aws s3 cp returns An error occurred (403) when calling the HeadObject operation: Forbidden

14,254

s3://s3-us-west-2.amazonaws.com/my-test-bucket/intro.jpg refers to a bucket named s3-us-west-2.amazonaws.com and the object key my-test-bucket/intro.jpg.

Access is denied because that isn't your bucket.

The correct URI here would be s3://my-test-bucket/intro.jpg.

14,254

Author by

Alexey Kucherenko

Updated on June 18, 2022

Comments

Alexey Kucherenko almost 2 years
Foreword

I guess it may be a duplication but other posts with the same problem didn't help me much.

A problem

aws s3 cp s3://s3-us-west-2.amazonaws.com/my-test-bucket/intro.jpg test.jpg
Outputs the following:
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden

Bucket Policy:
```
{
    "Version": "2012-10-17",
    "Id": "Policy1539624480514",
    "Statement": [
        {
            "Sid": "Stmt1539624478431",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my-test-bucket",
                "arn:aws:s3:::my-test-bucket/*"
            ]
        }
    ]
}
```
Some notes
1. intro.jpg was added by user A (who has AdministratorAccess) via AWS Console Dashboard (it's not copy file between buckets)
2. aws sts get-caller-identity returns me information about user A
  { "UserId": "AIDXXXX3KDQHYYYYXRLO", "Account": "765123991235", "Arn": "arn:aws:iam::765123991235:user/[email protected]" }
3. cat ~/.aws/config
```
[default]
region = us-west-2
output = json
```
1. cat ~/.aws/credentials points to user A access key and secret
```
[default]
aws_access_key_id = AZZZIXXXXJQZA6YYYYUQ
aws_secret_access_key = <<<<<<<<<KEY REMOVED>>>>>>>>
```
1. aws s3 ls returns the correct list of buckets
2. time is synced on my local machine correctly