CreateMultipartUpload operation - AWS policy items needed?
Solution 1
The "s3:PutObject" handles the CreateMultipartUpload operation so I guess there is nothing like "s3:CreateMultipartUpload".
The thing you have to change in your S3 bucket ARN is to also add "Resource": "arn:aws:s3:::mybucket".
Final policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::mybucket"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket",
                "arn:aws:s3:::mybucket/*"
            ]
        }
    ]
}
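An added example, not part of the original answer: a small lint that compares the question's policy with the corrected one, flagging API operation names used as IAM actions and actions attached to the wrong kind of ARN. The names `lint_policy`, `BUCKET_ACTIONS`, `OBJECT_ACTIONS` and `API_ONLY` are hypothetical, the classification covers only the actions shown on this page, and only exact ARN matches are checked.

```python
# Added example: lint for the S3 multipart-upload policy discussed on this page.
# Assumption: only exact ARN matches are checked (no wildcards, Deny or Condition).
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation",
                  "s3:ListBucketMultipartUploads"}
OBJECT_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:DeleteObject",
                  "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"}
# API operation names that are not IAM actions, mapped to the action covering them.
API_ONLY = {"s3:CreateMultipartUpload": "s3:PutObject"}


def as_list(value):
    """IAM allows a single string or object where a list is expected."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy, bucket):
    """Return (statement index, action, reason) findings; empty means nothing flagged."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/*"
    findings = []
    for idx, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = set(as_list(stmt.get("Resource", [])))
        for action in as_list(stmt.get("Action", [])):
            if action in API_ONLY:
                findings.append((idx, action, f"not an IAM action; covered by {API_ONLY[action]}"))
            elif action in BUCKET_ACTIONS and bucket_arn not in resources:
                findings.append((idx, action, f"bucket-level; needs {bucket_arn}"))
            elif action in OBJECT_ACTIONS and object_arn not in resources:
                findings.append((idx, action, f"object-level; needs {object_arn}"))
    return findings


def _stmt(actions, resource):
    return {"Effect": "Allow", "Action": actions, "Resource": resource}

# Third statement of the question's policy and of the answer's policy, as on this page.
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [_stmt(
    ["s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:CreateMultipartUpload",
     "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts",
     "s3:ListBucketMultipartUploads"], "arn:aws:s3:::mybucket/*")]}
ANSWER_POLICY = {"Version": "2012-10-17", "Statement": [_stmt(
    ["s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:AbortMultipartUpload",
     "s3:ListMultipartUploadParts", "s3:ListBucketMultipartUploads"],
    ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"])]}

if __name__ == "__main__":
    for name, pol in (("question", QUESTION_POLICY), ("answer", ANSWER_POLICY)):
        print(name, lint_policy(pol, "mybucket"))
```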
Solution 2
If it's cross-account access, check that it is not related to ACL headers, as mentioned here: https://stackoverflow.com/a/34055538/1736679 (more info in this issue thread: https://github.com/aws/aws-cli/issues/1674).
Also double-check the environment / user from which you are running to make sure there are no overriding keys (AWS_ACCESS_KEY, etc.) in /etc/environment or ~/.aws/credentials.
Admin
Updated on July 22, 2022
Comments
-
Admin almost 2 years
I'm doing a multipart upload via the AWS CLI console but getting this error:
A client error (AccessDenied) occurred when calling the CreateMultipartUpload operation: Access Denied
Below is my policy, am I missing something in there?
Thanks.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::mybucket"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:CreateMultipartUpload",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": "arn:aws:s3:::mybucket/*"
        }
    ]
}
-
Frederic Henri about 8 years
Can you give the full command you use to upload to S3?
-
init_js over 5 years
You are using the "Resource" key twice in your last block. Last two lines. Not sure which one it's supposed to be.
-
s27840 over 5 years
You need both. One is for the bucket itself, one is for objects in the bucket (ending /*). Resource should be an array [] with both in.
-
Putnik about 5 years
Use an array of resources like "Resource":["arn1","arn2"]