I resolved this by adding these permissions on the KMS key used to encrypt the files to my app-user:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*"
      ],
      "Resource": "arn:aws:kms:ca-region:12457989948784:key/abcde1111-7b212154-xdxsddxzsdf545sz",
      "Effect": "Allow"
    }
  ]
}
```
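An added example, not code from this thread: a small offline checker that walks an IAM identity policy document the way IAM evaluates it (Action and Resource wildcards, explicit Deny beating Allow) and reports which of the KMS actions an SSE-KMS object read or write needs are still missing for a given key ARN. The two policies and the key ARN are constructed placeholders.

```python
"""Offline check of an IAM policy for the KMS actions SSE-KMS access needs.

kms:Decrypt is what a GET of an SSE-KMS object requires, and kms:GenerateDataKey
what a PUT requires; the signer of a presigned URL must hold them on the key.
Only statements with Action/Resource are handled (NotAction etc. are ignored)."""
import fnmatch

REQUIRED_KMS_ACTIONS = ("kms:Decrypt", "kms:GenerateDataKey")

# Constructed placeholder key ARN (not a real account or key id).
KEY_ARN = "arn:aws:kms:ca-central-1:111111111111:key/00000000-0000-0000-0000-000000000000"

# Constructed "before": object access only, no KMS grant -> presigned GET gets 403.
POLICY_BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"}]}

# Constructed "after": the KMS statement from the answer above, added to the same policy.
POLICY_AFTER = {"Version": "2012-10-17", "Statement": POLICY_BEFORE["Statement"] + [
    {"Effect": "Allow",
     "Action": ["kms:Decrypt", "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*"],
     "Resource": KEY_ARN}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM action/resource patterns use * and ? wildcards; actions match case-insensitively.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def allowed_actions(policy, resource_arn, actions=REQUIRED_KMS_ACTIONS):
    """Map each action to True/False for resource_arn; an explicit Deny wins over Allow."""
    result = {}
    for action in actions:
        allow = deny = False
        for stmt in _as_list(policy.get("Statement", [])):
            if "Action" not in stmt or "Resource" not in stmt:
                continue
            if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource_arn):
                allow = allow or stmt.get("Effect") == "Allow"
                deny = deny or stmt.get("Effect") == "Deny"
        result[action] = allow and not deny
    return result


def missing_actions(policy, resource_arn):
    """List the required KMS actions the policy does not grant on resource_arn."""
    return [a for a, ok in allowed_actions(policy, resource_arn).items() if not ok]
```

Run `missing_actions(POLICY_BEFORE, KEY_ARN)` against the policy of the identity that signs the URL before generating it; an empty list means the 403 is not coming from a missing KMS grant in that policy.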
Do you have an S3 bucket policy that denies access to the target files?
You need to allow s3:GetObject in your IAM policy or S3 bucket policy.
How do I troubleshoot 403 Access Denied errors from Amazon S3? https://aws.amazon.com/premiumsupport/knowledge-center/s3-troubleshoot-403/?nc1=h_ls
Limiting presigned URL capabilities https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-presigned-url.html#PresignedUrlUploadObject-LimitCapabilities
The issue comes from the KMS key used to encrypt S3 objects: the key policy accepts only the root user as a principal, while my app IAM user has all access rights to the KMS key. Should I also add him as a principal on the key policy?
Because I'm able to upload and able to decrypt messages from SQS with no problem without modifying the key policy, I'm not sure why it doesn't work for the pre-signed URL (access denied)?
Thank you.
Thank you for your comment. As a test, I encrypted S3 with the following KMS policy in my environment.
```json
{
  "Id": "key-consolepolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::xxxxxxxxxxx:root" },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
```
I then issued a URL from CloudShell with the following command, and was able to access the file (not as the root user):
```
aws s3 presign s3://xxxxxxxxxxxxxx/testimage.png
```
Protecting data using server-side encryption https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html
> if you share your objects using a presigned URL, that URL works the same way for both encrypted and unencrypted objects.
Therefore, it does not seem to be a KMS policy issue. If possible, could you tell me what your S3 bucket policy is?
I'm glad the problem is solved. Thanks for sharing.