S3 Access Denied on Delete

0

We are trying to delete an object from S3 using the SDK and get a 403 error for DeleteObject. Below is the request URL: "https://s3-bucketname-1.amazonaws.com/user/mcir/6c81a0c9-5ade-4f8f-9ab5-8a0ed6032193/sonar_email_unsubscribe_before.png?x-id=DeleteObject". PutObject works properly and the role used has S3 full access. The S3 bucket has static website hosting enabled and we use CloudFront. We have also updated the S3 bucket policy with the role ARN to allow Delete.

1 answer
0

How are bucket ACLs and object ACLs configured?
Perhaps the following documents may be helpful in troubleshooting.
https://repost.aws/knowledge-center/s3-troubleshoot-403

Expert
answered a year ago
  • Bucket owner (your AWS account) Objects: List, Write | Bucket ACL: Bucket ACL

  • Other areas to check are that the bucket policy may not have been set properly or that S3 object locks may have been set and the deletion may have failed.

  • @Riku_Kobayashi object lock is disabled and below is the bucket policy:

    {
      "Version": "2008-10-17",
      "Id": "PolicyForCloudFrontPrivateContent",
      "Statement": [
        {
          "Sid": "AllowCloudFrontServicePrincipal",
          "Effect": "Allow",
          "Principal": {
            "Service": "cloudfront.amazonaws.com"
          },
          "Action": "s3:*",
          "Resource": "arn:aws:s3:::s3-bucket-name/*",
          "Condition": {
            "StringEquals": {
              "AWS:SourceArn": "arn:aws:cloudfront::123456789:distribution/E28ZKDUMCHA3V0"
            }
          }
        },
        {
          "Sid": "Statement1",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::123456789:role/test_s3_restricted_access"
          },
          "Action": [
            "s3:DeleteObjectVersion",
            "s3:DeleteObject"
          ],
          "Resource": [
            "arn:aws:s3:::s3-bucket-name/*",
            "arn:aws:s3:::s3-bucket-name"
          ]
        }
      ]
    }

  • When specifying an IAM role in Principal, you must also include the ARN of the assumed-role issued by STS, as shown below.

    "arn:aws:sts::AccountID:assumed-role/role_name/session_name"
    

    The ARN can be checked with the following command.

    aws sts get-caller-identity
    

    When running on EC2, the session ID is output as an instance ID as shown below. I would set this ARN in the bucket policy so that it can be removed from that EC2.

    "Arn": "arn:aws:sts::123456789:assumed-role/EC2DefaultRole/i-05xxxxxxxxxx"
    

    In other words, if you are deleting from EC2, the bucket policy would be as follows.

    {
      "Version": "2008-10-17",
      "Id": "PolicyForCloudFrontPrivateContent",
      "Statement": [
        {
          "Sid": "AllowCloudFrontServicePrincipal",
          "Effect": "Allow",
          "Principal": {
            "Service": "cloudfront.amazonaws.com"
          },
          "Action": "s3:*",
          "Resource": "arn:aws:s3:::s3-bucket-name/*",
          "Condition": {
            "StringEquals": {
              "AWS:SourceArn": "arn:aws:cloudfront::123456789:distribution/E28ZKDUMCHA3V0"
            }
          }
        },
        {
          "Sid": "Statement1",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:sts::123456789:assumed-role/EC2DefaultRole/i-05xxxxxxxxxx"
          },
          "Action": [
            "s3:DeleteObjectVersion",
            "s3:DeleteObject"
          ],
          "Resource": [
            "arn:aws:s3:::s3-bucket-name/*",
            "arn:aws:s3:::s3-bucket-name"
          ]
        }
      ]
    }
    
  • We are trying to delete it from the API. PutObject worked properly; the only issue we are facing is while deleting.

    We have uploaded the files successfully: https://s3-bucket-name.amazonaws.com/user/mcir/9764b377-5170-4483-98ba-9aa520bcfbc4/MicrosoftTeams-image%2813%29.png?x-id=PutObject

    https://s3-bucket-name.amazonaws.com/user/mcir/9764b377-5170-4483-98ba-9aa520bcfbc4/sonar_email_unsubscribe_before.png?x-id=PutObject

    https://s3-bucket-name.amazonaws.com/user/mcir/9764b377-5170-4483-98ba-9aa520bcfbc4/MicrosoftTeams-image%2816%29.png?x-id=PutObject

    but deleting gets Access Denied.

    Delete:

    Endpoint - https://s3-bucket-name.amazonaws.com/?delete=&x-id=DeleteObjects

    Method - POST

    Payload -

    <?xml version="1.0" encoding="UTF-8"?><Delete xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Object><Key>user/mcir/9764b377-5170-4483-98ba-9aa520bcfbc4/sonar_email_unsubscribe_before.png</Key></Object><Object><Key>user/mcir/9764b377-5170-4483-98ba-9aa520bcfbc4/MicrosoftTeams-image(16).png</Key></Object></Delete>

    Response -

    <?xml version="1.0" encoding="UTF-8"?>

    <DeleteResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Error><Key>user/mcir/9764b377-5170-4483-98ba-9aa520bcfbc4/sonar_email_unsubscribe_before.png</Key><Code>AccessDenied</Code><Message>Access Denied</Message></Error><Error><Key>user/mcir/9764b377-5170-4483-98ba-9aa520bcfbc4/MicrosoftTeams-image(16).png</Key></Object></Delete>
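Added example, not code from the thread or from AWS: an offline check, in Python with the standard library only, of which statement in the posted bucket policy grants a delete to the caller ARN that `aws sts get-caller-identity` prints. It accepts both principal forms discussed above (the IAM role ARN and the STS assumed-role ARN), since a role ARN principal covers that role's sessions, and it returns None when a statement's Resource lists only the bucket ARN without the `/*` object pattern, a common cause of exactly this AccessDenied. The caller ARN and object key are constructed; the policy itself is the one from the thread.

```python
import fnmatch
import re

# Bucket policy as posted in the thread, with the two '*' wildcards the page's markdown
# stripped restored; account and distribution IDs are the thread's own placeholders.
POLICY = {"Version": "2008-10-17", "Statement": [
    {"Sid": "AllowCloudFrontServicePrincipal", "Effect": "Allow",
     "Principal": {"Service": "cloudfront.amazonaws.com"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::s3-bucket-name/*",
     "Condition": {"StringEquals": {"AWS:SourceArn":
         "arn:aws:cloudfront::123456789:distribution/E28ZKDUMCHA3V0"}}},
    {"Sid": "Statement1", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789:role/test_s3_restricted_access"},
     "Action": ["s3:DeleteObjectVersion", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::s3-bucket-name/*", "arn:aws:s3:::s3-bucket-name"]}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_covers(principal, caller_arn):
    # A role ARN in Principal covers every session of that role, so a caller
    # arn:aws:sts::A:assumed-role/R/S matches its own ARN and arn:aws:iam::A:role/R.
    if principal == "*":
        return True
    m = re.fullmatch(r"arn:aws:sts::(\d+):assumed-role/([^/]+)/[^/]+", caller_arn)
    role_arn = f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}" if m else None
    return any(p in ("*", caller_arn, role_arn) for p in _as_list(principal.get("AWS", [])))

def granting_statement(policy, caller_arn, action, resource_arn):
    """Sid of the Allow statement granting `action` on `resource_arn` to `caller_arn`, or
    None. Simplified: an explicit Deny wins, statements with a Condition are skipped
    (conservative), and the role's own identity-based policies are not evaluated."""
    allow = None
    for st in policy["Statement"]:
        if "Condition" in st or not _principal_covers(st.get("Principal", {}), caller_arn):
            continue
        # Action matching is case-insensitive, Resource matching is not; both take '*' and '?'.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return None
        allow = allow or st.get("Sid", "<no Sid>")
    return allow

if __name__ == "__main__":
    # Caller ARN as `aws sts get-caller-identity` would print it on the EC2 instance (constructed).
    caller = "arn:aws:sts::123456789:assumed-role/test_s3_restricted_access/i-05xxxxxxxxxx"
    print(granting_statement(POLICY, caller, "s3:DeleteObject", "arn:aws:s3:::s3-bucket-name/user/mcir/x.png"))
```

Run it with the real bucket policy (`aws s3api get-bucket-policy`) and the real caller ARN to see which statement, if any, covers the failing key; a None result for `s3:DeleteObject` while the identity policy allows it points at the bucket policy's Principal or Resource.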
