s3 no sign request didn't work


I use aws s3 --no-sign-request --region us-west-2 ls s3://aws-cloudtrail-logs-01-*******, An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied. but aws s3 ls working. why?

2 Answers

AWS has the ability to generate a policy based on CloudTrail logs, which you obviously are using. See the following documentation on how to use that. https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html Hope this helps.

(Should have posted this as an answer. Sorry.)

answered 3 years ago

Do you have the bucket configured for public read access? The --no-sign-request is doing just that, not using credentials to sign the request. This means that the bucket and/or its objects need to be configured to allow public access. There are a number of ways to do this as described in this AWS Support post How can I grant public read access to some objects in my Amazon S3 bucket?.

I must add that AWS strongly discourages making buckets public except in some specific use-cases such as setting permissions for website access.

For your example you would need to

  1. Disable block public access settings for your bucket.
  2. Add a bucket policy like:
      "Principal": "*",
      "Principal": "*",

Note that s3:ListBucket is the IAM permission needed to call the S3 API function ListObjectsV2

This will allow listing the contents of the bucket.

$ aws s3 ls s3://DOC-EXAMPLE-BUCKET

and reading all objects from the bucket:

$ aws s3 cp s3://DOC-EXAMPLE-BUCKET/someobject ./someobject
answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions