digitalwise
asked on
Copying to an AWS S3 bucket from my local computer - access denied
We are trying to copy a file using the CLI for AWS to an S3 bucket.
aws s3 cp e:\myfolder\2020\11\15 s3://xmode-data-exports/XXXXX/2020/11/15 --recursive --include *
We are getting an error message: An error occurred (AccessDenied) when calling the GetObjectTagging operation: Access Denied
We have a policy on the bucket:
{
    "Version": "2012-10-17",
    "Id": "PolicyXXX",
    "Statement": [
        {
            "Sid": "StmtXXXX",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::XXXXX:user/transfer2"
            },
            "Action": [
                "s3:GetObject",
                "s3:Get*",
                "s3:List*",
                "s3:ObjectOwnerOverrideToBucketOwner",
                "s3:PutObject",
                "s3:GetObjectTagging",
                "s3:PutObjectTagging",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::bucket",
                "arn:aws:s3:::bucket/*"
            ]
        }
    ]
}
Any ideas? These permissions are going to be the death of me.
ASKER
Some further information - I can copy from the source bucket to my local computer and I can then copy the file from my local computer to my destination bucket (that we own) using the IAM from my server. The IAM has access to both buckets (clearly since I can move files) but if I do a direct copy from the source bucket to the destination bucket we get An error occurred (AccessDenied) when calling the GetObjectTagging operation: Access Denied.
That permission is on the IAM for both source and destination buckets.
You can restrict access using an IAM policy or a bucket policy. Since you are using the same IAM role, please check whether there is any bucket policy or ACLs set inside the bucket.
Hope the bucket owners are the same for source and target.
You can use the AWS Policy Simulator to check if the IAM user you are using for this operation has the right permissions.
https://policysim.aws.amazon.com/home/index.jsp?#
ASKER
Thank you!
Check the IAM policy attached to the transfer2 user. (Ensure the transfer2 user has sufficient rights for the above actions. If you are not sure, assign S3 admin access and test.)
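An offline version of the check suggested in the answers above (policy simulator, reviewing the policies that apply to transfer2), added here as an example and not posted by anyone in the thread: it reports which calls of a direct bucket-to-bucket copy a given policy document does not allow for a given resource ARN. The call list in `copy_requests`, the helper names and the bucket name `other-bucket` are assumptions, and the matcher is simplified (no Deny, Condition, NotAction or NotResource).

```python
import re

# Bucket policy statement as posted in the question (placeholders unchanged).
POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::XXXXX:user/transfer2"},
    "Action": ["s3:GetObject", "s3:Get*", "s3:List*",
               "s3:ObjectOwnerOverrideToBucketOwner", "s3:PutObject",
               "s3:GetObjectTagging", "s3:PutObjectTagging", "s3:PutObjectAcl"],
    "Resource": ["arn:aws:s3:::bucket", "arn:aws:s3:::bucket/*"],
}]}
USER = "arn:aws:iam::XXXXX:user/transfer2"

def _match(pattern, value, ignore_case=False):
    # IAM wildcards: * is any run of characters, ? is exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allowed_by(policy, principal, action, resource):
    """True if an Allow statement covers principal, action and resource.
    Simplified: ignores Deny, Condition, NotAction and NotResource."""
    for st in _as_list(policy["Statement"]):
        p = st.get("Principal", {})
        who = ["*"] if p == "*" else _as_list(p.get("AWS", []))
        if (st.get("Effect") == "Allow"
                and any(w in ("*", principal) for w in who)
                and any(_match(a, action, True) for a in _as_list(st.get("Action", [])))
                and any(_match(r, resource) for r in _as_list(st.get("Resource", [])))):
            return True
    return False

def copy_requests(src_bucket, dst_bucket, key):
    # Assumed call set for a direct bucket-to-bucket copy of one key.
    src, dst = f"arn:aws:s3:::{src_bucket}", f"arn:aws:s3:::{dst_bucket}"
    return [("s3:ListBucket", src), ("s3:GetObject", f"{src}/{key}"),
            ("s3:GetObjectTagging", f"{src}/{key}"),
            ("s3:PutObject", f"{dst}/{key}"),
            ("s3:PutObjectTagging", f"{dst}/{key}")]

def missing(policy, principal, requests):
    return [req for req in requests if not allowed_by(policy, principal, *req)]

if __name__ == "__main__":
    # Constructed names: "bucket" is the policy's placeholder, "other-bucket" is made up.
    for a, r in missing(POLICY, USER, copy_requests("other-bucket", "bucket", "2020/11/15/f.csv")):
        print("not granted by this policy:", a, r)
```

Listing `s3:GetObjectTagging` under `Action` only helps when a `Resource` entry in the same statement matches the object being read, so run the check against each policy that applies (source bucket, destination bucket, and the user's own IAM policy).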