How are bucket ACLs and object ACLs configured?
Perhaps the following documents may be helpful in troubleshooting.
https://repost.aws/knowledge-center/s3-troubleshoot-403
Bucket owner (your AWS account) Objects: List, Write | Bucket ACL: Bucket ACL
Other areas to check are that the bucket policy may not have been set properly or that S3 object locks may have been set and the deletion may have failed.
@Riku_Kobayashi object lock is disabled, and below is the bucket policy:

```json
{
  "Version": "2008-10-17",
  "Id": "PolicyForCloudFrontPrivateContent",
  "Statement": [
    {
      "Sid": "AllowCloudFrontServicePrincipal",
      "Effect": "Allow",
      "Principal": { "Service": "cloudfront.amazonaws.com" },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::s3-bucket-name/*",
      "Condition": {
        "StringEquals": {
          "AWS:SourceArn": "arn:aws:cloudfront::123456789:distribution/E28ZKDUMCHA3V0"
        }
      }
    },
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789:role/test_s3_restricted_access" },
      "Action": [ "s3:DeleteObjectVersion", "s3:DeleteObject" ],
      "Resource": [ "arn:aws:s3:::s3-bucket-name/*", "arn:aws:s3:::s3-bucket-name" ]
    }
  ]
}
```
When specifying an IAM role in Principal, you must also include the ARN of the assumed-role issued by STS, as shown below.
The ARN can be checked with the following command.
When running on EC2, the session ID is output as an instance ID as shown below. I would set this ARN in the bucket policy so that it can be removed from that EC2.
In other words, if you are deleting from EC2, the bucket policy would be as follows.
We are trying to delete it from the API. PutObject worked properly; the only issue is that we are facing the error while deleting.
We have uploaded the file successfully https://s3-bucket-name.amazonaws.com/user/mcir/9764b377-5170-4483-98ba-9aa520bcfbc4/MicrosoftTeams-image%2813%29.png?x-id=PutObject
https://s3-bucket-name.amazonaws.com/user/mcir/9764b377-5170-4483-98ba-9aa520bcfbc4/sonar_email_unsubscribe_before.png?x-id=PutObject
https://s3-bucket-name.amazonaws.com/user/mcir/9764b377-5170-4483-98ba-9aa520bcfbc4/MicrosoftTeams-image%2816%29.png?x-id=PutObject
but deleting is getting access Denied
Delete:
Endpoint - https://s3-bucket-name.amazonaws.com/?delete=&x-id=DeleteObjects
Method - POST
Payload -
```xml
<?xml version="1.0" encoding="UTF-8"?><Delete xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Object><Key>user/mcir/9764b377-5170-4483-98ba-9aa520bcfbc4/sonar_email_unsubscribe_before.png</Key></Object><Object><Key>user/mcir/9764b377-5170-4483-98ba-9aa520bcfbc4/MicrosoftTeams-image(16).png</Key></Object></Delete>
```

Response -

```xml
<?xml version="1.0" encoding="UTF-8"?><DeleteResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Error><Key>user/mcir/9764b377-5170-4483-98ba-9aa520bcfbc4/sonar_email_unsubscribe_before.png</Key><Code>AccessDenied</Code><Message>Access Denied</Message></Error><Error><Key>user/mcir/9764b377-5170-4483-98ba-9aa520bcfbc4/MicrosoftTeams-image(16).png</Key></Object></Delete>
```
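As an added example (not code from this thread, from AWS, or from either participant), the Python script below does two offline checks that bear on the exchange above. First, it evaluates a bucket policy locally to see whether a caller, given either as the IAM role ARN or as the STS assumed-role session ARN that @Riku_Kobayashi refers to, is granted `s3:DeleteObject` on a specific object ARN. Second, it parses a `DeleteObjects` response and lists the keys that came back with an `<Error>` such as `AccessDenied`, since that call returns HTTP 200 even when individual keys fail. The policy, account id, role name, session name and object keys are constructed placeholders, and the evaluator deliberately ignores `Condition` blocks, the caller's identity policy, SCPs and object ACLs, so a pass only means the bucket policy itself is not the reason for the denial.

```python
"""Offline checks for an S3 DeleteObjects AccessDenied investigation."""
import fnmatch
import re
import xml.etree.ElementTree as ET

# Constructed bucket policy modelled on the one in the thread. The account id,
# role name and bucket name are placeholders, not values from any real account.
BUCKET = "s3-bucket-name"
ACCOUNT = "111122223333"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/test_s3_restricted_access"

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        },
        {
            "Sid": "AllowRoleDelete",
            "Effect": "Allow",
            "Principal": {"AWS": ROLE_ARN},
            "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
            "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"],
        },
    ],
}

STS_SESSION = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")


def normalize_principal(arn):
    """Map an STS assumed-role session ARN to the IAM role it was assumed from.

    A role ARN listed in Principal covers that role's sessions, so a caller seen
    as arn:aws:sts::ACCT:assumed-role/ROLE/SESSION (on EC2 the session is the
    instance id) is compared against arn:aws:iam::ACCT:role/ROLE.
    """
    m = STS_SESSION.match(arn)
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}" if m else arn


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, caller_arn):
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    caller = normalize_principal(caller_arn)
    return any(p == "*" or normalize_principal(p) == caller for p in aws)


def _action_matches(stmt, action):
    # IAM action names are case-insensitive and accept * wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), a.lower())
               for a in _as_list(stmt.get("Action", [])))


def _resource_matches(stmt, resource):
    return any(fnmatch.fnmatchcase(resource, r)
               for r in _as_list(stmt.get("Resource", [])))


def policy_allows(policy, caller_arn, action, resource):
    """Local approximation of resource-policy evaluation.

    A matching Deny wins outright; otherwise any matching Allow grants. Condition
    blocks, identity policies, SCPs and ACLs are not modelled, so True here only
    rules out the bucket policy as the cause of an AccessDenied.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not (_principal_matches(stmt, caller_arn)
                and _action_matches(stmt, action)
                and _resource_matches(stmt, resource)):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def failed_deletes(delete_result_xml):
    """Return {key: error_code} for every <Error> in a DeleteObjects response.

    DeleteObjects is per-key: successes appear under <Deleted>, failures under
    <Error>, and the HTTP status is 200 either way.
    """
    ns = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}
    root = ET.fromstring(delete_result_xml)
    return {e.findtext("s3:Key", namespaces=ns): e.findtext("s3:Code", namespaces=ns)
            for e in root.findall("s3:Error", ns)}


# Constructed sample response in the shape S3 returns; keys are illustrative.
SAMPLE_RESULT = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<DeleteResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
    '<Deleted><Key>user/mcir/ok.png</Key></Deleted>'
    '<Error><Key>user/mcir/denied.png</Key><Code>AccessDenied</Code>'
    '<Message>Access Denied</Message></Error>'
    '</DeleteResult>'
)

if __name__ == "__main__":
    session = f"arn:aws:sts::{ACCOUNT}:assumed-role/test_s3_restricted_access/i-0abc123"
    obj = f"arn:aws:s3:::{BUCKET}/user/mcir/denied.png"
    print("bucket policy allows DeleteObject for session:",
          policy_allows(BUCKET_POLICY, session, "s3:DeleteObject", obj))
    print("keys that failed to delete:", failed_deletes(SAMPLE_RESULT))
```

If `policy_allows` returns True for the real policy, caller and object ARN, the denial is coming from somewhere the script does not see: the role's identity policy (which must also grant `s3:DeleteObject`), an SCP, a `Condition` in the bucket policy, or object ownership and ACLs on the objects themselves, which is what the re:Post 403 troubleshooting article linked in the answer walks through.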