to the default as said in most of the blogs.
But after supplying the credentials, I am getting the error:
ERROR: Test failed: 403 (AccessDenied): Access Denied
How possilbly can I configure with the right soltution.
There are several different things that could be going wrong:
You have an incorrect set of AWS credentials. If that is the case, then you will also not be able to use the official aws client. Try using that to verify that your credentials are correct. Use
aws s3 ls
in order to perform the ListBuckets operation that s3cmd is using to validate your credentials
You have AWS IAM credentials that do not have the correct permissions associated with them. S3cmd performs a s3:ListAllMyBuckets operation to validate your credentials. If your user does not have this permission associated with him, then s3cmd will fail to validate your credentials. If you have an IAM user, try temporarily attaching to it Full S3 Access or Administrator access in the IAM console.
You have a typo in the command.
It should be
s3cmd --configure
Check your IAM user of which your are using credentials for s3cmd have correct access to a S3.
Related
I am following the instructions to get AWS SSO working: https://www.gitpod.io/guides/integrate-aws-cli-ecr
I'm not sure about what the AWS_ROLE_NAME gitpod variable should be. I feel like I'm getting this wrong, because signing in with:
aws sso login --no-browser
and then aws sts get-caller-identity
I get An error occurred (ForbiddenException) when calling the GetRoleCredentials operation: No access
I've set it to an IAM role name which should have admin access.
resolved - AWS_ROLE_NAME needed to be set to AWSPowerUserAccess or other permission set name, which you can find in https://us-east-1.console.aws.amazon.com/iamv2/#/organization/permission-sets
also, don't forget to go to https://us-east-1.console.aws.amazon.com/iamv2/home#/organization/accounts click on an account and assign the SSO user to the account with an appropriate permission set.
Stupidly enough, I did delete by mistake my default AWS IAM user!
I used it for example do aws s3 sync...
Now the error I get is:
$ aws s3 sync build/ s3://mybucket.mydomain.com
fatal error: An error occurred (InvalidAccessKeyId) when calling the ListObjects operation: The AWS Access Key Id you provided does not exist in our records.
Is there a way to recover?
I think I need instructions how to create a new user with the sufficient roles to enable my local aws cli to be able to do aws s3 sync ...
UPDATE: I did just create a new user on my AWS console, and added a policy (to start with) to list my bucket. The problem is I don't know how to attach my aws cli to that new user... :-(
If you are the only person using this AWS Account, then add the AdministratorAccess Policy to your IAM User. That will grant complete access.
Then, in the Security credentials tab of the IAM User click Create access key. Copy the Access Key and Secret Access Key.
On the command line, run aws configure and provide those keys to configure the user.
Test with: aws s3 ls
I successfully authenticate with 2 factor but when using aws s3 ls I keep getting
An error occurred (InvalidToken) when calling the ListBuckets operation: The provided token is malformed or otherwise invalid.
And I do have admin rights.
Issue was that I wasn't passing the --region in. e.g. aws s3 --region us-gov-west-1 ls. I suppose this could be set with an ENV variable too. That error message is a candidate for improvement.
This error also occurs when aws cli reads the aws_session_token and aws_security_token declared in the ~/.aws file, which might be associated to a previously used account. Removing both and leaving just the key and the credentials associated to the account where the bucket is will force aws to establish the connection.
Please delete .aws/credentials file from your users account and reconfigure your aws cli.
If you already associated with another account then there are high chances of this type of error.
Run aws configure
You may leave access key and access key id blank if you have an IAM role attached
Set value for 'region'
Now you will be able to successfully run 'aws s3 ls'
Else run 'aws s3 ls --region '
If you are using AWS Single Sign-on you can pass --profile <profile_name> and it should solve the issue
In the .aws credentials file remove session token and it will work
I'm trying to add MFA-deletion to my S3 bucket with the AWS-cli with the following command:
aws s3api put-bucket-versioning --bucket <my-bucket-name> --versioning-configuration '{"MFADelete":"Enabled","Status":"Enabled"}' --mfa 'arn:aws:iam::<code-found-at-iam-page>:mfa/root-account-mfa-device <my-google-authenticator-code>'
but the response I get is this:
An error occurred (InvalidRequest) when calling the
PutBucketVersioning operation: DevPay and Mfa are mutually exclusive
authorization methods.
which makes no sense as I have never used DevPay. My security group for the instance has S3FullAccess enabled so that shouldn't be a problem either.
Any suggestions on what the problem might be would be appreciated.
I submitted a case to AWS and they answer with this:
That error response typically gets returned when the API cannot
perform the MFA Delete task due to the request being made with
non-root credentials. The only way to turn on MFA Delete is to use the
credentials from the root user of the account
Simple solution!
I just got the same error when attempting to perform this using the AWS CloudShell, although I was using the root user (and confirmed I was root using the CloudShell). The same command worked when run from the local CLI.
To enable/disable MFA delete on s3 bucket you must configure your aws command line with root access key .
Check the Prerequisites part
https://aws.amazon.com/premiumsupport/knowledge-center/s3-undelete-configuration/
I have the AWS cli installed on an EC2 instance, and I configured it by running aws configure and giving it my AWSAccessKeyId and AWSSecretKey keys so if I run the command aws s3 ls it returns the name of my S3 bucket (call it "mybucket").
But, if I then try aws s3 cp localfolder/ s3://mybucket/ --recursive I get an error that looks like
A client error (AccessDenied) occurred when calling the CreateMultipartUpload operation: Anonymous users cannot initiate multipart uploads. Please authenticate.
I thought that by running aws configure and giving it my root key that I was effectively giving the aws cli everything it needs to authenticate? Is there something I am missing regarding copying to an S3 bucket as opposed to listing them?
Thought I would add in a very similar issue that I had where I could list buckets but could not write to a given bucket returning the error
An error occurred (AccessDenied) when calling the
CreateMultipartUpload operation: Access Denied
If the bucket uses server-side encryption you'll need to add the --sse flag to be able to write to this bucket.
https://docs.aws.amazon.com/cli/latest/reference/s3/cp.html
Root Access keys and Secret key have full control and full privileges to interact with the AWS. Please try running the aws configure again to recheck the setting and try again.
PS: it is highly not recommended to use root access keys - please give a thought is creating an IAM ( which take admin privileges- like root ) and use those.
If you have environment variables AWS_SECRET_ACCESS_KEY, AWS_ACCESS_KEY_ID and AWS_REGION set, AWS CLI gives higher precedence to them, and not to credentials you specify with aws configure.
So, in my case, bash command unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY solved the problem.