S3 presigned url access Denied

0

Hi Team,

I have an app IAM user that has S3FullAccess permission

I used the access key and secret access key of my IAM app user to create an s3 resigned URL for getObject, when I copy the generated pre-signed URL on a browser I get an error message :

<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>HFDGssffscSDQ4DEF</RequestId>
<HostId>OXsT4/6tYWsdssyo0dxtFa7sdsdsThdFqsdsd4L+9CmiKP2tFyGsdsL8Pr0E0rkDgzHsddsMjdsdsdwc=</HostId>
</Error>

I'm not sure why I have access denied even though my user has the right permissions?

Default encryption (Enabled) = AWS Key Management Service key (SSE-KMS)

any ideas, Thanks

2 個答案
1
已接受的答案

I resolved this by adding those permissions about km key used to encrypt the files to my app-user :

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*"
            ],
            "Resource": "arn:aws:kms:ca-region:12457989948784:key/abcde1111-7b212154-xdxsddxzsdf545sz",
            "Effect": "Allow"
        }
    ]
}
Jess
已回答 2 年前
profile picture
專家
已審閱 2 個月前
  • I'm glad the problem is solved. Thanks for sharing.

1

Do you have an S3 bucket policy that denies access to the target files?
You need to allow s3:GetObject in your IAM policy or S3 bucket policy.

How do I troubleshoot 403 Access Denied errors from Amazon S3? https://aws.amazon.com/premiumsupport/knowledge-center/s3-troubleshoot-403/?nc1=h_ls

Limiting presigned URL capabilities https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-presigned-url.html#PresignedUrlUploadObject-LimitCapabilities

sugin
已回答 2 年前
  • the issue comes from the KMS key used to encrypt s3 objects: the key policy accepts only the root user as a principal, my app IAM user has all access rights to the KMS key. Should I also add him as principal on the key policy?

    because I'm able to upload and able to decrypt messages from SQS with no problem without modifying the key policy, not sure why doesn't work for pre-signedURL (access denied)?

    Thank you.

  • Thank you for your comment. As a test, I encrypted S3 with the following KMS policy in my environment.

    {
        "Id": "key-consolepolicy",
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::xxxxxxxxxxx:root"
                },
                "Action": "kms:*",
                "Resource": "*"
            }
        ]
    }
    

    I then issued a URL from CloudShell with the following command, and was able to access the file. (not root user)

    aws s3 presign s3://xxxxxxxxxxxxxx/testimage.png
    

    Protecting data using server-side encryption https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html

    if you share your objects using a presigned URL, that URL works the same way for both encrypted and unencrypted objects.

    Therefore, it does not seem to be a KMS policy issue. If possible, could you tell me what your S3 bucket policy is?

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南