Access denied on AWS s3 bucket even with bucket and/or user policy

Solution 1

As strange as it sounds, it is possible to upload an object to Amazon S3 that the account owning the bucket cannot access.

When an object is uploaded to Amazon S3 (PutObject), it is possible to specify an Access Control List (ACL). Possible values are:

  • private
  • public-read
  • public-read-write
  • authenticated-read
  • aws-exec-read
  • bucket-owner-read
  • bucket-owner-full-control

You should normally upload objects with the bucket-owner-full-control ACL. This allows the owner of the bucket access to the object and permission to control the object (e.g. delete it).

If this permission is not supplied, then they cannot access nor modify the object.

I know that it contradicts the way you'd think buckets should work, but it's true!

How to fix it:

  • Re-upload the objects with bucket-owner-full-control ACL, or
  • The original uploader can loop through the objects and do an in-place CopyObject with a new ACL. This changes the permissions without having to re-upload.

Solution 2

You can solve it by using: http://docs.aws.amazon.com/cli/latest/reference/s3api/put-object-acl.html

put-object-acl: this has to be done by the original uploader.

But it is definitely faster than copying the data again.

I had TBs of data to deal with.

# Run by the original uploader, once per object key; grants the bucket owner FULL_CONTROL
# (put-object-acl, not put-bucket-acl, and a canned ACL rather than a grant to AllUsers,
# which would hand every anonymous user full control of the object)
aws s3api put-object-acl --bucket "$foldername" --key "$i" --acl bucket-owner-full-control
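The two repairs above (Solution 1's in-place CopyObject and Solution 2's put-object-acl) and the audit that tells you whether an object needs one, as an added example in Python that is not code from either answer. It assumes a boto3-style S3 client (get_object_acl, put_object_acl, head_object, copy_object, list_objects_v2, put_object); the client is duck-typed so the logic runs offline against the constructed FakeS3 at the bottom, and the canonical IDs, bucket name and keys are made up for the demonstration. The check only counts a CanonicalUser grant to the bucket owner, and public_grants() lets you confirm a repair did not add a group grant.

```python
# Added example (not code from the original answers). Audits and repairs S3
# object ACLs so the bucket owner holds FULL_CONTROL, using the two methods the
# answers describe: put_object_acl (no data copy) and an in-place copy_object.
# The client is duck-typed; pass boto3.client("s3") for the real thing.

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def user_grant(canonical_id, permission):
    return {"Grantee": {"Type": "CanonicalUser", "ID": canonical_id},
            "Permission": permission}


def owner_has_full_control(acl, bucket_owner_id):
    """True if the bucket owner's canonical user ID holds FULL_CONTROL.

    `acl` has the GetObjectAcl response shape. Only a CanonicalUser grant
    counts: a grant to a Group URI would be a public exposure, not a fix.
    """
    return any(g["Grantee"].get("Type") == "CanonicalUser"
               and g["Grantee"].get("ID") == bucket_owner_id
               and g["Permission"] == "FULL_CONTROL"
               for g in acl.get("Grants", []))


def public_grants(acl):
    """Permissions handed to AllUsers/AuthenticatedUsers; a repair must add none."""
    return sorted(g["Permission"] for g in acl.get("Grants", [])
                  if g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS))


def repair_object(s3, bucket, key, bucket_owner_id, method="acl"):
    """Return 'ok' if the owner already has FULL_CONTROL, else repair -> 'fixed'.

    Must run as the object owner (the original uploader): only they can
    change an ACL the bucket owner cannot touch.
    """
    acl = s3.get_object_acl(Bucket=bucket, Key=key)
    if owner_has_full_control(acl, bucket_owner_id):
        return "ok"
    if method == "acl":
        # Solution 2: rewrite only the ACL; no bytes are moved.
        s3.put_object_acl(Bucket=bucket, Key=key, ACL="bucket-owner-full-control")
    else:
        # Solution 1: copy the object onto itself with a new ACL. S3 rejects a
        # copy onto the same key unless something changes, so the existing
        # metadata is replayed with MetadataDirective=REPLACE (assumption
        # based on the documented CopyObject restriction).
        head = s3.head_object(Bucket=bucket, Key=key)
        s3.copy_object(Bucket=bucket, Key=key,
                       CopySource={"Bucket": bucket, "Key": key},
                       ACL="bucket-owner-full-control",
                       MetadataDirective="REPLACE",
                       Metadata=head.get("Metadata", {}),
                       ContentType=head.get("ContentType", "binary/octet-stream"))
    return "fixed"


def repair_prefix(s3, bucket, prefix, bucket_owner_id, method="acl"):
    """Walk a prefix page by page; returns {key: 'ok' | 'fixed'}."""
    results, token = {}, None
    while True:
        kwargs = {"Bucket": bucket, "Prefix": prefix}
        if token:
            kwargs["ContinuationToken"] = token
        page = s3.list_objects_v2(**kwargs)
        for obj in page.get("Contents", []):
            results[obj["Key"]] = repair_object(s3, bucket, obj["Key"], bucket_owner_id, method)
        if not page.get("IsTruncated"):
            return results
        token = page["NextContinuationToken"]


def upload_with_owner_control(s3, bucket, key, body):
    """The upload that avoids the problem: x-amz-acl: bucket-owner-full-control."""
    s3.put_object(Bucket=bucket, Key=key, Body=body, ACL="bucket-owner-full-control")


class FakeS3:
    """Constructed stand-in for boto3's S3 client, with only the calls used above."""

    def __init__(self, bucket_owner_id, uploader_id):
        self.bucket_owner, self.uploader = bucket_owner_id, uploader_id
        self.objects, self.calls = {}, []

    def _canned(self, acl):
        grants = [user_grant(self.uploader, "FULL_CONTROL")]  # object owner always has this
        if acl == "bucket-owner-full-control":
            grants.append(user_grant(self.bucket_owner, "FULL_CONTROL"))
        elif acl == "bucket-owner-read":
            grants.append(user_grant(self.bucket_owner, "READ"))
        return grants

    def put_object(self, Bucket, Key, Body, ACL="private"):
        self.objects[Key] = {"grants": self._canned(ACL), "meta": {"src": "fake"}}

    def get_object_acl(self, Bucket, Key):
        return {"Owner": {"ID": self.uploader}, "Grants": list(self.objects[Key]["grants"])}

    def put_object_acl(self, Bucket, Key, ACL):
        self.calls.append(("put_object_acl", Key))
        self.objects[Key]["grants"] = self._canned(ACL)

    def head_object(self, Bucket, Key):
        return {"Metadata": self.objects[Key]["meta"], "ContentType": "text/plain"}

    def copy_object(self, Bucket, Key, CopySource, ACL, MetadataDirective, Metadata, ContentType):
        self.calls.append(("copy_object", Key))
        self.objects[Key]["grants"] = self._canned(ACL)

    def list_objects_v2(self, Bucket, Prefix="", ContinuationToken=None):
        keys = sorted(k for k in self.objects if k.startswith(Prefix))
        return {"Contents": [{"Key": k} for k in keys], "IsTruncated": False}


if __name__ == "__main__":
    s3 = FakeS3("owner-canonical-id", "uploader-canonical-id")
    s3.put_object(Bucket="my-bucket", Key="data/a.csv", Body=b"1,2")    # private: owner locked out
    upload_with_owner_control(s3, "my-bucket", "data/b.csv", b"3,4")  # uploaded correctly
    print(repair_prefix(s3, "my-bucket", "data/", "owner-canonical-id"))
```

Against a real account, look the bucket owner's canonical ID up with `aws s3api get-bucket-acl` on the bucket before running the prefix walk, and run it with the uploader's credentials; the bucket owner's own credentials will get the same Access Denied on get_object_acl that started the thread.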


Author: Scott Decker

Updated on June 23, 2022

Comments

  • Scott Decker
    Scott Decker over 1 year

    I've tried pretty much every possible bucket policy. Also tried adding a policy to the user, but I get Access Denied every time I try to download an object from s3 bucket using the AWS Console.

    Bucket Policy:

    {
        "Version": "2012-10-17",
        "Id": "MyPolicy",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::12345678901011:user/my-username"
                },
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::my-bucket",
                    "arn:aws:s3:::my-bucket/*"
                ]
            },
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:::my-bucket/*",
                "Condition": {
                    "IpAddress": {
                        "aws:SourceIp": [
                            "XX.XXX.XXX.XXX/24",
                            "XXX.XXX.XXX.XXX/24"
                        ]
                    }
                }
            }
        ]
    }
    

    That doesn't work so I tried adding a policy to my-username:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "StmtXXXXXXXXXX",
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:PutObject"
                ],
                "Resource": [
                    "arn:aws:s3:::my-bucket",
                    "arn:aws:s3:::my-bucket/*"
                ]
            }
        ]
    }
    
    • John Rotenstein
      John Rotenstein about 6 years
      Can you list the objects via the console, but just not download them? How were the objects originally loaded into the bucket? Were they copied there via the CLI?
  • Scott Decker
    Scott Decker about 6 years
    Shouldn't there be a way for me to have a bucket or user policy that just says "regardless of how uploaded, this user has permissions to download anything from this bucket"?
  • John Rotenstein
    John Rotenstein about 6 years
    If the objects were uploaded without Bucket Owner permissions, it's not possible. I know -- it's strange!
  • Scott Decker
    Scott Decker about 6 years
    Thanks! I found these articles to be helpful: docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html and docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPUT.html. In the end I just did a restRequest.AddHeader("x-amz-acl", "bucket-owner-full-control") and that solved it.
  • Brit Gwaltney
    Brit Gwaltney over 4 years
    Is it possible to upload several ACL records here? For example, I want to make the object public-read as well as bucket-owner-full-control.
  • John Rotenstein
    John Rotenstein over 4 years
    @BritGwaltney No, it seems you can only specify one ACL. For details of what they define, see: Canned ACL. For details of ownership, see: Amazon S3 Bucket and Object Ownership.