Cannot list buckets by users other than root user

0

Initially, I didn't know the best practice of not creating an IAM user. As such, I created an access key for the root user and created S3 buckets as the root user, and everything worked fine. Later on, as suggested by best practices, I created an IAM user and attached both policies to it: AdministratorAccess and AmazonS3FullAccess. However, I am unable to list the buckets as the newly created user (say admin). With root I have no problem listing buckets or doing any other action. I ran the following command to list the policies attached to the admin user:

aws iam list-attached-user-policies --user-name admin --profile root

Output

{
    "AttachedPolicies": [
        {
            "PolicyName": "AdministratorAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"
        },
        {
            "PolicyName": "AmazonS3FullAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"
        },
        {
            "PolicyName": "AWSLambda_FullAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/AWSLambda_FullAccess"
        }
    ]
}

1 Answer
0

Hi Saurav,

When accessing objects in Amazon S3 there are two possible policies that can affect the outcome:

  1. IAM User/Role Access Policies. It seems your admin user has enough permissions from what you attached.
  2. Amazon S3 Bucket Policies. The bucket can allow or block permissions. If the IAM User has permissions to access the bucket, but the bucket policy has an explicit deny, then the overall action is to DENY that access. In your case I would check the Amazon S3 Bucket policies in order to see if it has a policy blocking its use.

Hope this helps!

AWS
answered 7 months ago
  • I have added the bucket policy like so and am still unable to list the buckets. But do I need a bucket policy even to list all the buckets?

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AddPerm",
                "Effect": "Allow",
                "Principal": "*",
                "Action": [
                    "s3:GetObject",
                    "s3:PutObject"
                ],
                "Resource": "arn:aws:s3:::********/*"
            },
            {
                "Sid": "statement2",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::22026****:user/admin"
                },
                "Action": "s3:*",
                "Resource": "arn:aws:s3:::abcdxxxxx/*"
            },
            {
                "Sid": "statement1",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::22026******:user/admin"
                },
                "Action": "s3:*",
                "Resource": "arn:aws:s3:::abcdxxxxxxxx"
            }
        ]
    }

  • If there isn't an explicit DENY on the policy, then it shouldn't be a problem. What is the error you are actually getting? The easiest route may be to hire AWS Support Developer for a month (10 USD) and ask the question to our support team. The most likely source of problems would be the IAM Policy you are using, although it seems okay from what you have shared so far. There are more unlikely sources for the problem (IAM Boundaries, Organization SCPs or others), but I think it's something less obscure than that. Maybe you are not logging in to the correct IAM User or some other problem. Sharing the specific error would help troubleshoot.
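The answer describes two policy sources (identity policies on the IAM user and the S3 bucket policy) combined under the rule that an explicit Deny anywhere wins, and the first comment asks whether a bucket policy is needed to list all buckets. The following added example, written for this page and not code from AWS or from the thread, is a small evaluator that models exactly that rule for a single same-account request and runs it against the shape of the policies posted above. It assumes no permissions boundaries, SCPs or condition keys, and wildcards only as `*`/`?` in Action, Resource and Principal; the account id, bucket name and object key are constructed placeholders. It also shows why a bucket policy cannot help with `s3:ListAllMyBuckets`: that action is evaluated against the account-level resource `arn:aws:s3:::*`, which no bucket-scoped statement matches, so only the identity policy decides it.

```python
"""Simplified IAM + S3 bucket policy evaluator (illustration only, not AWS's code).

Rule modelled: explicit Deny in any applicable policy wins; otherwise an Allow
from either the identity policy or the bucket policy (same-account principal)
grants access; otherwise the request is implicitly denied.
"""
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"      # constructed placeholder account id
ADMIN_ARN = f"arn:aws:iam::{ACCOUNT}:user/admin"
BUCKET = "example-bucket"     # constructed placeholder bucket name

# AWS managed AdministratorAccess is documented as Allow Action "*" on Resource "*".
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Same shape as the bucket policy in the comments above, with placeholders substituted.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "statement1", "Effect": "Allow", "Principal": {"AWS": ADMIN_ARN},
         "Action": "s3:*", "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Sid": "statement2", "Effect": "Allow", "Principal": {"AWS": ADMIN_ARN},
         "Action": "s3:*", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ],
}

# Hypothetical bucket policy carrying an explicit Deny, to show it overrides
# AdministratorAccess (not a policy from the thread).
DENY_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyAdminReads", "Effect": "Deny", "Principal": {"AWS": ADMIN_ARN},
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value):
    """Case-sensitive glob match for Action/Resource, as IAM does for '*' and '?'."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(stmt, principal_arn):
    """Identity policies carry no Principal element; bucket policies must name one."""
    if "Principal" not in stmt:
        return True
    p = stmt["Principal"]
    if p == "*":
        return True
    if isinstance(p, dict):
        aws = _as_list(p.get("AWS", []))
        return "*" in aws or principal_arn in aws
    return False


def evaluate(identity_policies, bucket_policy, principal_arn, action, resource):
    """Return 'Allow' or 'Deny' for one request; an explicit Deny takes precedence."""
    policies = list(identity_policies) + ([bucket_policy] if bucket_policy else [])
    explicit_deny, allowed = False, False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _principal_matches(stmt, principal_arn):
                continue
            if not _matches(stmt.get("Action", []), action):
                continue
            if not _matches(stmt.get("Resource", []), resource):
                continue
            if stmt["Effect"] == "Deny":
                explicit_deny = True
            elif stmt["Effect"] == "Allow":
                allowed = True
    if explicit_deny:
        return "Deny"
    return "Allow" if allowed else "Deny"


def list_buckets_decision(identity_policies, bucket_policy):
    """s3:ListAllMyBuckets is evaluated against arn:aws:s3:::*, not a bucket ARN,
    so bucket-scoped statements never match it and only identity policies count."""
    return evaluate(identity_policies, bucket_policy, ADMIN_ARN,
                    "s3:ListAllMyBuckets", "arn:aws:s3:::*")


def get_object_decision(identity_policies, bucket_policy, key="file.txt"):
    """Object-level read, where both policy sources apply."""
    return evaluate(identity_policies, bucket_policy, ADMIN_ARN,
                    "s3:GetObject", f"arn:aws:s3:::{BUCKET}/{key}")


if __name__ == "__main__":
    print("ListAllMyBuckets, AdministratorAccess + bucket policy:",
          list_buckets_decision([ADMINISTRATOR_ACCESS], BUCKET_POLICY))
    print("ListAllMyBuckets, bucket policy only:",
          list_buckets_decision([], BUCKET_POLICY))
    print("GetObject, AdministratorAccess + explicit Deny in bucket policy:",
          get_object_decision([ADMINISTRATOR_ACCESS], DENY_BUCKET_POLICY))
```

Run as a script it prints Allow, Deny, Deny: with AdministratorAccess attached, listing buckets is allowed regardless of any bucket policy, so when the real call fails the thing to verify first is which credentials the CLI is actually sending (for example by checking the caller identity with `aws sts get-caller-identity --profile <profile>` before calling `aws s3api list-buckets`), as the second comment suggests.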
