S3 Access Denied on Delete

0

We are trying to delete an object from S3 using the SDK and are getting a 403 error for DeleteObject. Below is the request URL: "https://s3-bucketname-1.amazonaws.com/user/mcir/6c81a0c9-5ade-4f8f-9ab5-8a0ed6032193/sonar_email_unsubscribe_before.png?x-id=DeleteObject". Also, PutObject works properly and the role used has S3 full access. The S3 bucket has static website hosting enabled and we are using CloudFront. We have also updated the S3 bucket policy with the role ARN to allow Delete.

1 Answer
0

How are bucket ACLs and object ACLs configured?
Perhaps the following documents may be helpful in troubleshooting.
https://repost.aws/knowledge-center/s3-troubleshoot-403

EXPERT
answered 10 months ago
  • Bucket owner (your AWS account) Objects: List, Write | Bucket ACL: Bucket ACL

  • Other areas to check are that the bucket policy may not have been set properly or that S3 object locks may have been set and the deletion may have failed.

  • @Riku_Kobayashi object lock is disabled, and below is the bucket policy:

    {
      "Version": "2008-10-17",
      "Id": "PolicyForCloudFrontPrivateContent",
      "Statement": [
        {
          "Sid": "AllowCloudFrontServicePrincipal",
          "Effect": "Allow",
          "Principal": {
            "Service": "cloudfront.amazonaws.com"
          },
          "Action": "s3:*",
          "Resource": "arn:aws:s3:::s3-bucket-name/*",
          "Condition": {
            "StringEquals": {
              "AWS:SourceArn": "arn:aws:cloudfront::123456789:distribution/E28ZKDUMCHA3V0"
            }
          }
        },
        {
          "Sid": "Statement1",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::123456789:role/test_s3_restricted_access"
          },
          "Action": [
            "s3:DeleteObjectVersion",
            "s3:DeleteObject"
          ],
          "Resource": [
            "arn:aws:s3:::s3-bucket-name/*",
            "arn:aws:s3:::s3-bucket-name"
          ]
        }
      ]
    }

  • When specifying an IAM role in Principal, you must also include the ARN of the assumed-role issued by STS, as shown below.

    "arn:aws:sts::AccountID:assumed-role/role_name/session_name"
    

    The ARN can be checked with the following command.

    aws sts get-caller-identity
    

    When running on EC2, the session ID is output as an instance ID as shown below. I would set this ARN in the bucket policy so that it can be removed from that EC2.

    "Arn": "arn:aws:sts::123456789:assumed-role/EC2DefaultRole/i-05xxxxxxxxxx"
    

    In other words, if you are deleting from EC2, the bucket policy would be as follows.

    {
      "Version": "2008-10-17",
      "Id": "PolicyForCloudFrontPrivateContent",
      "Statement": [
        {
          "Sid": "AllowCloudFrontServicePrincipal",
          "Effect": "Allow",
          "Principal": {
            "Service": "cloudfront.amazonaws.com"
          },
          "Action": "s3:*",
          "Resource": "arn:aws:s3:::s3-bucket-name/*",
          "Condition": {
            "StringEquals": {
              "AWS:SourceArn": "arn:aws:cloudfront::123456789:distribution/E28ZKDUMCHA3V0"
            }
          }
        },
        {
          "Sid": "Statement1",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:sts::123456789:assumed-role/EC2DefaultRole/i-05xxxxxxxxxx"
          },
          "Action": [
            "s3:DeleteObjectVersion",
            "s3:DeleteObject"
          ],
          "Resource": [
            "arn:aws:s3:::s3-bucket-name/*",
            "arn:aws:s3:::s3-bucket-name"
          ]
        }
      ]
    }
    
  • We are trying to delete it from the API, and PutObject worked properly; the only issue we are facing is while deleting.

    We have uploaded the files successfully: https://s3-bucket-name.amazonaws.com/user/mcir/9764b377-5170-4483-98ba-9aa520bcfbc4/MicrosoftTeams-image%2813%29.png?x-id=PutObject

    https://s3-bucket-name.amazonaws.com/user/mcir/9764b377-5170-4483-98ba-9aa520bcfbc4/sonar_email_unsubscribe_before.png?x-id=PutObject

    https://s3-bucket-name.amazonaws.com/user/mcir/9764b377-5170-4483-98ba-9aa520bcfbc4/MicrosoftTeams-image%2816%29.png?x-id=PutObject

    but deleting is getting Access Denied.

    Delete:

    Endpoint - https://s3-bucket-name.amazonaws.com/?delete=&x-id=DeleteObjects

    Method - POST

    Payload -

    <?xml version="1.0" encoding="UTF-8"?><Delete xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Object><Key>user/mcir/9764b377-5170-4483-98ba-9aa520bcfbc4/sonar_email_unsubscribe_before.png</Key></Object><Object><Key>user/mcir/9764b377-5170-4483-98ba-9aa520bcfbc4/MicrosoftTeams-image(16).png</Key></Object></Delete>

    Response -

    <?xml version="1.0" encoding="UTF-8"?>

    <DeleteResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Error><Key>user/mcir/9764b377-5170-4483-98ba-9aa520bcfbc4/sonar_email_unsubscribe_before.png</Key><Code>AccessDenied</Code><Message>Access Denied</Message></Error><Error><Key>user/mcir/9764b377-5170-4483-98ba-9aa520bcfbc4/MicrosoftTeams-image(16).png</Key></Object></Delete>
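As an added example (not from this thread, the asker's SDK or AWS), the Python below covers the two checks that come up above: reading a DeleteObjects response key by key, since the call returns HTTP 200 overall and reports AccessDenied per key inside the body, and checking which bucket-policy statements allow a given action for the identity reported by `aws sts get-caller-identity`, trying both the assumed-role session ARN and the plain IAM role ARN as the answer suggests. The sample response and policy are constructed (placeholder account id), and the check evaluates only the bucket policy, not IAM identity policies, SCPs or Block Public Access settings.

```python
import re
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Constructed DeleteObjects response: HTTP 200 overall, but one key carries an <Error>.
SAMPLE_DELETE_RESULT = """<?xml version="1.0" encoding="UTF-8"?>
<DeleteResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Deleted><Key>user/mcir/example/ok.png</Key></Deleted>
<Error><Key>user/mcir/example/denied.png</Key><Code>AccessDenied</Code>
<Message>Access Denied</Message></Error></DeleteResult>"""

# Constructed bucket policy modelled on the thread's Statement1 (placeholder account id).
SAMPLE_POLICY = {"Statement": [{"Sid": "Statement1", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/test_s3_restricted_access"},
    "Action": ["s3:DeleteObjectVersion", "s3:DeleteObject"],
    "Resource": ["arn:aws:s3:::s3-bucket-name/*", "arn:aws:s3:::s3-bucket-name"]}]}

def parse_delete_result(xml_text):
    """Map every key in a DeleteResult to 'Deleted' or to its error <Code>."""
    root = ET.fromstring(xml_text)
    outcome = {e.findtext(S3_NS + "Key"): "Deleted" for e in root.findall(S3_NS + "Deleted")}
    for e in root.findall(S3_NS + "Error"):
        outcome[e.findtext(S3_NS + "Key")] = e.findtext(S3_NS + "Code")
    return outcome

def role_arn_from_session(caller_arn):
    """arn:aws:sts::ACCT:assumed-role/ROLE/SESSION (get-caller-identity) -> IAM role ARN."""
    m = re.fullmatch(r"arn:aws:sts::(\d+):assumed-role/([^/]+)/.+", caller_arn)
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}" if m else caller_arn

def _match(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(v): return [v] if isinstance(v, str) else list(v)

def statements_allowing(policy, action, caller_arn, resource):
    """Sids of Allow statements naming the caller (session ARN, role ARN or '*') and covering action+resource."""
    callers = {caller_arn, role_arn_from_session(caller_arn), "*"}
    hits = []
    for st in policy["Statement"]:
        p = st.get("Principal", {})
        aws = set(_as_list(p.get("AWS", []) if isinstance(p, dict) else p))
        if st.get("Effect") == "Allow" and callers & aws \
                and any(_match(a, action, True) for a in _as_list(st["Action"])) \
                and any(_match(r, resource) for r in _as_list(st["Resource"])):
            hits.append(st.get("Sid"))
    return hits
```

Run it against the real response body and the real policy from the console to see, per key, whether the statement that should grant the delete actually names the identity that made the call.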
