Unable to list s3 buckets using IAM user with AdministratorAccess and AmazonS3FullAccess

0

Hello Folks,

I created an IAM user as per best practice and granted this user the following policies:

  1. AdministratorAccess { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ] }
  2. AmazonS3FullAccess { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:*", "s3-object-lambda:*" ], "Resource": "*" } ] }

And configured the AWS CLI to use the Access keys for the IAM user. When trying to list all the buckets on the account using the IAM user, I am getting the following error: An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied

Don't understand why it's returning an AccessDenied error as the IAM user has the necessary permission to be able to run any action on any resource. Would appreciate some help/guidance on this. Thank you!

2개 답변
3
수락된 답변

There could be a mismatch somewhere, run aws configure list to show the actual credentials that you are using in the AWS CLI right now, and verify that the (partially obscured) access_key and secret_key are those that you expect to be using.

profile picture
전문가
Steve_M
답변함 일 년 전
profile picture
전문가
검토됨 4달 전
  • Thank you for your answer on this. I ran: aws configure list and the access_key and secret_key are what I'm expecting the CLI to use. When I run: aws s3 ls (using the root accounts' access key), the buckets are returned without an issue. Don't understand why I'm not able to do the same with the IAM User with admin permissions.

  • As the root user, aws iam list-attached-user-policies --user-name [the_iam_user] and confirm it's definitely got "PolicyName": "AdministratorAccess" and "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess".

    And also as the root user, aws iam list-access-keys --user-name [the_iam_user] the AccessKeyId is definitely what you expect it to be, and its status is Active ?

  • You were right on the money. After running aws iam list-attached-user-policies --user-name [the_iam_user], I noticed AdministratorAccess was not one of the policies attached to the IAM user. I was attaching the policies from a group, for some reason the user didn't inherit the permissions of the group. I added the policy directly to the IAM user and that resolved the issue. Thanks a lot for your help.

1

Run the following command to make sure you are the principle you think you are.

aws sts get-caller-identity

If that is correct, check to see if there is a bucket policy on the bucket that might be denying your request.

profile pictureAWS
전문가
kentrad
답변함 일 년 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠