How to fix AccessDenied calling CopyObject


Solution 1

In my case, I had no issues with some objects; however, one of them had the same CopyObject error stated in the question. I was also using the sync command between cross-account buckets.

So I took a look at the Event History in AWS CloudTrail (since I had CloudTrail set up) - this helps to see what API calls are being invoked. However, I did not have event logging for S3 buckets and objects enabled, so I tried a couple of changes, starting with put*, which worked. I then narrowed quickly to the one that I needed.

Ultimately, that led me to add this permission to my bucket policy: s3:PutObjectTagging.

Hope this helps you out too!

Solution 2

You are missing the s3:GetObjectTagging and s3:PutObjectTagging permissions as outlined here: https://medium.com/collaborne-engineering/s3-copyobject-access-denied-5f7a6fe0393e.
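A small offline check for the gap the two answers describe, as an added example that is not part of the original answers. It evaluates only the Allow statements of an identity policy shaped like the one in the question (no Deny, Condition, NotAction or bucket-policy evaluation); the required-action table, function names and sample object key are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Actions a cross-account `aws s3 sync` copy needs, per the answers above.
# The tagging actions are the ones absent from the question's policy.
REQUIRED = {
    "source": {"bucket": ["s3:ListBucket"],
               "object": ["s3:GetObject", "s3:GetObjectTagging"]},
    "destination": {"bucket": ["s3:ListBucket"],
                    "object": ["s3:PutObject", "s3:PutObjectTagging"]},
}

def as_list(value):
    """IAM allows a single string where a list is expected."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def allowed(policy, action, arn):
    """True if some Allow statement matches both the action and the ARN."""
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt or "Resource" not in stmt:
            continue
        # Action names match case-insensitively; ARNs are case-sensitive.
        act_ok = any(fnmatchcase(action.lower(), a.lower()) for a in as_list(stmt["Action"]))
        res_ok = any(fnmatchcase(arn, r) for r in as_list(stmt["Resource"]))
        if act_ok and res_ok:
            return True
    return False

def missing_actions(policy, source_bucket, dest_bucket):
    """Return (side, action) pairs the policy does not allow for the copy."""
    gaps = []
    for side, bucket in (("source", source_bucket), ("destination", dest_bucket)):
        arns = {"bucket": f"arn:aws:s3:::{bucket}",
                "object": f"arn:aws:s3:::{bucket}/example-key"}  # constructed key
        for kind, actions in REQUIRED[side].items():
            gaps += [(side, a) for a in actions if not allowed(policy, a, arns[kind])]
    return gaps

def s3_policy(actions):
    """Constructed sample: the question's policy shape with the given actions."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": actions,
         "Resource": [f"arn:aws:s3:::{b}", f"arn:aws:s3:::{b}/*"]}
        for b in ("BUCKET_A", "BUCKET_B")]}

ORIGINAL = ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"]

if __name__ == "__main__":
    for side, action in missing_actions(s3_policy(ORIGINAL), "BUCKET_A", "BUCKET_B"):
        print(f"{side}: missing {action}")
```

To keep the grant least-privilege, add each tagging action only on the side that needs it rather than widening both statements to `s3:*`.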

Author by

Carlos Andres


Updated on September 16, 2021

Comments

  • Carlos Andres over 2 years

    I'm trying to copy files from a bucket in account A to another bucket in account B. When I try to sync the files with the command

    aws s3 sync s3://BUCKET_A s3://BUCKET_B

    It returns the following output:

    copy failed: s3://BUCKET_A to s3://BUCKET_B An error occurred (AccessDenied) when calling the CopyObject operation: Access Denied
    

    This is the policy that was attached to the user created in account B (where the files from bucket A will be copied):

    {
        "Version": "2012-10-17",
        "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "s3:ListBucket",
                  "s3:GetObject",
                  "s3:PutObject",
                  "s3:PutObjectAcl"
              ],
              "Resource": [
                  "arn:aws:s3:::BUCKET_A",
                  "arn:aws:s3:::BUCKET_A/*"
              ]
          },
          {
              "Effect": "Allow",
              "Action": [
                  "s3:ListBucket",
                  "s3:GetObject",
                  "s3:PutObject",
                  "s3:PutObjectAcl"
              ],
              "Resource": [
                  "arn:aws:s3:::BUCKET_B",
                  "arn:aws:s3:::BUCKET_B/*"
              ]
          }
        ]
    }
    

    Am I probably missing some permission? I can't find a CopyObject permission to add to my user/bucket policy.

  • pmadhu over 2 years
    Hi Nikhil, Improve your answer with additional information. Like explaining your code for better understanding.