I've also tried to suspend the versioning but still cannot download files.
Hello sa-dem,
Going through the scopedown policy associated, I don't seem to be able to find anything wrong with the policy. You have granted List permissions to your bucket provided the prefix matches the condition statement. Further, you have granted HomeDirectoryObject access for READ/WRITE/DELETE commands. I would say it is a pretty straightforward ScopeDown Policy.
Concerning the Access Denied error for downloads, could you confirm if there are no bucket policies on the S3 Bucket or any Explicit Deny conditions that might block READ or GetObject actions on the bucket?
Also, could you confirm if the IAM Role associated with the AWS Transfer user has sufficient permissions to access the bucket and the objects? If permissions are missing on the IAM Role, you would experience Access Denied from S3, as ScopeDown Policies do not grant permissions. Rather, they assist you to restrict a particular set of permissions. Therefore, permissions specified within a ScopeDown policy should be a subset of permissions present on the IAM Role.
Concerning READ operations, you would need GetObject, GetObjectVersion and GetObjectAcl on both the User's IAM Role and the ScopeDown Policy as your bucket has versioning enabled. Could you confirm if these permissions are present for the User? If not, could you update and test?
I look forward to your update. If you are still experiencing Access Denied errors, please private message me with the resource details and I would be happy to help out.
Thanks,
Sagar
You are totally right: on the transfer AWS role I only had the s3:*object permission.
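
The check described in this thread, as an added example that is not part of the original posts: it reports which of the read actions named in the answer are missing from the role policy and from the scope-down policy. Both policy documents, the bucket name and the function names are constructed for illustration; the matcher looks only at `Allow` statements and `Action` patterns and ignores `Resource`, `Condition`, `NotAction` and explicit `Deny`.

```python
from fnmatch import fnmatchcase

# Read actions the answer lists for downloads from a versioned bucket.
REQUIRED = ["s3:GetObject", "s3:GetObjectVersion", "s3:GetObjectAcl"]

# Constructed role policy, modelled on the wildcard mentioned in the last comment.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*object",
     "Resource": "arn:aws:s3:::example-bucket/*"}]}

# Constructed scope-down policy that already lists every read action.
SCOPE_DOWN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion",
                "s3:GetObjectAcl", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-bucket/home/*"}]}


def allowed_actions(policy):
    """Collect the Action patterns of every Allow statement in a policy document."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns += [actions] if isinstance(actions, str) else list(actions)
    return patterns


def matches(action, patterns):
    """IAM action names are case-insensitive; '*' and '?' act as wildcards."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_read_actions(role_policy, scope_down_policy):
    """Effective access is the intersection, so each side must allow every action."""
    role = allowed_actions(role_policy)
    scope = allowed_actions(scope_down_policy)
    return {
        "role": [a for a in REQUIRED if not matches(a, role)],
        "scope_down": [a for a in REQUIRED if not matches(a, scope)],
    }


if __name__ == "__main__":
    print(missing_read_actions(ROLE_POLICY, SCOPE_DOWN_POLICY))
```

The `s3:*object` pattern covers `s3:GetObject` but not `s3:GetObjectVersion` or `s3:GetObjectAcl`, because those names do not end in "Object"; the scope-down policy cannot make up the difference.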