Access Denied - When running "aws s3api list-buckets" from AWS CLI

Question

Bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::$AccountID:user/$username"
            },
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::$BucketName"
        },
        {
            "Sid": "statement2",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::$AccountID:user/$username"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::$BucketName/*"
        }
    ]
}

From AWS CLI, got the "Access Denied" error when trying the List Bucket command as the above $username:

C:\>aws s3api list-buckets --profile $username

An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied

However, the same command above with the "Default" profile works fine:

C:\>aws s3api list-buckets (works fine)

The AWS CLI installed is the latest version as of today, June 9 2023.

Answer

The bucket may allow the $Username to list buckets, but what is the IAM permissions for the actual $username itself?  Both the IAM permissions for the entity AND the resource policy for the bucket must both allow the action, otherwise you may have the IAM policy associated with the $username causing the deny.

Access Denied - When running "aws s3api list-buckets" from AWS CLI

Contenido relevante