What is causing Access Denied when using the aws cli to download from Amazon S3?

Solution 1:

I was struggling with this, too, but I found an answer over here https://stackoverflow.com/a/17162973/1750869 that helped resolve this issue for me. Reposting answer below.


You don't have to open permissions to everyone. Use the bucket policies below on the source and destination buckets for copying from a bucket in one account to another using an IAM user.

Bucket to copy from - SourceBucket

Bucket to copy to - DestinationBucket

Source AWS Account ID - XXXX-XXXX-XXXX

Source IAM User - src-iam-user

The policy below means that the IAM user XXXX-XXXX-XXXX:src-iam-user has s3:ListBucket and s3:GetObject privileges on SourceBucket/* and s3:ListBucket and s3:PutObject privileges on DestinationBucket/*.

On the SourceBucket the policy should be like:

{
    "Id": "Policy1357935677554",
    "Statement": [
        {
            "Sid": "Stmt1357935647218",
            "Action": ["s3:ListBucket"],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::SourceBucket",
            "Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src-iam-user"}
        },
        {
            "Sid": "Stmt1357935676138",
            "Action": ["s3:GetObject"],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::SourceBucket/*",
            "Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src-iam-user"}
        }
    ]
}

On the DestinationBucket the policy should be:

{
    "Id": "Policy1357935677554",
    "Statement": [
        {
            "Sid": "Stmt1357935647218",
            "Action": ["s3:ListBucket"],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::DestinationBucket",
            "Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src-iam-user"}
        },
        {
            "Sid": "Stmt1357935676138",
            "Action": ["s3:PutObject"],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::DestinationBucket/*",
            "Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src-iam-user"}
        }
    ]
}

The command to be run is: s3cmd cp s3://SourceBucket/File1 s3://DestinationBucket/File1
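An added example (my own, not part of the answer above and not an AWS tool) that lints a bucket policy document for the kind of copy/paste defects that produce Access Denied even though the policy looks right: a space after "arn:aws:s3:::", an en-dash in place of a hyphen in the IAM user name, a bare "*" principal, or a bucket-level action paired with an object ARN (and vice versa). The sample policy, account id and user name are constructed.

```python
import json
import re

# Constructed sample (not from AWS or the answer above): the source-bucket policy
# with two copy/paste defects left in on purpose, a space after "arn:aws:s3:::"
# and an en-dash (U+2013) in the IAM user name.
SAMPLE_POLICY = """{
  "Statement": [
    {"Sid": "List", "Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": "arn:aws:s3:::SourceBucket",
     "Principal": {"AWS": "arn:aws:iam::123456789012:user/src\u2013iam-user"}},
    {"Sid": "Get", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3::: SourceBucket/*",
     "Principal": {"AWS": "arn:aws:iam::123456789012:user/src-iam-user"}}
  ]
}"""

BUCKET_LEVEL = {"s3:ListBucket", "s3:GetBucketLocation"}  # act on the bucket ARN
OBJECT_LEVEL = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}  # act on bucket/*
ARN_RE = re.compile(r"^arn:aws:(s3|iam)::[0-9]*:\S+$")  # no whitespace allowed


def as_list(value):  # policy fields may be a single string or a list
    return value if isinstance(value, list) else [value]


def lint_bucket_policy(doc: str) -> list:
    """Return (Sid, message) findings for defects that lead to AccessDenied."""
    findings = []
    for st in json.loads(doc)["Statement"]:
        sid = st.get("Sid", "?")
        principal = st.get("Principal", {})
        principals = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        resources = as_list(st.get("Resource", []))
        for arn in resources + principals:
            if arn == "*":
                findings.append((sid, "bare '*' in Principal/Resource grants far more than intended"))
            elif any(ord(c) > 127 for c in arn):
                findings.append((sid, f"non-ASCII character (en-dash?) in ARN {arn!r}"))
            elif not ARN_RE.match(arn):
                findings.append((sid, f"malformed ARN (stray whitespace?) {arn!r}"))
        for action in as_list(st.get("Action", [])):
            for res in resources:
                is_object_arn = "/" in res.split(":::", 1)[-1]
                if action in BUCKET_LEVEL and is_object_arn:
                    findings.append((sid, f"{action} must target the bucket ARN, not objects"))
                elif action in OBJECT_LEVEL and not is_object_arn:
                    findings.append((sid, f"{action} must target objects (bucket ARN + '/*')"))
    return findings
```

Run it over a policy pasted from a web page before applying it; an empty list means none of these defects were found.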

Solution 2:

When I faced the same issue it turned out that AWS required server-side encryption to be enabled. So the following command worked successfully for me:

aws s3 cp test.txt s3://my-s3-bucket --sse AES256

Solution 3:

I wouldn't recommend the 'Any authenticated AWS user' option mentioned by James.

Doing so adds a bucket-level ACL that allows any AWS account (not just your IAM users) to list/delete/modify-acls for that bucket.

I.e. public read/write for anyone with an AWS account.


Solution 4:

I managed to fix this without having to write policies: from the S3 console (web UI) I selected the bucket and in the permissions tab chose "Any Authenticated AWS User" and ticked all the boxes.

UPDATE: as pointed out in the comments, "Any Authenticated AWS User" isn't just users in your account, it's all AWS-authenticated users; please use with caution.


Solution 5:

Even if your IAM policies are set up correctly, you can still get an error like "An error occurred (AccessDenied) when calling the <OPERATION-NAME> operation: Access Denied" due to MFA (Multi-Factor Authentication) requirements on your credentials. These can catch you off guard because, if you've already logged into the AWS console, it will appear that your credentials are working fine, and the permission denied error message from the aws cli is not particularly helpful.

There are some good instructions already on how to set up MFA with aws cli:

  • AWS - Authenticate AWS CLI with MFA Token
  • Stack Overflow -- How to use MFA with AWS CLI?

Basically, you need to get the address of your MFA device, and send that along with the code from your device to get a temporary token.