S3 Batch Operation fails with error "Anonymous users cannot copy objects. Please authenticate"

0

I have an IAM role with full access to my S3, given the permission

"s3:*"

I am trying to use the S3 batch operation to copy some files from my buckets back to them while adding encryption to the files. So first I added the batch operations trust relationship below to my IAM role in order to run my batch operation jobs, and triggered some jobs for different buckets.

{
    "Effect": "Allow",
    "Principal": {
        "Service": "batchoperations.s3.amazonaws.com"
    },
    "Action": "sts:AssumeRole"
}

To my surprise, although I had no issues with most of my buckets, for a few buckets the batch operation failed. When I checked the report containing the error, I got this for the objects that could not be copied:

Anonymous users cannot copy objects.  Please authenticate. (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied

Here are some additional details about my setup:

  • All buckets have ACLs disabled.
  • All public access is blocked.
  • The IAM role is used to trigger the batch operation jobs and it works for some buckets but not for others.
  • Please accept the answer if it was helpful.
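
The trust statement from the question, placed in a complete policy document and checked offline, as an added example that is not part of the original post. The names `check_trust_policy` and `QUESTION_TRUST_POLICY` are constructed for illustration, and the check is a simplification: `Condition` blocks are flagged but not evaluated, and `NotPrincipal`/`NotAction` are not modelled.

```python
import fnmatch

BATCH_OPS = "batchoperations.s3.amazonaws.com"  # service principal from the question

# Constructed sample: the question's statement wrapped in a full trust policy document.
QUESTION_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": BATCH_OPS},
        "Action": "sts:AssumeRole",
    }],
}

def _as_list(value):
    """IAM lets Statement, Action and Principal values be a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(stmt, service, action):
    """True when the statement names the service principal and covers the action."""
    principal = stmt.get("Principal", {})
    principal_ok = principal == "*" or (
        isinstance(principal, dict) and service in _as_list(principal.get("Service")))
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    action_ok = any(fnmatch.fnmatchcase(action.lower(), str(p).lower())
                    for p in _as_list(stmt.get("Action")))
    return principal_ok and action_ok

def check_trust_policy(policy, service=BATCH_OPS, action="sts:AssumeRole"):
    """Return 'denied', 'missing', 'conditional' or 'allowed' for the service principal."""
    hits = [s for s in _as_list(policy.get("Statement")) if _matches(s, service, action)]
    if any(s.get("Effect") == "Deny" for s in hits):
        return "denied"        # explicit Deny wins (its Condition is not evaluated here)
    allows = [s for s in hits if s.get("Effect") == "Allow"]
    if not allows:
        return "missing"       # the service cannot assume the role at all
    if all("Condition" in s for s in allows):
        return "conditional"   # allowed only when the Condition holds; review by hand
    return "allowed"

if __name__ == "__main__":
    print(check_trust_policy(QUESTION_TRUST_POLICY))
```

This covers only the role's trust relationship; bucket policies, key policies and organization-level policies are evaluated separately by AWS.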

1 Answer
0

If you are adding encryption to the files, ensure that the IAM role has the necessary permissions to use the encryption key. If you are using a Customer Managed Key (CMK) in KMS, you need to grant the role permissions to use the key:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:role/YOUR_IAM_ROLE"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "arn:aws:kms:REGION:YOUR_ACCOUNT_ID:key/YOUR_KMS_KEY_ID"
        }
    ]
}
EXPERT
answered 2 years ago
  • I am only adding AES-256 encryption, therefore I believe there is no need to add any extra permissions, since it did work for some buckets but not for others.

  • Access to some buckets can be limited somewhere higher, for example by a Service Control Policy at the organizational level.