AWS S3 Access Denied on delete
Solution 1
It's quite common to have write permission (a user that just writes the data to S3) and a separate delete permission with another user (to avoid accidental deletes).
To check whether you really have access to the specific bucket actions, use the iam get-role-policy API to view the permissions you have for the role that you are using to try to delete. Here is an example:
$ aws iam get-role-policy --role-name <<your-role-name>> --policy-name <<your-policy-name>>
{
    "RoleName": "myrolename",
    "PolicyDocument": {
        "Version": "yyyy-mm-dd",
        "Statement": [
            {
                "Action": [
                    "s3:AbortMultipartUpload",
                    "s3:DeleteObject",
                    "s3:Get*",
                    "s3:List*",
                    "s3:ListBucket",
                    "s3:PutObject*"
                ],
                "Resource": [
                    "arn:aws:s3:::bucket1/*",
                    "arn:aws:s3:::bucket2/*"
                ],
                "Effect": "Allow",
                "Sid": "yyyy"
            }
        ]
    },
    "PolicyName": "mypolicyname"
}
Most likely in your case, you do not have the "s3:DeleteObject" action for that resource (bucket/prefix).
Solution 2
That a user can create an object in a bucket doesn't necessarily imply that the same user can delete the object that he/she created.
S3 permissions can be granular at the resource level (bucket/prefix), where the actions your role can take could be one or many of the permissions (see: http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html).
It looks like you have the s3:PutObject permission but not s3:DeleteObject.
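Both solutions above reduce to the same question: does the policy document that get-role-policy prints actually allow s3:DeleteObject on the object ARN you are deleting? The script below is an added example, not code from either answer or from the question. It parses a constructed get-role-policy output (a "write-only" inline policy, with invented names myrolename, WriteOnly and bucket1), evaluates one action against one resource the way IAM does for a single policy document (wildcards in Action and Resource, explicit Deny beats Allow, no match means denied), and reports which object actions are missing. It also flags a trap visible in the policy pasted in Solution 1: s3:ListBucket listed only against bucket/* object ARNs never matches the bucket ARN it is evaluated on.

```python
import json
import re

# Constructed sample: decoded output of
#   aws iam get-role-policy --role-name <role> --policy-name <policy>
# for a write-only inline policy like the one behind the question.
# Role, policy and bucket names are invented for this example.
GET_ROLE_POLICY_OUTPUT = """
{
  "RoleName": "myrolename",
  "PolicyName": "WriteOnly",
  "PolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "WriteOnly",
        "Effect": "Allow",
        "Action": ["s3:PutObject*", "s3:Get*", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::bucket1/*"]
      }
    ]
  }
}
"""

# Constructed sample: the same role after adding the delete permission the
# answers describe, with ListBucket moved to the bucket ARN where it belongs
# and an explicit Deny that protects one prefix from deletes.
WRITE_AND_DELETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ObjectReadWriteDelete", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::bucket1/*"},
        {"Sid": "ListNeedsBucketArn", "Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::bucket1"},
        {"Sid": "NoDeleteInArchive", "Effect": "Deny",
         "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::bucket1/archive/*"},
    ],
}

S3_OBJECT_ACTIONS = ("s3:PutObject", "s3:GetObject", "s3:DeleteObject")


def load_policy_document(cli_output):
    """Pull the PolicyDocument out of `aws iam get-role-policy` JSON output."""
    return json.loads(cli_output)["PolicyDocument"]


def _as_list(value):
    # Action and Resource may be a single string or a list in IAM JSON.
    return value if isinstance(value, list) else [value]


def _glob(pattern):
    # IAM wildcards: '*' matches any run of characters (including '/'),
    # '?' matches exactly one character; everything else is literal.
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$")


def _action_matches(pattern, action):
    # IAM matches action names case-insensitively.
    return _glob(pattern.lower()).match(action.lower()) is not None


def _resource_matches(pattern, arn):
    # Resource ARNs are matched case-sensitively (S3 keys are case-sensitive).
    return _glob(pattern).match(arn) is not None


def evaluate(policy, action, resource):
    """Decide one (action, resource) pair against a single policy document.

    Returns "Allow", "ExplicitDeny" or "ImplicitDeny": an explicit Deny
    always wins, and no matching statement means denied. Condition blocks
    are not modelled here.
    """
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            continue
        if not any(_resource_matches(p, resource) for p in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


def object_access_report(policy, bucket, key):
    """Map each common object action to its decision for one object ARN."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    return {action: evaluate(policy, action, arn) for action in S3_OBJECT_ACTIONS}


def ineffective_list_bucket(policy):
    """Sids of Allow statements granting s3:ListBucket only on object-level
    ARNs (arn:aws:s3:::bucket/...). ListBucket is evaluated against the
    bucket ARN itself, so such a grant never matches any request."""
    sids = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_action_matches(p, "s3:ListBucket") for p in _as_list(stmt.get("Action", []))):
            continue
        if all("/" in r.split(":::", 1)[-1] for r in _as_list(stmt.get("Resource", []))):
            sids.append(stmt.get("Sid", "<no Sid>"))
    return sids


if __name__ == "__main__":
    write_only = load_policy_document(GET_ROLE_POLICY_OUTPUT)
    for name, policy in (("write-only", write_only), ("write+delete", WRITE_AND_DELETE_POLICY)):
        print(name, object_access_report(policy, "bucket1", "uploads/report.csv"))
        print("  ListBucket on bucket ARN:", evaluate(policy, "s3:ListBucket", "arn:aws:s3:::bucket1"))
        print("  ineffective ListBucket grants:", ineffective_list_bucket(policy))
```

This only evaluates the one inline policy you pasted, which is enough to confirm the missing s3:DeleteObject but not to reproduce a real decision: managed policies attached to the role, a permissions boundary, SCPs and the bucket's own policy all take part. The authoritative check in a live account is `aws iam simulate-principal-policy --policy-source-arn <role-arn> --action-names s3:DeleteObject --resource-arns arn:aws:s3:::bucket1/uploads/report.csv`, which combines the identity-based policies for you. One further caveat: on a versioned bucket, deleting a specific object version requires s3:DeleteObjectVersion, not just s3:DeleteObject.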
Updated on September 15, 2022
Comments
-
Joshua Foxworth over 1 year
I have a bucket that I can write to with no problem. However, when I try to delete an object, I get an error ...
AccessDeniedException in NamespaceExceptionFactory.php line 91
Following the very basic example here, I came up with this command ...
$result = $s3->deleteObject(array( 'Bucket' => $bucket, 'Key' => $keyname ));
I have tried variations of this based upon other tutorials and questions I have found.
$result = $s3->deleteObject(array( 'Bucket' => $bucket, 'Key' => $keyname, 'Content-Type' => $contentType, 'Content-Length' => 0 ));
But everything produces the same error. Any suggestions?
-
Joshua Foxworth about 7 years
How can a user have read/write permissions and not delete? The description on mouse over for this permission says it includes delete.
-
Ravi Ramanujam about 7 years
It's quite common to have write permission (a user that just writes the data to S3) and a separate delete permission with another user (to avoid accidental deletes).
-
lexa-b about 6 years
For a serverless project you may add "s3:DeleteObject" into the "provider: iamRoleStatements: Action" parameter in the serverless.yml file.
-
RicardoDuarte about 5 years
Completely forgot I didn't add this to my config. Thanks.
-
Kit Peters about 4 years
This fixed a problem I was having. Thanks!