Why can my IAM user create a bucket but not upload to it?
First you need to understand that bucket names are unique across the whole Amazon domain. So if a user already has a bucket named "backup", you will not be able to create a new one with this name.
That being said, you have two main ways to manage permissions of buckets.
- When creating a bucket you should have the permission to upload/download by default. You can check this by going to your bucket, clicking on your bucket name, then "properties" and finally "permission". Here, please check that your IAM user is listed in the granted permissions. You can add other permissions if needed.
- Otherwise, you also can use a bucket policy (same place as the permissions mentioned above). You will find bucket policy examples here. As an example, something like this one should make your bucket public:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "myPolicy",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "*",
                "Resource": [
                    "arn:aws:s3:::YOUR_BUCKET_NAME/*",
                    "arn:aws:s3:::YOUR_BUCKET_NAME"
                ]
            }
        ]
    }
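The policy above grants every principal, anonymous callers included, every S3 action on the bucket and its objects. As an added example (not part of this answer or of any AWS library), the Python script below builds a bucket policy scoped to a single IAM user with only list, upload and download, and runs a simplified policy evaluator over both documents so you can see which requests each one permits. The bucket name, account id and user ARN are constructed placeholders, and the evaluator handles only Principal, Action, Resource and Effect; real AWS evaluation also considers Conditions, identity policies, SCPs, ACLs and Block Public Access.

```python
import json
import re

# Constructed placeholders, not values from the original page.
BUCKET = "backup-specialtest"
USER_ARN = "arn:aws:iam::123456789012:user/backup-uploader"

# Same shape as the "make your bucket public" policy in the answer above:
# any principal (including anonymous), any action, on the bucket and every object.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "myPolicy",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "*",
        "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"],
    }],
}


def least_privilege_policy(bucket, principal_arn):
    """Bucket policy granting one IAM principal list, upload and download only.
    s3:ListBucket applies to the bucket ARN; object actions apply to bucket/*."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowListing",
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn},
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "AllowObjectReadWrite",
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn},
                "Action": ["s3:PutObject", "s3:GetObject"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case=False):
    """IAM-style matching: '*' is any run of characters, '?' any single one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _principal_matches(principal, caller_arn):
    """'*' covers everyone, anonymous included; {"AWS": ...} names specific principals.
    caller_arn=None models an unauthenticated (anonymous) request."""
    if principal == "*":
        return True
    if caller_arn is None or not isinstance(principal, dict):
        return False
    allowed = _as_list(principal.get("AWS", []))
    return "*" in allowed or caller_arn in allowed


def is_allowed(policy, caller_arn, action, resource):
    """Simplified evaluation of one bucket policy: an explicit Deny wins, otherwise
    any matching Allow grants, otherwise the default is deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], caller_arn):
            continue
        # Action names match case-insensitively, resource ARNs case-sensitively.
        if not any(_wildcard_match(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def compare_policies():
    """Evaluate the same requests against both policies: (public, scoped) per request."""
    bucket_arn = f"arn:aws:s3:::{BUCKET}"
    obj_arn = f"{bucket_arn}/test.tgz"
    requests = [
        (USER_ARN, "s3:ListBucket", bucket_arn),
        (USER_ARN, "s3:PutObject", obj_arn),
        (USER_ARN, "s3:DeleteObject", obj_arn),
        (None, "s3:GetObject", obj_arn),      # anonymous read
        (None, "s3:DeleteObject", obj_arn),   # anonymous delete
    ]
    scoped = least_privilege_policy(BUCKET, USER_ARN)
    return {
        (caller or "anonymous", action): (
            is_allowed(PUBLIC_POLICY, caller, action, res),
            is_allowed(scoped, caller, action, res),
        )
        for caller, action, res in requests
    }


if __name__ == "__main__":
    print(json.dumps(least_privilege_policy(BUCKET, USER_ARN), indent=2))
    for (who, action), (public, scoped) in compare_policies().items():
        print(f"{who:<50} {action:<16} public={public!s:<5} scoped={scoped}")
```

Running it shows the public policy allowing anonymous GetObject and DeleteObject, while the scoped policy allows only the named user's list, put and get. Note that within a single account an Allow in either the identity policy or the bucket policy is sufficient (absent an explicit Deny), so a user holding AmazonS3FullAccess, as in the question, needs no bucket policy at all to upload; a public bucket policy is not the fix for an IAM user's access problem.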
Updated on September 18, 2022
Comments
- Darren Cook over 1 year
UPDATE: everything works fine the next day!?! So I think the answer might be that you have to wait some period of time, either after creating a new IAM user, or after creating a new bucket, before uploads will work.
I created a dedicated IAM user, then did
aws configure
and gave the key, and specified the "eu-west-1" region. I can see the correct information in ~/.aws/config. I tried
aws s3 mb s3://backup
but got told it already existed.
aws s3 ls
confirmed it did not. However
aws s3 mb s3://backup-specialtest
did work. But when I try
aws s3 cp test.tgz s3://backup-specialtest
I get:
A client error (AccessDenied) occurred when calling the CreateMultipartUpload operation: Anonymous users cannot initiate multipart uploads. Please authenticate.
It is not just big files that are the problem. I made a 6-byte text file, and tried to upload with
aws s3 cp test.txt s3://backup-specialtest/
but get:
upload failed: ./test.txt to s3://backup-specialtest/test.txt A client error (AccessDenied) occurred when calling the PutObject operation: Access Denied
Trying
aws s3 ls s3://backup-specialtest
gives me:
A client error (AccessDenied) occurred when calling the ListObjects operation: Access Denied
Trying
aws s3api get-bucket-acl --bucket backup-specialtest
gives me:
A client error (AccessDenied) occurred when calling the GetBucketAcl operation: Access Denied
I had already attached the "AmazonS3FullAccess" policy to my user, in the AWS web console. When I click show policy I get:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}
That looks good: he can do all S3 actions, on all resources.
While writing this I thought I'd double-check I could still create a new bucket, and hadn't broken anything along the way. So I tried
aws s3 mb s3://another-test
and got:
make_bucket failed: s3://another-test/ A client error (BucketAlreadyExists) occurred when calling the CreateBucket operation: The requested bucket name is not available. The bucket namespace is shared by all users of the system. Please select a different name and try again.
But when I try:
aws s3 mb s3://another-test-2
I get success:
make_bucket: s3://another-test-2/
And it is there:
aws s3 ls
2015-11-13 11:07:10 another-test-2
2015-11-13 10:18:53 backup-specialtest
2014-08-05 21:00:33 something-older
(That last bucket appears to have been created by the root user, last year, and is empty.)
- EEAA over 8 years: FYI, in normal usage, there is precisely zero propagation delay when assigning IAM policy. That's not to say there wasn't some other issue going on in your situation that caused temporary delays.
- Darren Cook over 8 years: Thanks; I didn't realize bucket names had to be globally unique. I just updated my question to say everything just worked today. Both yesterday and today the permissions had a single entry for the account owner (not explicitly my IAM user). But as it is now working, with those settings, that must be acceptable.
- Tom over 8 years: glad it's working now :)