Put - Access Denied with s3:PutObject policy #813
Comments
I think this might be our bug. I wasn't aware of the need for a This appears to work:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::foo/bar/*"
      ],
      "Effect": "Allow"
    }
  ]
}
```
|
Well, I'll reopen this issue for thought because the error message was unhelpful. It could have told me that it was doing a |
+1 I had the same problem and I solved it adding |
+1 Thanks for this issue! That solved it for me as well. A better error message would be helpful, though. |
I think our best bet here would be to update our documentation. Part of the problem from the CLI side is that we don't actually know why the request failed. The error message we display is taken directly from the XML response returned by S3:
So this could fail because of the missing Leaving this open and tagging as documentation so we'll get all the s3 docs updated with the appropriate policies needed. |
+1 of PutObjectAcl being the culprit of much pain in my deployment as well |
+1 |
+1 |
To summarize, this issue happens when you try to set an ACL on an object via the
Given my previous comment, I'd propose updating the documentation for Thoughts? cc @kyleknap @mtdowling @rayluo @JordonPhillips |
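The permission gap discussed in this thread, as an added example that is not part of the original issue or of the aws-cli code: an offline check of which S3 actions an identity policy leaves uncovered for an upload, assuming an upload that sets an ACL needs `s3:PutObjectAcl` in addition to `s3:PutObject`. The function names and sample policies are hypothetical, and the model is deliberately simplified: conditions, `NotAction`/`NotResource`, bucket policies and KMS permissions are not evaluated.

```python
import fnmatch

# Simplified model (assumption): only Effect/Action/Resource are evaluated.
# Condition, NotAction, NotResource, bucket policies and SCPs are ignored.

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, ignore_case=False):
    # IAM wildcards are '*' and '?'; '[' is escaped so fnmatch keeps it literal.
    for pattern in _as_list(patterns):
        pattern = pattern.replace("[", "[[]")
        if ignore_case:
            pattern, value = pattern.lower(), value.lower()
        if fnmatch.fnmatchcase(value, pattern):
            return True
    return False

def is_allowed(policy, action, resource):
    """Explicit Deny wins; otherwise at least one Allow must match."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if "Action" not in stmt or "Resource" not in stmt:
            continue  # NotAction/NotResource statements are out of scope here
        if _matches(stmt["Action"], action, ignore_case=True) and \
           _matches(stmt["Resource"], resource):
            if stmt.get("Effect") == "Deny":
                return False
            allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed

def missing_upload_actions(policy, bucket, key, sets_acl):
    """Return the S3 actions an upload needs that the policy does not allow."""
    required = ["s3:PutObject"]
    if sets_acl:
        required.append("s3:PutObjectAcl")  # needed when the upload sets an ACL
    arn = f"arn:aws:s3:::{bucket}/{key}"
    return [a for a in required if not is_allowed(policy, a, arn)]

# Constructed sample policies, reusing the bucket/prefix shown in the thread.
PUT_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:PutObject"],
    "Resource": ["arn:aws:s3:::foo/bar/*"]}]}
PUT_AND_ACL = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:PutObject", "s3:PutObjectAcl"],
    "Resource": ["arn:aws:s3:::foo/bar/*"]}]}

if __name__ == "__main__":
    print(missing_upload_actions(PUT_ONLY, "foo", "bar/file.txt", sets_acl=True))
```

Running a role's policy through `missing_upload_actions` before deployment names the uncovered action directly, which the generic `AccessDenied` response from S3 does not.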
Also updated one of the ``s3 cp`` examples using the ``--acl`` option to show an example policy. Closes aws#813.
@jamesls a slightly more discoverable fix would be to say "A client error (AccessDenied) occurred when calling the PutObjectAcl operation", since that would make it clear what's failing and that it's missing from my policy. Otherwise I'll just see the error complaining that it tried to |
Not sure how possible that would be to implement because the actual command we're invoking is |
this really caused me some time to debug. |
@jamesls I didn't use --acl, but still my command gives error " access denied when calling the put operation".. What could be the reason? |
@jamesls I think the error message being generic is fine, but the help to debug is not. There is no mention of ACL or policy problems to guide developers to the right place(s) to check. |
@jamesls when I use --exclude "folder/" is not working with nested folders. |
why does "aws cp" cli tool work without the "s3:PutObjectAcl" ? |
An error occurred (AccessDenied) when calling the PutObject operation: Access Denied |
Note: the failed call to |
|
This still happens. In my case, CodeBuild was telling me that |
currently stabbing my eyes out trying to figure this out! lol |
Uploading a file really shouldn't be that complicated, yet here we are. Never fail to amaze me, AWS. |
Had the same issue with my setup. Turns out if your bucket is encrypted you need to use the |
Experiencing the same issue
Working if I disable default KMS encryption. |
My error that led to the I used |
I encountered a similar issue where including "s3:PutObjectAcl" still did not solve the issue. The issue occurred while using an IAM user belonging to a different AWS account than the S3 Bucket granting access via bucket policy. Changing the Bucket policy to use a Principal role with identical permissions, but belonging to the same AWS Account, solved the issue in this case.
Solution: Use an IAM user belonging to the same AWS Account as the S3 Bucket in question. |
I have the following policy for my instance role:
If I try to
Then I get:
If I change the policy to allow `s3:*` rather than just `PutObject`, then it works. It doesn't work if I add `ListObject`. Any ideas?