Hello.
What kind of error do you get when you try to upload specifically?
If your S3 is encrypted with a KMS key, you may find the troubleshooting methods in the documentation below useful.
In the case of an S3 bucket encrypted with KMS, you will need "kms:GenerateDataKey" and "kms:Decrypt" in the IAM policy of the IAM user.
https://repost.aws/knowledge-center/s3-access-denied-error-kms
upload failed: D:\test.txt to s3://backup/test2.txt An error occurred (AccessDenied) when calling the PutObject operation: User: arn:aws:iam:: is not authorized to perform: kms:GenerateDataKey on resource: arn:aws:kms:ap-south-1::key/ because no identity-based policy allows the kms:GenerateDataKey action
Thank you for sharing the error message. As stated in the error message, the "kms:GenerateDataKey" action is not allowed for IAM users, so please try attaching the following IAM policy to the IAM user.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "s3:PutObject"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "SamplePolicy"
    }
  ]
}
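The following is an added example, not part of the original answers: it parses the AccessDenied text shown in the thread and builds an identity policy scoped to the one KMS key and bucket instead of `"Resource": "*"`. The account ID, key ID, user name and `Sid` values are constructed placeholders, since the thread's ARNs are elided.

```python
import json
import re

# Shape of the IAM denial clause the AWS CLI prints on AccessDenied.
DENIED_RE = re.compile(
    r"User: (?P<principal>\S*) is not authorized to perform: "
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+) on resource: (?P<resource>\S+)"
)

# Constructed sample: same shape as the thread's error, placeholder IDs filled in.
SAMPLE_ERROR = (
    "An error occurred (AccessDenied) when calling the PutObject operation: "
    "User: arn:aws:iam::111122223333:user/example-user is not authorized to "
    "perform: kms:GenerateDataKey on resource: "
    "arn:aws:kms:ap-south-1:111122223333:key/00000000-0000-0000-0000-000000000000 "
    "because no identity-based policy allows the kms:GenerateDataKey action"
)

def parse_denial(message):
    """Return (principal, action, resource) from an AccessDenied message, or None."""
    m = DENIED_RE.search(message)
    if m is None:
        return None
    return m.group("principal"), m.group("action"), m.group("resource")

def scoped_policy(message, bucket):
    """Build an identity policy limited to the key named in the error and one bucket."""
    denial = parse_denial(message)
    if denial is None:
        raise ValueError("no 'not authorized to perform' clause found")
    _, action, resource = denial
    if not (action.startswith("kms:") and resource.startswith("arn:aws:kms:")):
        raise ValueError("denied action is not a KMS key permission: " + action)
    # kms:Decrypt is kept because the answer above lists it beside kms:GenerateDataKey.
    kms_actions = sorted({"kms:Decrypt", "kms:GenerateDataKey", action})
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "UseBucketKey", "Effect": "Allow",
             "Action": kms_actions, "Resource": resource},
            {"Sid": "PutBackupObjects", "Effect": "Allow",
             "Action": ["s3:PutObject"], "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }

if __name__ == "__main__":
    print(json.dumps(scoped_policy(SAMPLE_ERROR, "backup"), indent=2))
```
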
From the error you provided, your IAM user doesn't have rights to the kms:GenerateDataKey action.
You'll need to add rights to your IAM user to use the KMS API, and also check the key policy to confirm that you have rights to use that exact key.
Could you verify that you are providing the correct encryption parameters when uploading the file to the encrypted S3 bucket? If server-side encryption is enabled on the bucket, you may need to specify the appropriate encryption option (--sse, --sse-c, --sse-kms, etc.) when uploading the file.
Could you provide more details for a more structured answer? Which encryption are you using? SSE-S3? SSE-KMS? Which CLI command are you giving? What's the error you got? Are you specifying the encryption key in the put-object request? Does your user/role have access to KMS?
I am using this command: aws s3 cp test.txt s3://backup/