AWS S3 access denied error when trying to push a build to S3 #76

Open
ram-nadella opened this issue Jun 14, 2019 · 2 comments

@ram-nadella

Hi,

Thank you for creating and maintaining this plugin.

I've managed to get this plugin working using my personal AWS credentials to get an iOS app build uploaded to S3.

We're working on getting this set up in CI (Circle) and would like to create a dedicated IAM user for use in CI with the bare minimum AWS permissions to allow builds to be uploaded to S3. Before we get this into CI, I am testing with the credentials on my machine, so any CI-related factors are not at play here.

I am running into an Aws::S3::Errors::AccessDenied: [!] Access Denied error after a few attempts trying to set the right permissions on the new IAM account. Wanted to share what I have and try to get help from the community on S3 permissions that work.

We have a bucket dedicated to builds, let's call it bucket-name and the permissions I've tried are as follows, based on this S3 help doc:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::bucket-name"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:*Object",
            "Resource": "arn:aws:s3:::bucket-name/*"
        }
    ]
}

I was still getting the access denied error and so I expanded the permissions to allow the client to be able to list buckets (as per AWS docs):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::bucket-name"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:*Object",
            "Resource": "arn:aws:s3:::bucket-name/*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": "s3:GetBucketLocation",
            "Resource": "*"
        }
    ]
}

But I am still getting the same error:

Aws::S3::Errors::AccessDenied: [!] Access Denied

Any help would be much appreciated!

Environment:

$ ruby --version
ruby 2.6.3p62 (2019-04-16 revision 67580) [x86_64-darwin18]
$ bundle list | grep aws
  * aws-eventstream (1.0.3)
  * aws-sdk (2.11.292)
  * aws-sdk-core (2.11.292)
  * aws-sdk-resources (2.11.292)
  * aws-sigv4 (1.1.0)
  * fastlane-plugin-aws_s3 (1.6.0)
$ bundle list | grep fastlane
  * commander-fastlane (4.4.6)
  * fastlane (2.125.2)
  * fastlane-plugin-aws_s3 (1.6.0)
$
@matthewweldon

This is also happening to me:
Aws::S3::Errors::AccessDenied: [!] Access Denied

Here's my action:

aws_s3(
  access_key: ENV["S3_ACCESS_KEY"],
  secret_access_key: ENV["S3_SECRET_ACCESS_KEY"],
  bucket: ENV["S3_BUCKET"],
  region: "ca-central-1",
  server_side_encryption: "AES256",
  upload_metadata: true,
)

I've triple-checked all those environment variables and can upload files directly with the same credentials. Not sure where to go now.

@matthewweldon

Solved my issue: I had to specify a less public ACL based on the custom default ACL our bucket had. For me it was the following in my action in the Fastfile:
acl: 'bucket-owner-full-control',
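
An added example, not part of the thread or of the plugin's code: a small Ruby check of the first policy posted above against the actions S3 evaluates for an upload. It assumes the upload request carries a canned ACL (as the `acl:` option in the last comment implies), in which case S3 also requires `s3:PutObjectAcl`; the helper names are hypothetical, and Deny statements, NotAction and Condition blocks are not modelled.

```ruby
require "json"

# First policy from the issue above, embedded inline.
POLICY = JSON.parse(<<~JSON)
  {
    "Version": "2012-10-17",
    "Statement": [
      { "Sid": "VisualEditor0", "Effect": "Allow",
        "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::bucket-name" },
      { "Sid": "VisualEditor1", "Effect": "Allow",
        "Action": "s3:*Object", "Resource": "arn:aws:s3:::bucket-name/*" }
    ]
  }
JSON

# IAM-style wildcard match: '*' is any run of characters, '?' is one character.
def iam_glob?(pattern, value, ignore_case: false)
  body = Regexp.escape(pattern).gsub('\*', ".*").gsub('\?', ".")
  Regexp.new("\\A#{body}\\z", ignore_case ? Regexp::IGNORECASE : 0).match?(value)
end

# True when some Allow statement covers the action on the resource.
# Simplification (assumption): Deny, NotAction and Condition are ignored.
def allowed?(policy, action, resource)
  [policy["Statement"]].flatten.any? do |st|
    st["Effect"] == "Allow" &&
      Array(st["Action"]).any? { |a| iam_glob?(a, action, ignore_case: true) } &&
      Array(st["Resource"]).any? { |r| iam_glob?(r, resource) }
  end
end

# Actions the policy fails to allow for uploading `key`. PutObject is always
# needed; PutObjectAcl is needed as well when the request sets an ACL.
def missing_for_upload(policy, bucket, key, acl: nil)
  arn = "arn:aws:s3:::#{bucket}/#{key}"
  needed = acl ? %w[s3:PutObject s3:PutObjectAcl] : %w[s3:PutObject]
  needed.reject { |action| allowed?(policy, action, arn) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample key; the bucket name is the placeholder used in the issue.
  p missing_for_upload(POLICY, "bucket-name", "builds/app.ipa")
  p missing_for_upload(POLICY, "bucket-name", "builds/app.ipa",
                       acl: "bucket-owner-full-control")
end
```

The pattern `s3:*Object` only matches action names that end in `Object`, so it does not cover `s3:PutObjectAcl`. A bucket policy or bucket setting that rejects the requested ACL is a separate cause that this identity-policy check does not model.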
