AWS S3 Access Denied on delete


Solution 1

It's quite common to have write permission (a user that just writes the data to S3) and a separate delete permission with another user (to avoid accidental deletes).

To check whether you really have access to the specific bucket actions, use the iam get-role-policy API to view the permissions you have for the role that you are using when you try to delete. Here is an example:

$ aws iam get-role-policy --role-name <<your-role-name>> --policy-name <<your-policy-name>>

{
    "RoleName": "myrolename",
    "PolicyDocument": {
        "Version": "yyyy-mm-dd",
        "Statement": [
            {
                "Action": [
                    "s3:AbortMultipartUpload",
                    "s3:DeleteObject",
                    "s3:Get*",
                    "s3:List*",
                    "s3:ListBucket",
                    "s3:PutObject*"
                ],
                "Resource": [
                    "arn:aws:s3:::bucket1/*",
                    "arn:aws:s3:::bucket2/*"
                ],
                "Effect": "Allow",
                "Sid": "yyyy"
            }
        ]
    },
    "PolicyName": "mypolicyname"
}

Most likely, in your case you do not have the "s3:DeleteObject" action for that resource (bucket/prefix).

Solution 2

A user being able to create an object in a bucket doesn't necessarily imply that the same user can delete the object that he/she may have created.

S3 permissions can be granular at the resource level (bucket/prefix), where the actions that your role can take could be one or many of the permissions (see: http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html).

It looks like you have the s3:PutObject permission but not s3:DeleteObject.
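Both answers come down to the same check: does the policy attached to the role grant s3:DeleteObject on the exact object ARN, or only s3:PutObject? The following Python is an added example, not code from either answer or from AWS, that reads a PolicyDocument like the one get-role-policy returns and evaluates one action against one resource ARN with IAM's wildcard matching and explicit-Deny precedence. Both policy documents in it are constructed for the example (placeholder bucket names and Sids): the first is the asker's situation, a writer role with no delete right at all; the second is a separate deleter role whose delete right is withdrawn under an archive/ prefix. The evaluator is deliberately simplified and ignores Condition blocks, NotAction/NotResource, bucket policies, permission boundaries and SCPs.

```python
import fnmatch
import json

# Constructed policy documents for this example (placeholder bucket names, not
# from any real account). WRITE_ONLY_POLICY is the situation both answers
# describe: the role can put and read objects but is never granted
# s3:DeleteObject. DELETE_POLICY is a separate deleter role whose delete right
# is withdrawn under the "archive/" prefix by an explicit Deny.
WRITE_ONLY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "WriterRole",
      "Effect": "Allow",
      "Action": ["s3:Get*", "s3:List*", "s3:PutObject*", "s3:AbortMultipartUpload"],
      "Resource": "arn:aws:s3:::bucket1/*"
    }
  ]
}
""")

DELETE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DeleterRole",
      "Effect": "Allow",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::bucket1/*"
    },
    {
      "Sid": "ProtectArchive",
      "Effect": "Deny",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::bucket1/archive/*"
    }
  ]
}
""")


def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, candidate):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character.
    fnmatch would also treat '[...]' as a character class, so escape '[' first."""
    return fnmatch.fnmatchcase(candidate, pattern.replace("[", "[[]"))


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one action on one resource ARN.

    Simplified identity-policy logic only: an explicit Deny always wins, an
    Allow is required for access, and nothing else grants it. Condition blocks,
    NotAction/NotResource, bucket policies, permission boundaries and SCPs are
    not modelled here.
    """
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        # Action names are case-insensitive in IAM; ARNs are compared as given.
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(_matches(a, action.lower()) for a in actions):
            continue
        if not any(_matches(r, resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def missing_actions(policy, resource, needed):
    """List the actions from `needed` that the policy does not allow on `resource`."""
    return [a for a in needed if evaluate(policy, a, resource) != "Allow"]


if __name__ == "__main__":
    key = "arn:aws:s3:::bucket1/uploads/report.csv"
    for action in ("s3:PutObject", "s3:GetObject", "s3:DeleteObject"):
        print(f"writer role, {action}: {evaluate(WRITE_ONLY_POLICY, action, key)}")
    print("writer role is missing:",
          missing_actions(WRITE_ONLY_POLICY, key, ["s3:PutObject", "s3:DeleteObject"]))
    for key in ("arn:aws:s3:::bucket1/uploads/report.csv",
                "arn:aws:s3:::bucket1/archive/2021.csv"):
        print(f"deleter role, s3:DeleteObject on {key}: "
              f"{evaluate(DELETE_POLICY, 's3:DeleteObject', key)}")
```

To run it against a real role, pass the "PolicyDocument" member of the get-role-policy output to evaluate() with the full object ARN (bucket plus key), since a statement scoped to bucket1/* says nothing about bucket2. The authoritative answer, which also accounts for bucket policies and conditions, comes from IAM's own simulator (aws iam simulate-principal-policy); this script is only a quick local read of the policy you already fetched.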

Author: Joshua Foxworth

Updated on September 15, 2022

Comments

  • Joshua Foxworth
    Joshua Foxworth over 1 year

    I have a bucket that I can write to with no problem. However, when I try to delete an object, I get an error ...

    AccessDeniedException in NamespaceExceptionFactory.php line 91
    

    Following the very basic example here, I came up with this command ...

    $result = $s3->deleteObject(array(
        'Bucket' => $bucket,
        'Key'    => $keyname
    ));

    I have tried variations of this based upon other tutorials and questions I have found.

    $result = $s3->deleteObject(array(
        'Bucket'         => $bucket,
        'Key'            => $keyname,
        'Content-Type'   => $contentType,
        'Content-Length' => 0
    ));

    But everything produces the same error. Any suggestions?

  • Joshua Foxworth
    Joshua Foxworth about 7 years
    How can a user have read/write permissions and not delete? The description on mouse-over for this permission says it includes delete.
  • Ravi Ramanujam
    Ravi Ramanujam about 7 years
    It's quite common to have write permission (a user that just writes the data to S3) and a separate delete permission with another user (to avoid accidental deletes).
  • lexa-b
    lexa-b about 6 years
    For a Serverless project you may add "s3:DeleteObject" to the "provider: iamRoleStatements: Action" parameter in the serverless.yml file.
  • RicardoDuarte
    RicardoDuarte about 5 years
    Completely forgot I didn't add this to my config. Thanks.
  • Kit Peters
    Kit Peters about 4 years
    This fixed a problem I was having. Thanks!