Unable to list s3 buckets using IAM user with AdministratorAccess and AmazonS3FullAccess

0

Hello Folks,

I created an IAM user as per best practice and granted this user the following policies:

  1. AdministratorAccess { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ] }
  2. AmazonS3FullAccess { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:*", "s3-object-lambda:*" ], "Resource": "*" } ] }

And configured the AWS CLI to use the Access keys for the IAM user. When trying to list all the buckets on the account using the IAM user, I am getting the following error: An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied

Don't understand why it's returning an AccessDenied error as the IAM user has the necessary permission to be able to run any action on any resource. Would appreciate some help/guidance on this. Thank you!

2回答
3
承認された回答

There could be a mismatch somewhere, run aws configure list to show the actual credentials that you are using in the AWS CLI right now, and verify that the (partially obscured) access_key and secret_key are those that you expect to be using.

profile picture
エキスパート
Steve_M
回答済み 1年前
profile picture
エキスパート
レビュー済み 4ヶ月前
  • Thank you for your answer on this. I ran: aws configure list and the access_key and secret_key are what I'm expecting the CLI to use. When I run: aws s3 ls (using the root accounts' access key), the buckets are returned without an issue. Don't understand why I'm not able to do the same with the IAM User with admin permissions.

  • As the root user, aws iam list-attached-user-policies --user-name [the_iam_user] and confirm it's definitely got "PolicyName": "AdministratorAccess" and "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess".

    And also as the root user, aws iam list-access-keys --user-name [the_iam_user] the AccessKeyId is definitely what you expect it to be, and its status is Active ?

  • You were right on the money. After running aws iam list-attached-user-policies --user-name [the_iam_user], I noticed AdministratorAccess was not one of the policies attached to the IAM user. I was attaching the policies from a group, for some reason the user didn't inherit the permissions of the group. I added the policy directly to the IAM user and that resolved the issue. Thanks a lot for your help.

1

Run the following command to make sure you are the principle you think you are.

aws sts get-caller-identity

If that is correct, check to see if there is a bucket policy on the bucket that might be denying your request.

profile pictureAWS
エキスパート
kentrad
回答済み 1年前

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ