Help us improve the AWS re:Post Knowledge Center by sharing your feedback in a brief survey. Your input can influence how we create and update our content to better support your AWS journey.
AWS Datasync Location creation fails says: could not perform s3:GetObject in bucket, although FullS3Access is provided
Although giving Full-S3Access permission or using the one autogenerated, it keeps giving me this error.
Failed to create location
Request ID
61a9cfb1-6a00-4b6b-b9a6-d930f9166f87
Action
datasync:CreateLocationS3
Status code
400
API response
DataSync location access test failed: could not perform s3:GetObject in bucket staging-server-****-backend. Access denied. Ensure bucket access role has s3:GetObject permission.
Steps to reproduce:
1. Opened AWS Datasync
2. Create Location
3. Fill out as Location Type S3 (according to the screenshot attached)
4. Use Autogenerate S3 Role
5. ERROR
- Newest
- Most votes
- Most comments
Is the S3 bucket in the same AWS account as the IAM role? Is SSE-KMS or SSE-S3 chosen as the default encryption option for the bucket?
If SSE-KMS is used, the kms:Decrypt and kms:GenerateDataKey permissions to the corresponding KMS key ARN must be explicitly permitted for the IAM role accessing the bucket.
If the IAM role and the resources are in different accounts, then the IAM policies attached to the role and the resource-based policies of the target resources (like bucket policies for S3 and key policies or key grants for KMS) must both grant the permissions.
Relevant content
- asked 10 months ago
Thanks @Leo K. It made it work. I wonder why the auto-generated role didn't created this permissions for me :)