Access denied copying files using S3 CLI

amazon-web-services amazon-s3 aws-cli
16,033

The format for specifying an s3 location is s3://bucket/key so instead of s3://s3.amazonaws.com/my-bucket you would use s3://my-bucket/.

Share:
16,033

Related videos on Youtube

KevinD
Author by

KevinD

Updated on September 18, 2022

Comments

  • KevinD
    KevinD over 1 year

    Attempting to pull down the contents of an S3 bucket using the AWS CLI, I'm getting the following:

    aws s3 cp --region us-east-1 s3://s3.amazonaws.com/my-bucket . --recursive
A client error (AccessDenied) occurred when calling the ListObjects operation: Access Denied
Completed 1 part(s) with ... file(s) remaining

    Using aws s3 sync similarly fails.

    The user policy is:

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::*"]
    }
  ]
}

    (I've tried various less restrictive policies too, but to no avail).

    I've tried an empty bucket policy, and also this bucket policy:

    {
    "Id": "Policy1357935677554",
    "Statement": [
        {
            "Sid": "Stmt1357935647218",
            "Action": [
                "*"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::my-bucket",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::XXXXXXXXXX:user/my-user"
                ]
            }
        },
        {
            "Sid": "Stmt1357935676138",
            "Action": [
                "*"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::XXXXXXXXXX:user/my-user"
                ]
            }
        }
    ]
}

    Interestingly, this does work: 

    aws s3api list-objects --region us-east-1 --bucket my-bucket
  • KevinD
    KevinD about 9 years
    Thanks, that worked! "Access denied" isn't the most obvious error for a malformed URL!
  • Chris
    Chris about 8 years
    @KevinD to be clear the URL is not malformed, "s3.amazonaws.com" is a valid bucket name per naming conventions.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

"The AWS Access Key Id you provided does not exist in our records." when trying to use AWS CLI
Unknown Options when Using aws s3 mv
Output AWS CLI "sync" results to a txt file
HTTPSConnectionPool(host='s3-us-west-1b.amazonaws.com', port=443): Max retries exceeded with url
AWS S3 CLI - Connection was closed before we received a valid response from endpoint
Does AWS CLI use SSL when uploading data into S3?
How to create a "folder-like" (i.e. PREFIX) object on S3 using the AWS CLI?
How can I 'aws s3 sync' two buckets, which are located in different accounts
Why can my IAM user create a bucket but not upload to it?
I'm trying to use "aws s3 sync" on my EC2 instance. Is the '--exclude' option broken?