To run aws s3 cp, you need to allow s3:GetObject and s3:PutObject for your IAM user. To run the command aws s3 cp with the --recursive option (if you are copying multiple objects at once), you need permission to s3:GetObject, s3:PutObject, and s3:ListBucket. To run the command aws s3 sync, you need permission to s3:GetObject, s3:PutObject, and s3:ListBucket. You may need additional permissions for copying versioned objects or for copying objects with tags. To copy a specific version of an object, you need the permission for s3:GetObjectVersion in addition to s3:GetObject. For copying objects that have object tags, your IAM identity must have s3:GetObjectTagging (on the source object) and s3:PutObjectTagging permissions (on the destination bucket).
Hi
You need additional permissions for sync:
https://aws.amazon.com/premiumsupport/knowledge-center/s3-access-denied-listobjects-sync/
When you run the aws s3 sync command, Amazon S3 issues the following API calls: ListObjectsV2, CopyObject, GetObject, and PutObject. Also, sync can delete objects as well, so you might need DeleteObject if you use the --delete option.
If I can help make the previous answers more accurate, there is a case in which s3:PutObject is not required, which is 'aws s3 cp -', which puts the content of the file onto the standard output, useful for piping the content to another tool, like pg_restore for restoring a database from a dump file.
The other permission that I get an error for and cannot find a trace of here is S3:HeadObject. I believe s3 cp peeks into s3 object meta-data, which requires this permission.
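
The permission sets listed in the answers above, as an added example (not written by any of the posters or by AWS): a Python helper that builds a scoped IAM policy for one cp or sync run, placing s3:ListBucket on the bucket ARN and the object actions on bucket/*. The function name, the bucket names and the arn:aws partition are assumptions, and list permission is granted on every bucket involved.

```python
import json


def s3_cli_policy(command, src_bucket=None, dst_bucket=None, *,
                  recursive=False, delete=False, version_id=False, tags=False):
    """Return an IAM policy document for one `aws s3 cp` / `aws s3 sync` run.

    A bucket argument left as None means that side is local (a file path,
    or `-` when the object is streamed to standard output).
    """
    if command not in ("cp", "sync"):
        raise ValueError("command must be 'cp' or 'sync'")
    if not (src_bucket or dst_bucket):
        raise ValueError("at least one side must be an S3 bucket")

    grants = {}  # resource ARN -> set of actions

    def allow(resource, *actions):
        grants.setdefault(resource, set()).update(actions)

    if src_bucket:  # object-level read actions on the source
        obj = f"arn:aws:s3:::{src_bucket}/*"  # assumes the standard partition
        allow(obj, "s3:GetObject")
        if version_id:
            allow(obj, "s3:GetObjectVersion")
        if tags:
            allow(obj, "s3:GetObjectTagging")
    if dst_bucket:  # object-level write actions on the destination
        obj = f"arn:aws:s3:::{dst_bucket}/*"
        allow(obj, "s3:PutObject")
        if tags:
            allow(obj, "s3:PutObjectTagging")
        if command == "sync" and delete:
            allow(obj, "s3:DeleteObject")
    if command == "sync" or recursive:
        # s3:ListBucket is a bucket-level action: it must target the bucket
        # ARN itself, not bucket/*, or listing is still denied.
        for bucket in (src_bucket, dst_bucket):
            if bucket:
                allow(f"arn:aws:s3:::{bucket}", "s3:ListBucket")

    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": sorted(acts), "Resource": res}
                          for res, acts in sorted(grants.items())]}


if __name__ == "__main__":
    # Constructed bucket names, for illustration only.
    print(json.dumps(s3_cli_policy("sync", "src-bkt", "dst-bkt", delete=True), indent=2))
```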