Why can my IAM user create a bucket but not upload to it?

First you need to understand that bucket names are unique across the whole Amazon domain. So if a user already has a bucket named "backup", you will not be able to create a new one with this name.

That being said, you have two main ways to manage bucket permissions.

  • When creating a bucket you should have the permission to upload/download by default. You can check this by going to your bucket, clicking on your bucket name, then "properties" and finally "permission". Here, please check that your IAM user is listed in the granted permissions. You can add other permissions if needed.
  • Otherwise, you can also use a bucket policy (same place as the permissions mentioned above). You will find bucket policy examples here. As an example, something like this one should make your bucket public:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "myPolicy",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "*",
                "Resource": [
                    "arn:aws:s3:::YOUR_BUCKET_NAME/*",
                    "arn:aws:s3:::YOUR_BUCKET_NAME"
                ]
            }
        ]
    }
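
As an added illustration (not code from the answer, the question, or AWS), the following Python snippet implements a simplified IAM policy evaluation (explicit Deny wins, then Allow, otherwise implicit deny) over the policies discussed on this page: it shows that the AmazonS3FullAccess policy quoted in the question allows PutObject on the bucket, and it flags the answer's bucket policy as public because of `"Principal": "*"`, beside a scoped alternative that grants only one IAM user. The scoped policy, its account id and user name are placeholders; Condition, NotAction and NotResource are not modelled.

```python
import fnmatch
import json

# Constructed sample policies for this example (not taken from AWS docs).
# Identity policy with the same content as the AmazonS3FullAccess policy quoted in the question.
IDENTITY_POLICY = json.loads('{"Version": "2012-10-17", "Statement": '
                             '[{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}')
# The bucket policy from the answer: Principal "*" means anyone, authenticated or not.
PUBLIC_BUCKET_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [{
    "Sid": "myPolicy", "Effect": "Allow", "Principal": "*", "Action": "*",
    "Resource": ["arn:aws:s3:::YOUR_BUCKET_NAME/*", "arn:aws:s3:::YOUR_BUCKET_NAME"]}]}''')
# A scoped alternative (placeholder account id and user): only one IAM user, only three actions.
SCOPED_BUCKET_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [{
    "Sid": "backupUserOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:user/backup-user"},
    "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::YOUR_BUCKET_NAME/*", "arn:aws:s3:::YOUR_BUCKET_NAME"]}]}''')

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, target, case_sensitive):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # Action names are case-insensitive; resource ARNs are compared as written.
    if not case_sensitive:
        target, patterns = target.lower(), [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(target, p) for p in _as_list(patterns))

def evaluate(policies, action, resource):
    """Simplified IAM logic: an explicit Deny wins, otherwise any Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt.get("Action", []), action, case_sensitive=False):
                continue
            if not _matches(stmt.get("Resource", []), resource, case_sensitive=True):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def public_statements(bucket_policy):
    """Sids of Allow statements that grant to everyone (Principal "*" or {"AWS": "*"})."""
    return [stmt.get("Sid", "<no Sid>") for stmt in bucket_policy["Statement"]
            if stmt["Effect"] == "Allow" and stmt.get("Principal") in ("*", {"AWS": "*"})]
```

Running `public_statements` over a bucket policy before applying it is a cheap way to catch an accidental public grant like the one in the answer.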

Updated on September 18, 2022

Comments

  • Darren Cook
    Darren Cook over 1 year

    UPDATE: everything works fine the next day!?! So I think the answer might be that you have to wait some period of time, either after creating a new IAM user, or after creating a new bucket, before uploads will work.
    I created a dedicated IAM user, then did aws configure, and gave the key, and specified the "eu-west-1" region. I can see the correct information in ~/.aws/config.

    I tried aws s3 mb s3://backup but got told it already existed. aws s3 ls confirmed it did not. However aws s3 mb s3://backup-specialtest did work.

    But when I try aws s3 cp test.tgz s3://backup-specialtest I get:

    A client error (AccessDenied) occurred when calling the CreateMultipartUpload operation: Anonymous users cannot initiate multipart uploads.  Please authenticate.
    

    It is not just big files that are the problem. I made a 6-byte text file, and tried to upload with aws s3 cp test.txt s3://backup-specialtest/ but get:

    upload failed: ./test.txt to s3://backup-specialtest/test.txt A client error (AccessDenied) occurred when calling the PutObject operation: Access Denied
    

    Trying aws s3 ls s3://backup-specialtest gives me:

    A client error (AccessDenied) occurred when calling the ListObjects operation: Access Denied
    

    Trying aws s3api get-bucket-acl --bucket backup-specialtest gives me:

    A client error (AccessDenied) occurred when calling the GetBucketAcl operation: Access Denied
    

    I had already attached the "AmazonS3FullAccess" policy to my user, in the AWS web console. When I click show policy I get:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:*",
          "Resource": "*"
        }
      ]
    }
    

    That looks good: he can do all S3 actions, on all resources.

    While writing this I thought I'd double-check I could still create a new bucket, and hadn't broken anything along the way. So I tried aws s3 mb s3://another-test and got:

    make_bucket failed: s3://another-test/ A client error (BucketAlreadyExists) occurred when calling the CreateBucket operation: The requested bucket name is not available. The bucket namespace is shared by all users of the system. Please select a different name and try again.
    

    But when I try: aws s3 mb s3://another-test-2 I get success:

    make_bucket: s3://another-test-2/
    

    And it is there: aws s3 ls

    2015-11-13 11:07:10 another-test-2
    2015-11-13 10:18:53 backup-specialtest
    2014-08-05 21:00:33 something-older
    

    (That last bucket appears to have been created by the root user, last year, and is empty.)

    • EEAA
      EEAA over 8 years
      FYI, in normal usage, there is precisely zero propagation delay when assigning IAM policy. That's not to say there wasn't some other issue going on in your situation that caused temporary delays.
  • Darren Cook
    Darren Cook over 8 years
    Thanks; I didn't realize bucket names had to be globally unique. I just updated my question to say everything just worked today. Both yesterday and today the permissions had a single entry for the account owner (not explicitly my IAM user). But as it is now working, with those settings, that must be acceptable.
  • Tom
    Tom over 8 years
    Glad it's working now :)