How can I troubleshoot an S3AccessDenied error from my file gateway's CloudWatch health logs?

Resolution

To resolve an S3AccessDenied error, you must review the permissions policies associated with your file share. Then, you must add any required permissions that are missing. Identify the permissions that you must review based on when you get the Access Denied error:

• Creating the file share and the file share is stuck in the creating or unavailable state
• Writing files to the file share
• Reading files from the file share

Creating the file share and the file share is stuck in the creating or unavailable state

If you get the Access Denied error when creating the file share, and the file share is stuck in the creating or unavailable state, the CloudWatch log is similar to the following:

{
"severity": "ERROR",
"bucket": "AWSDOC-EXAMPLE-BUCKET",
"prefix": "",
"roleArn": "arn:aws:iam::123456789:role/service-role/StorageGatewayBucketAccessRolec6914add-b232-40dc-abef-4a9eeaaed8",
"source": "share-ABCD1234",
"type": "S3AccessDenied",
"operation": "s3:ListObjects",
"gateway": "sgw-ABCD1234",
"timestamp": "1597486809991"
}

Review the following permissions settings:

1.    Check the AWS Identity and Access Management (IAM) role that's associated with your file share to confirm that it has the following permissions for the associated Amazon Simple Storage Service (Amazon S3) bucket:

• s3:GetBucketLocation
• s3:ListBucket

2.    Review the bucket policy of the associated bucket to confirm that there are no explicit deny statements ("Effect": "Deny") that block the access needed for the following permissions:

• s3:GetBucketLocation
• s3:ListBucket

3.    If the Amazon Virtual Private Cloud (Amazon VPC) that the file gateway is in uses a VPC endpoint for Amazon S3, then review the VPC endpoint policy. Confirm that the policy allows your file gateway to access the S3 bucket and objects.

Writing files to the file share

If you get the Access Denied error when writing files to the file share, the CloudWatch log is similar to the following:

{
"severity": "ERROR",
"bucket": "AWSDOC-EXAMPLE-BUCKET",
"prefix": "/test1",
"roleArn": "arn:aws:iam::123456789:role/service-role/StorageGatewayBucketAccessRole0617b6ee-4809-48bc-b646-8dda9e9c32",
"source": "share-ABCD1234",
"type": "S3AccessDenied",
"operation": "S3Upload",
"gateway": "sgw-ABCD1234",
"timestamp": "1597493322178"
}

Review the following permissions settings:

1.    Check the IAM role that's associated with your file share to confirm that it has the following permissions for the associated Amazon S3 bucket:

• s3:PutObject
• s3:PutObjectAcl

2.    Review the bucket policy of the associated bucket to confirm that there are no explicit deny statements ("Effect": "Deny") that block the access that you need for the following permissions:

• s3:PutObject
• s3:PutObjectAcl

3.    If the Amazon VPC that the file gateway is in uses a VPC endpoint for Amazon S3, then review the VPC endpoint policy. Confirm that the policy allows your file gateway to access the S3 bucket and objects.

4.    If the associated S3 bucket is encrypted with AWS Key Management Service (AWS KMS), then review the encryption key's policy. The key policy must grant the following permissions to the IAM role that's associated with your file share:

• kms:Decrypt
• kms:Encrypt
• kms:ReEncrypt
• kms:GenerateDataKey
• kms:DescribeKey

If your file share's IAM role and the AWS KMS key belong to different AWS accounts, then these permissions must be set within both the key policy and the IAM role's policy.

Reading files from the file share

If you get the Access Denied error when reading files from the file share, the CloudWatch log is similar to the following:

{
"severity": "ERROR",
"bucket": "AWSDOC-EXAMPLE-BUCKET",
"prefix": "/test1",
"roleArn": "arn:aws:iam::123456789:role/service-role/StorageGatewayBucketAccessRole0617b6ee-4809-48bc-b646-8dda9e9c32",
"source": "share-ABCD1234",
"type": "S3AccessDenied",
"operation": "s3:HeadObject",
"gateway": "sgw-ABCD12347",
"timestamp": "1597488260202"
}

Review the following permissions settings:

1.    Check the IAM role that's associated with your file share to confirm that it has the following permissions for the associated Amazon S3 bucket:

• s3:GetObject
• s3:GetObjectAcl

2.    Review the bucket policy of the associated bucket to confirm that there are no explicit deny statements ("Effect": "Deny") that block the access that you need for the following permissions:

• s3:GetObject
• s3:GetObjectAcl

3.    If the Amazon VPC that the file gateway is in uses a VPC endpoint for Amazon S3, then review the VPC endpoint policy. Confirm that the policy allows your file gateway to access the S3 bucket and objects.

4.    If the associated S3 bucket is encrypted with AWS KMS, then review the encryption key's policy. The key policy must grant the following permissions to the IAM role that's associated with your file share:

• kms:Decrypt
• kms:Encrypt
• kms:ReEncrypt
• kms:GenerateDataKey
• kms:DescribeKey

If your file share's IAM role and the AWS KMS key belong to different AWS accounts, then these permissions must be set within both the key policy and the IAM role's policy.

Note: The following example IAM policy grants your file share the required permissions for listing a bucket, as well as uploading, downloading, and deleting objects from the bucket (AWSDOC-EXAMPLE-BUCKET):

{
"Version": "2012-10-17",
"Statement": [{
"Action": [
"s3:GetAccelerateConfiguration",
"s3:GetBucketLocation",
"s3:GetBucketVersioning",
"s3:ListBucket",
"s3:ListBucketVersions",
"s3:ListBucketMultipartUploads"
],
"Resource": "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET",
"Effect": "Allow"
},
{
"Action": [
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:ListMultipartUploadParts",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET/*",
"Effect": "Allow"
}
]
}

Related information

Monitoring your file gateway