Question
I have a bucket that I can write to with no problem. However, when I try to delete an object, I get an error ...
AccessDeniedException in NamespaceExceptionFactory.php line 91
Following the very basic example here, I came up with this command ...
$result = $s3->deleteObject(array(
    'Bucket' => $bucket,
    'Key'    => $keyname
));
I have tried variations of this based upon other tutorials and questions I have found.
$result = $s3->deleteObject(array(
    'Bucket'         => $bucket,
    'Key'            => $keyname,
    'Content-Type'   => $contentType,
    'Content-Length' => 0
));
But everything produces the same error. Any suggestions?
Answer 1:
A user may be able to create an object in a bucket, but that doesn't necessarily imply that the same user can delete the object that he/she created.
S3 permissions can be granular at the resource level (bucket/prefix), where the actions your role can take could be one or many of the permissions (see: http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html).
It looks like you have the s3:PutObject permission but not s3:DeleteObject.
Answer 2:
It's quite common to have write permission (a user that just writes the data to S3) and a separate delete permission with another user (to avoid accidental deletes).
You can check whether you really have access to the specific bucket actions: use the iam get-role-policy API to view the permissions you have for the role that you are using to try to delete. Here is an example:
$ aws iam get-role-policy --role-name <<your-role-name>> --policy-name <<your-policy-name>>
{
    "RoleName": "myrolename",
    "PolicyDocument": {
        "Version": "yyyy-mm-dd",
        "Statement": [
            {
                "Action": [
                    "s3:AbortMultipartUpload",
                    "s3:DeleteObject",
                    "s3:Get*",
                    "s3:List*",
                    "s3:ListBucket",
                    "s3:PutObject*"
                ],
                "Resource": [
                    "arn:aws:s3:::bucket1/*",
                    "arn:aws:s3:::bucket2/*"
                ],
                "Effect": "Allow",
                "Sid": "yyyy"
            }
        ]
    },
    "PolicyName": "mypolicyname"
}
Most likely, in your case you don't have the "s3:DeleteObject" action for that resource (bucket/prefix).
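Both answers come down to the same point: the policy attached to the role grants some S3 actions on the bucket but not s3:DeleteObject. The following is an added example (not code from either answer or from the AWS SDK) that takes a policy document shaped like the get-role-policy output above and evaluates it the way IAM evaluates Allow and Deny statements: explicit Deny beats Allow, Allow beats the implicit deny, `*` and `?` are wildcards, action names are matched case-insensitively and resource ARNs case-sensitively. Both policy documents, the bucket names and the object keys are constructed for the example; conditions, bucket policies and SCPs are deliberately out of scope.

```python
import json
import re

# Constructed inline policy, modelled on the get-role-policy output in the answer
# above but with s3:DeleteObject deliberately absent (the asker's likely situation).
WRITE_ONLY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "WriteOnly",
      "Effect": "Allow",
      "Action": ["s3:PutObject*", "s3:Get*", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::bucket1/*", "arn:aws:s3:::bucket1"]
    }
  ]
}
""")

# Constructed corrected policy: the missing action is added, and an explicit Deny
# keeps one prefix undeletable (an explicit Deny always wins in IAM evaluation).
WRITE_AND_DELETE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "WriteAndDelete",
      "Effect": "Allow",
      "Action": ["s3:PutObject*", "s3:Get*", "s3:ListBucket", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::bucket1/*", "arn:aws:s3:::bucket1"]
    },
    {
      "Sid": "ProtectArchive",
      "Effect": "Deny",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::bucket1/archive/*"
    }
  ]
}
""")


def _iam_pattern_to_regex(pattern: str) -> str:
    """Translate IAM wildcards (* = any run, ? = one char) into an anchored regex."""
    body = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return "^" + body + "$"


def _matches(pattern: str, value: str, ignore_case: bool) -> bool:
    flags = re.IGNORECASE if ignore_case else 0
    return re.match(_iam_pattern_to_regex(pattern), value, flags) is not None


def _as_list(x):
    """IAM allows Action and Resource to be either a single string or a list."""
    return x if isinstance(x, list) else [x]


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Simplified IAM decision for one action on one resource ARN.

    Returns "ExplicitDeny", "Allow" or "ImplicitDeny". Action names are matched
    case-insensitively; resource ARNs are matched case-sensitively.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action, True) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource, False) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # a matching Deny ends evaluation immediately
        decision = "Allow"
    return decision


def missing_actions(policy: dict, resource: str,
                    wanted=("s3:PutObject", "s3:GetObject", "s3:DeleteObject")) -> list:
    """List the wanted actions that the policy does not Allow on the resource."""
    return [a for a in wanted if evaluate(policy, a, resource) != "Allow"]


if __name__ == "__main__":
    key = "arn:aws:s3:::bucket1/uploads/report.csv"  # constructed object ARN
    for name, pol in (("write-only", WRITE_ONLY_POLICY), ("write+delete", WRITE_AND_DELETE_POLICY)):
        print(name, "DeleteObject ->", evaluate(pol, "s3:DeleteObject", key),
              "| missing:", missing_actions(pol, key))
```

Running it reports that the write-only policy allows s3:PutObject and s3:GetObject on the object but leaves s3:DeleteObject as an implicit deny, which is exactly the AccessDenied the asker sees; the corrected policy allows the delete, except under the protected prefix where the explicit Deny wins. For the real thing, `aws iam simulate-principal-policy` evaluates the full policy set (including conditions and attached managed policies) for a given principal, action and resource ARN.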
Source: https://stackoverflow.com/questions/42658141/aws-s3-access-denied-on-delete