- Newest
- Most votes
- Most comments
AWS has the ability to generate a policy based on CloudTrail logs, which you obviously are using. See the following documentation on how to use that. https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html Hope this helps.
(Should have posted this as an answer. Sorry.)
Do you have the bucket configured for public read access? The --no-sign-request is doing just that, not using credentials to sign the request. This means that the bucket and/or its objects need to be configured to allow public access. There are a number of ways to do this as described in this AWS Support post How can I grant public read access to some objects in my Amazon S3 bucket?.
I must add that AWS strongly discourages making buckets public except in some specific use-cases such as setting permissions for website access.
For your example you would need to
- Disable block public access settings for your bucket.
- Add a bucket policy like:
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"PublicObjectRead",
"Effect":"Allow",
"Principal": "*",
"Action":["s3:GetObject","s3:GetObjectVersion"],
"Resource":["arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"]
},
{
"Sid":"PublicBucketList",
"Effect":"Allow",
"Principal": "*",
"Action":["s3:ListBucket"],
"Resource":["arn:aws:s3:::DOC-EXAMPLE-BUCKET"]
}
]
}
Note that s3:ListBucket is the IAM permission needed to call the S3 API function ListObjectsV2
This will allow listing the contents of the bucket.
$ aws s3 ls s3://DOC-EXAMPLE-BUCKET
and reading all objects from the bucket:
$ aws s3 cp s3://DOC-EXAMPLE-BUCKET/someobject ./someobject
Relevant content
- AWS OFFICIALUpdated a month ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago