How do you perform Get and Delete requests?
If you are using Lambda or EC2, make sure that the required IAM policies are set for the IAM roles.
It is also possible that the S3 bucket policy is causing the problem, so please make sure the settings are correct.
If the bucket policy has a deny section, the API execution will fail even if the IAM policy allows it.
Incidentally, the "s3:GetObject" action is required to perform S3 get objects.
By the way, would it be possible for you to share what policy you are using?
I am using the AWS SDK to perform Get and Delete requests on S3 buckets. Sure, I can show you my policy.
Where is the SDK running? Is it Lambda or EC2? In such cases, set the necessary policies for IAM roles, not IAM users.
Please attach the policy doc after redacting account, resource info, also confirm if there is any SCP/permission boundary attached to the role.
here's my policy: By the way, I checked the bucket policy section, there was an "Access" value
Hi, were you able to figure out if there is anything blocking at the permission boundary or SCP? Please post here if you are still facing the issue; happy to help.
Did you check permission boundary and service control policy attached? Let me know if you are still stuck, glad to help.
Hi,
Please check following to make sure you are not missing these things:
- If you are seeing access issues while getting the objects from S3 bucket then check following:
  - Is S3 bucket encrypted with SSE-KMS CMK? If:
    - Yes, then does IAM role have access to this KMS key? If:
      - Yes, does KMS key have any explicit deny policy? If:
        - No, you are good for KMS key part.
        - Yes, then add IAM role to allowed role list in KMS key policy.
      - No, add KMS key permissions in IAM role.
    - No, check if S3 bucket has explicit deny policy. If:
      - Yes, then add IAM role to allowed role list in bucket policy.
      - No, check if there is any SCP which is blocking you from accessing/deleting the bucket. If:
        - Yes, SCP may need to be revised.
        - No, you are good for bucket policy part as well.
- If you are only seeing access issues while listing all S3 buckets or deleting a bucket, then:
  - Check if there is any service control policy (SCP) attached to your AWS account and permission boundary attached to your role which is not letting you list buckets or delete the bucket.
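The two answers above both come down to the same evaluation rule: an explicit Deny in any layer (bucket policy, KMS key policy, SCP, permission boundary) beats an Allow in the IAM role, and an SCP or boundary that simply does not mention an action is an implicit deny. The following is an added example, not code from this thread or from AWS: a small offline model of that rule in Python, with constructed sample policies and ARNs, so the checklist can be walked through on a policy document before touching a live account. It deliberately ignores Principal and Condition elements and the cross-account and key-policy-delegation subtleties of real IAM evaluation; treat it as a reasoning aid, and use the IAM policy simulator for the authoritative answer.

```python
# Added example (not from the re:Post thread): a simplified, offline model of how
# AWS combines the policy layers named in the checklist above. All policies and
# ARNs below are constructed sample data, not real resources.
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt, action, resource):
    # IAM Action/Resource patterns use "*" and "?" wildcards (e.g. "s3:*").
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", "*"))
    return (any(fnmatchcase(action, a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def evaluate_policy(policy, action, resource):
    """Evaluate one policy document: an explicit Deny beats any Allow."""
    outcome = "Implicit"
    for stmt in _as_list(policy.get("Statement", [])):
        if not _statement_applies(stmt, action, resource):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
        if stmt.get("Effect") == "Allow":
            outcome = "Allow"
    return outcome


def is_allowed(action, resource, identity_policy, resource_policy=None,
               scp=None, permission_boundary=None):
    """Simplified same-account evaluation (Principal/Condition not modelled):
    1. an explicit Deny in any layer wins;
    2. an SCP or permission boundary, when present, must Allow (they never grant);
    3. then an Allow in the identity policy or the resource policy suffices.
    Returns (allowed, reason)."""
    layers = {"identity": identity_policy, "resource": resource_policy,
              "scp": scp, "permission_boundary": permission_boundary}
    results = {name: evaluate_policy(p, action, resource)
               for name, p in layers.items() if p is not None}
    for name, outcome in results.items():
        if outcome == "Deny":
            return False, f"explicit deny in {name} policy"
    for name in ("scp", "permission_boundary"):
        if name in results and results[name] != "Allow":
            return False, f"no allow in {name} (implicit deny)"
    if "Allow" in (results.get("identity"), results.get("resource")):
        return True, "allowed"
    return False, "no matching allow (implicit deny)"


def can_read_sse_kms_object(object_arn, key_arn, identity_policy, bucket_policy=None,
                            key_policy=None, scp=None, permission_boundary=None):
    """Reading an SSE-KMS object needs s3:GetObject on the object AND kms:Decrypt
    on the key; each is checked against its own resource policy."""
    ok, why = is_allowed("s3:GetObject", object_arn, identity_policy,
                         bucket_policy, scp, permission_boundary)
    if not ok:
        return False, "s3: " + why
    ok, why = is_allowed("kms:Decrypt", key_arn, identity_policy,
                         key_policy, scp, permission_boundary)
    if not ok:
        return False, "kms: " + why
    return True, "allowed"


# --- constructed sample policies (hypothetical bucket, key and account id) ---
OBJECT_ARN = "arn:aws:s3:::example-bucket/reports/q1.csv"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"

ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN},
]}
# Bucket policy with a Deny section: beats the role's Allow for deletes.
BUCKET_POLICY_DENY_DELETE = {"Statement": [
    {"Effect": "Deny", "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]}
# SCP that allows S3 but never mentions KMS: kms:Decrypt is implicitly denied.
SCP_S3_ONLY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    print(is_allowed("s3:GetObject", OBJECT_ARN, ROLE_POLICY))
    print(is_allowed("s3:DeleteObject", OBJECT_ARN, ROLE_POLICY, BUCKET_POLICY_DENY_DELETE))
    print(can_read_sse_kms_object(OBJECT_ARN, KEY_ARN, ROLE_POLICY, scp=SCP_S3_ONLY))
```

Running it shows the three situations the thread discusses: the plain GetObject succeeds on the role policy alone, the DeleteObject is stopped by the bucket policy's Deny even though the role allows it, and the SSE-KMS read fails not on S3 but on kms:Decrypt because the SCP never allows KMS. The reason string tells you which layer to fix, which is the point of the checklist.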
Were you able to find the issue based on the suggestions provided here? Please let us know if you are still facing the issue; if my answer helped you isolate the issue, please accept the answer. Thank you!