Access Denied with S3 SDK

0

My user has been given permissions on all buckets and all objects in the bucket. I can also list all buckets and create objects inside buckets using my Web Management Console. I have created access keys for my account, but using them to perform any bucket action (list/get objects) results in Access Denied. AWS logs that I tried to use the access key x minutes ago for S3, but I get access denied for any bucket operation. Where do I look next to solve this? Thank you.

Using boto3==1.34.32.

Example errors:

ClientError: An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

ClientError: An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied

2 Answers
0

Hi,

You probably have an authentication / authorization issue when coming via SDK and boto3. It's well explained here: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html

I personally use the env vars AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY when working with Python SDK.

To see under which identity you currently run, just place a call to boto3 STS get_caller_identity()

Best,

Didier

AWS EXPERT
answered 2 months ago
  • I've re-tried using environment variables (was using credential file previously), but no luck. I can see that the user is as expected when doing get_caller_identity(). The access key, again, does log that it was last used a few minutes ago to access S3, but I received the same AccessDenied message when trying any action.

  • By the way, what kind of code are you trying to access? If there is no problem with the IAM authentication information, I think there may be a problem with the way the code is written.

  • Another thing to explore: is the IAM user corresponding to AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in active state from IAM perspective? See https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor-view-data.html to see when your user last came and if it is active (IAM may deactivate it after some time: I had it for myself recently).

0

Here is a way to troubleshoot the issue

  1. Install AWS CLI
  2. Run this command in your terminal or cmd:
     aws configure
  3. Enter your IAM user credentials and the default AWS region
  4. Test any of the s3 commands in the CLI, e.g.
     aws s3 ls

If the above command listed the buckets, there's no issue with IAM user permissions. It's an issue with the code or the package.

langesh
answered 2 months ago
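
Added example, not part of the thread and not AWS's own code: a boto3 script that combines the checks suggested in the answers above. It reports the credential source boto3 resolved, the identity returned by get_caller_identity(), and the error code returned by each S3 call. The function names and the optional bucket argument are assumptions made for illustration.

```python
# Added diagnostic sketch; probe(), error_code() and main() are illustrative names.

def error_code(exc):
    """Return the AWS error code carried by a botocore ClientError, else the exception type."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code", type(exc).__name__)


def probe(sts, s3, bucket=None):
    """Report who the credentials resolve to and which S3 calls that identity may make."""
    ident = sts.get_caller_identity()
    report = {"arn": ident["Arn"], "account": ident["Account"]}
    checks = {"ListBuckets": s3.list_buckets}
    if bucket:  # listing a bucket's objects is authorized separately from ListBuckets
        checks["ListObjectsV2"] = lambda: s3.list_objects_v2(Bucket=bucket, MaxKeys=1)
    for name, call in checks.items():
        try:
            call()
            report[name] = "OK"
        except Exception as exc:  # ClientError in practice; kept broad so stubs work too
            report[name] = error_code(exc)
    return report


def main(bucket=None):
    import boto3  # imported here so probe() can be exercised without AWS access

    session = boto3.Session()
    creds = session.get_credentials()
    if creds is None:
        print("credential source: none found")
        return
    # .method names the provider that won the lookup, e.g. "env" or "shared-credentials-file"
    print("credential source:", creds.method)
    print("access key id ends in:", creds.access_key[-4:])
    report = probe(session.client("sts"), session.client("s3"), bucket)
    for key, value in report.items():
        print(f"{key}: {value}")


if __name__ == "__main__":
    import sys
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it with a bucket name as the only argument. If the printed credential source or key suffix is not the one you expected, a different set of keys is being picked up than the one you configured.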
