Hi,
For performing upload to S3 bucket, you will need the resource "arn:aws:s3:::bucket-name/*". You need to specify both "arn:aws:s3:::bucket-name" and "arn:aws:s3:::bucket-name/*" in the resource section while granting the aforementioned S3 permissions.
Below are the resources that should be specified depending upon the type of S3 Actions:
[1] For the bucket-level operations (such as GetBucketLocation, ListBucket, ...) the resource ARN is "arn:aws:s3:::bucket-name".
[2] For the object-level operations (such as GetObject, GetObjectAcl, PutObject, ...) the resource ARN is "arn:aws:s3:::bucket-name/*".
Hope you find this helpful.
Thanks,
Helpful links:
[1] https://repost.aws/knowledge-center/s3-troubleshoot-403
[2] https://repost.aws/knowledge-center/s3-403-forbidden-error
Hello.
Please modify the IAM policy as below.
The "PutObject" action is an object-level restriction, so you need to add "arn:aws:s3:::bucket-name/*" to "Resource".
Also, since "ListAllMyBuckets" cannot be restricted by the "Resource" section, you need to split the statement as shown below and change the "Resource" section to "*".
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html
The IAM policy below is an example.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:PutObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::kobayashi-example/*",
                "arn:aws:s3:::kobayashi-example"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}
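The two answers above both come down to matching each S3 action to the right kind of Resource ARN (object, bucket, or account-wide "*"). The following is an added example, not code from either answer or from AWS: a small offline checker that reads an IAM policy document and reports Allow statements where the Resource does not fit the action's level. The action table is a hand-maintained assumption covering only the actions named in this thread, and the "broken" policy is constructed to reproduce the mistake being discussed.

```python
import json

# Hand-maintained table of the S3 actions named in the answers above; an
# assumption for illustration, not a complete list (the service authorization
# reference linked above is the authoritative source).
OBJECT_LEVEL = {"s3:PutObject", "s3:GetObject", "s3:GetObjectAcl"}
BUCKET_LEVEL = {"s3:ListBucket", "s3:GetBucketLocation"}
ACCOUNT_LEVEL = {"s3:ListAllMyBuckets"}
S3_ARN = "arn:aws:s3:::"


def _as_list(value):
    # IAM accepts a single string wherever a list is allowed.
    return value if isinstance(value, list) else [value]


def resource_mismatches(policy):
    """Return (action, problem) pairs for Allow statements whose Resource
    does not match the level (object / bucket / account) of the S3 action."""
    problems = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        resources = _as_list(stmt.get("Resource", []))
        star = "*" in resources
        # An object ARN has a "/" after the bucket name; a bucket ARN does not.
        object_arn = any(r.startswith(S3_ARN) and "/" in r[len(S3_ARN):] for r in resources)
        bucket_arn = any(r.startswith(S3_ARN) and "/" not in r[len(S3_ARN):] for r in resources)
        for action in _as_list(stmt["Action"]):
            if action in OBJECT_LEVEL and not (star or object_arn):
                problems.append((action, "needs arn:aws:s3:::bucket-name/*"))
            elif action in BUCKET_LEVEL and not (star or bucket_arn):
                problems.append((action, "needs arn:aws:s3:::bucket-name"))
            elif action in ACCOUNT_LEVEL and not star:
                problems.append((action, 'Resource must be "*"'))
    return problems


# Constructed policy reproducing the mistake discussed in this thread: every
# action is scoped to the bucket ARN only, so PutObject and ListAllMyBuckets
# do not match and the upload is denied.
BROKEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
    "Action": ["s3:PutObject", "s3:ListBucket", "s3:ListAllMyBuckets"],
    "Resource": "arn:aws:s3:::kobayashi-example"}]}""")

if __name__ == "__main__":
    for action, problem in resource_mismatches(BROKEN_POLICY):
        print(f"{action}: {problem}")
```

Running the checker on the corrected policy from the answer above returns no findings, which is a quick sanity check before attaching a policy to a user.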
Hi, follow the steps below to resolve the issue.
The issue: You're encountering an "access denied" error when trying to upload an object to your S3 bucket, even though your IAM user policy seems to have the necessary permissions (including s3:PutObject).
Check Bucket Policy:
- Go to the S3 console and navigate to your bucket.
- Click on the Permissions tab.
- Review the bucket policy for any explicit "Deny" statements that might be overriding your IAM user's permissions. Look for conditions that restrict access based on user or role.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html
The specific error message can provide valuable clues. When encountering the "access denied" error, note down the complete error message. It might contain details about the denied permission or resource.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/troubleshoot-403-errors.html