Getting Access Denied when calling the PutObject operation with bucket-level permission

醉话见心 2020-12-12 13:37

I followed the example on http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html#iam-policy-example-s3 for how to grant a user access to just one buck

14 answers
  • 2020-12-12 13:48

    Put object operation with bucket level permission can be solved by allowing all permissions in bucket policy

    "Action": "*",
    
  • 2020-12-12 13:51

    I was having the same error message for a mistake I made: Make sure you use a correct s3 uri such as: s3://my-bucket-name/

    (If my-bucket-name is at the root of your aws s3 obviously)

    I insist on that because when copy pasting the s3 bucket from your browser you get something like https://s3.console.aws.amazon.com/s3/buckets/my-bucket-name/?region=my-aws-region&tab=overview

    Thus I made the mistake to use s3://buckets/my-bucket-name which raises:

    An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

  • 2020-12-12 13:52

    In case this helps out anyone else, in my case, I was using a CMK (it worked fine using the default aws/s3 key)

    I had to go into my encryption key definition in IAM and add the programmatic user logged into boto3 to the list of users that "can use this key to encrypt and decrypt data from within applications and when using AWS services integrated with KMS.".

  • 2020-12-12 13:58

    If you have set public access for the bucket and it is still not working, edit the bucket policy and paste the following:

        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": [
                        "s3:PutObject",
                        "s3:PutObjectAcl",
                        "s3:GetObject",
                        "s3:GetObjectAcl",
                        "s3:DeleteObject"
                    ],
                    "Resource": [
                        "arn:aws:s3:::yourbucketnamehere",
                        "arn:aws:s3:::yourbucketnamehere/*"
                    ],
                    "Effect": "Allow",
                    "Principal": "*"
                }
            ]
        }
    
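Added example (not part of any answer in this thread, and not AWS's own evaluation logic): a simplified Python check of the two things the policy above depends on. `s3:PutObject` is evaluated against the object ARN (`bucket/key`), so an Allow whose `Resource` is only the bucket ARN does not cover it, and a statement with `"Principal": "*"` grants its actions to everyone. The bucket name `example-bucket`, the sample policies and all function names are constructed for illustration; Deny statements, `Condition`, and `NotAction`/`NotResource` are ignored.

```python
import re

def _match(pattern, value, ignore_case=False):
    # IAM-style wildcards: '*' is any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allows(policy, action, resource):
    """True if some Allow statement covers (action, resource).
    Simplified: Deny, Condition, Principal and Not* elements are ignored."""
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if (any(_match(a, action, True) for a in _as_list(st.get("Action", [])))
                and any(_match(r, resource) for r in _as_list(st.get("Resource", [])))):
            return True
    return False

def public_actions(policy):
    """Actions that unconditional Allow statements grant to every principal."""
    found = []
    for st in _as_list(policy["Statement"]):
        p = st.get("Principal")
        everyone = p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))
        if st.get("Effect") == "Allow" and everyone and "Condition" not in st:
            found.extend(_as_list(st.get("Action", [])))
    return found

# Constructed sample policies; "example-bucket" is a placeholder name.
BUCKET = "arn:aws:s3:::example-bucket"
BUCKET_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:PutObject"], "Resource": BUCKET}]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"], "Resource": BUCKET + "/*"}]}
PUBLIC = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": [BUCKET, BUCKET + "/*"]}]}

if __name__ == "__main__":
    obj = BUCKET + "/reports/2020.csv"
    for name, pol in [("bucket-only", BUCKET_ONLY), ("scoped", SCOPED), ("public", PUBLIC)]:
        print(name, "PutObject allowed:", allows(pol, "s3:PutObject", obj),
              "| granted to everyone:", public_actions(pol))
```
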
  • 2020-12-12 13:59

    If you have specified your own customer managed KMS key for S3 encryption you also need to provide the flag --server-side-encryption aws:kms, for example:

    aws s3api put-object --bucket bucket --key objectKey --body /path/to/file --server-side-encryption aws:kms

    If you do not add the flag --server-side-encryption aws:kms the cli displays an AccessDenied error

  • 2020-12-12 14:00

    For me I was using expired auth keys. Generated new ones and boom.
