AWS S3: An error occurred (AccessDenied) when calling the GetObject operation: Access Denied

时间:2019-02-18 00:44:52

标签: amazon-web-services amazon-s3 aws-cli

I have an AWS account with read/write permissions as shown below: enter image description here

I'd like to make it so that an IAM user can download files from an S3 bucket but I'm getting access denied when executing aws s3 sync s3://<bucket_name> . I have tried various things, but not to avail. Some steps that I did:

  1. Created a user called s3-full-access
  2. Executed aws configure in my CLI and entered the generated access key id and secret access key for the above user
  3. Created a bucket policy (shown below) that I'd hoped grants access for my user created in first step.

enter image description here

My bucket has a folder name AffectivaLogs in which files were being added anonymously by various users, and it seems like though the bucket is public, the folder inside it is not and I am not even able to make it public, and it leads to following error.

enter image description here

Following are the public access settings:

enter image description here

Update: I updated the bucket policy as follows, but it doesn't work.

enter image description here

3 个答案:

答案 0 :(得分:0)

为了测试这种情况,我做了以下事情:

  • 创建了一个 IAM用户,没有附加政策
  • 创建了一个 Amazon S3存储桶
  • 关闭S3阻止公共访问设置:
    • 阻止新的公共存储桶策略
    • 如果存储桶具有公共策略,则阻止公共和跨帐户访问
  • 添加了存储桶策略,为IAM用户授予s3:*对存储桶的内容的访问权限

然后我跑aws s3 sync并得到Access Denied

然后,我修改了策略以允许访问存储桶本身

{
    "Id": "Policy",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "statement",
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::my-bucket/*",
                "arn:aws:s3:::my-bucket"
            ],
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:user/stack-user"
                ]
            }
        }
    ]
}

这行得通。

底线::除了存储桶的内容之外,还添加访问存储桶的权限。 (我怀疑这是因为aws s3 sync除了访问对象本身之外,还需要列出存储桶内容。)

答案 1 :(得分:0)

您可以使用所需的 principal

配置 S3 策略 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListBucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::accountId:user/*
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::bucket"
        },
        {
            "Sid": "GetObjects",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::accountId:user/*
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket/*"
        }
    ]
}

或者您可以创建 IAM 策略并将其附加到角色

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListBucket",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::bucket"
        },
        {
            "Sid": "GetObject",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::bucket/*"
        }
    ]
}

答案 2 :(得分:0)

如果您使用对存储桶启用的 KMS 加密,您还应该添加允许您使用 KMS 密钥解密数据的策略。

相关问题
最新问题