Unable to list s3 buckets using IAM user with AdministratorAccess and AmazonS3FullAccess

0

Hello Folks,

I created an IAM user as per best practice and granted this user the following policies:

  1. AdministratorAccess { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ] }
  2. AmazonS3FullAccess { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:*", "s3-object-lambda:*" ], "Resource": "*" } ] }

And configured the AWS CLI to use the Access keys for the IAM user. When trying to list all the buckets on the account using the IAM user, I am getting the following error: An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied

Don't understand why it's returning an AccessDenied error as the IAM user has the necessary permission to be able to run any action on any resource. Would appreciate some help/guidance on this. Thank you!

2 個答案
3
已接受的答案

There could be a mismatch somewhere, run aws configure list to show the actual credentials that you are using in the AWS CLI right now, and verify that the (partially obscured) access_key and secret_key are those that you expect to be using.

profile picture
專家
Steve_M
已回答 1 年前
profile picture
專家
已審閱 4 個月前
  • Thank you for your answer on this. I ran: aws configure list and the access_key and secret_key are what I'm expecting the CLI to use. When I run: aws s3 ls (using the root accounts' access key), the buckets are returned without an issue. Don't understand why I'm not able to do the same with the IAM User with admin permissions.

  • As the root user, aws iam list-attached-user-policies --user-name [the_iam_user] and confirm it's definitely got "PolicyName": "AdministratorAccess" and "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess".

    And also as the root user, aws iam list-access-keys --user-name [the_iam_user] the AccessKeyId is definitely what you expect it to be, and its status is Active ?

  • You were right on the money. After running aws iam list-attached-user-policies --user-name [the_iam_user], I noticed AdministratorAccess was not one of the policies attached to the IAM user. I was attaching the policies from a group, for some reason the user didn't inherit the permissions of the group. I added the policy directly to the IAM user and that resolved the issue. Thanks a lot for your help.

1

Run the following command to make sure you are the principle you think you are.

aws sts get-caller-identity

If that is correct, check to see if there is a bucket policy on the bucket that might be denying your request.

profile pictureAWS
專家
kentrad
已回答 1 年前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南