Help us improve the AWS re:Post Knowledge Center by sharing your feedback in a brief survey. Your input can influence how we create and update our content to better support your AWS journey.
S3 bucket Question
I was requested access to S3 bucket by SP , but when I tried to access thru my dev I got below error team confirmed that they provide access using SP but I got error , can I anyone help
dev-dsk-mohezz-1b-a9071b49 % brazil-runtime-exec python EC2_UDHCP.py
Traceback (most recent call last):
File "EC2_UDHCP.py", line 13, in <module>
download_file_from_s3(s3_download_conn, "udhcp-backups-prod-iad", "DHCP_DATA_HOST_IAD7_BACKUP/2024-04-19-00-08-29/")
File "/local/home/mohezz/workspace/DCN_CodeRepository/env/DCN_CodeRepository-1.0/runtime/lib/python3.8/site-packages/dcn_code_repository/helpers/s3_helpers.py", line 94, in download_file_from_s3
bucket = s3_download_conn.get_bucket(bucket_name)
File "/local/home/mohezz/workspace/DCN_CodeRepository/env/DCN_CodeRepository-1.0/runtime/lib/python3.8/site-packages/boto/s3/connection.py", line 509, in get_bucket
return self.head_bucket(bucket_name, headers=headers)
File "/local/home/mohezz/workspace/DCN_CodeRepository/env/DCN_CodeRepository-1.0/runtime/lib/python3.8/site-packages/boto/s3/connection.py", line 542, in head_bucket
raise err
boto.exception.S3ResponseError: S3ResponseError: 403 Forbidden
- Topics
- Storage
- Language
- English
- Newest
- Most votes
- Most comments
Hello.
Could you also share the code contents of "EC2_UDHCP.py"?
Looking at the error message alone, I'm guessing that you're probably trying to download a file from an S3 bucket.
Since you are getting a 403 error, please check whether the IAM user has an IAM policy to access the S3 bucket or object specified in the code.
Also, if the S3 bucket name or object path is incorrect, a 403 error will occur, so please check that the S3 bucket name and object path are also correct.
many thanks , below is code I used as you assumed just to download file from S3 from Ec2 team below is all details
from dcn_code_repository.helpers.s3_helpers import init_s3_connections, download_file_from_s3, write_results_to_localfile
if __name__ == '__main__':
(s3_upload_conn, s3_download_conn) = init_s3_connections()
download_file_from_s3(s3_download_conn, "udhcp-backups-prod-iad", "DHCP_DATA_HOST_IAD7_BACKUP/2024-04-19-00-08-29/")
------
I informed that permission has granted we can open S3 access. by editing lpt to add an role with trust relation like { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "oakridge.ec2.aws.internal" }, "Action": "sts:AssumeRole" } ]
but still I got issue , this file name " s3://udhcp-backups-prod-iad/DHCP_DATA_HOST_IAD7_BACKUP/2024-04-19-00-08-29/"
D128835573/
The 403 Forbidden error usually means your request reached the S3 bucket, but you’re not authorized to access it — even if the team says permissions were granted via Service Principal (SP). Here's what to double-check:
Things to Verify: Correct AWS Credentials
Make sure your AWS credentials (access key/secret key or IAM role) are the same identity the SP policy was granted to.
Region Mismatch
If your client is set to a different region than the bucket, access may fail silently with a 403. Double-check the region config.
Bucket Policy or ACL Restriction
The bucket may have a restrictive policy (e.g. "Deny" for unknown users or IPs) even if you have IAM permissions.
Check SP Permissions in IAM
Have the team confirm that the SP granted at least s3:ListBucket and s3:GetObject on the bucket and object prefix.
Legacy SDK (boto)
It looks like you're using the older boto library. If possible, try switching to boto3, which is more up-to-date and handles permissions better.
Suggestion: Ask the team to verify:
Which principal/role the SP access was granted to
Whether it includes both bucket-level (s3:ListBucket) and object-level (s3:GetObject) permissions
That there are no "Deny" policies attached to the bucket or org SCPs (Service Control Policies) blocking access
Let me know if you want help upgrading to boto3 or validating your IAM role from the CLI!
Relevant content
- asked a year ago
