Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: xxxxxxxxxxxxx)

I am trying to access my s3 bucket using a application deployed on my tomcat running on ec2.

I could see lots of posts related to this, but look like most of them complaint about not having proper access. I have proper access to all buckets, I am able to upload the file from another application using different application like jenkins s3 plugin without any issues. I am clueless why this should happen only for a java web application deployed on tomcat. I have confirmed below things.

  1. The ec2 instance was created with an IAM role.
  2. The IAM role has write access to bucket. The puppet scripts is able to write to bucket.
  3. Tried with other application to check the IAM role and it is working fine with out any issues.

As per my understanding if I do not specify any credentials while creating the S3 bucket client(AmazonS3Client ),it will take the IAM role authentication as default.

This is a sample function which I wrote to test the permission.

public boolean checkWritePermission(String bucketName) {
    AmazonS3Client amazonS3Client=new AmazonS3Client();
    LOG.info("Checking bucket write permission.....");
    boolean hasWritePermissions = false;
    final ObjectMetadata metadata = new ObjectMetadata();
    metadata.setContentLength(0);
    // Create empty content
    final InputStream emptyContent = new ByteArrayInputStream(new byte[0]);
    // Create a PutObjectRequest with test object
    final PutObjectRequest putObjectRequest = new PutObjectRequest(bucketName,
            "TestDummy.txt", emptyContent, metadata);
    try {
        if (amazonS3Client.putObject(putObjectRequest) != null) {
            LOG.info("Permissions validated!");
            // User has write permissions, TestPassed.
            hasWritePermissions = true;

        }
    }
    catch (AmazonClientException s3Ex) {
        LOG.warn("Write permissions not available!", s3Ex.getMessage());
        LOG.error("Write permissions not available!", s3Ex);
    }
    return hasWritePermissions;
}

com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: xxxxxxxxxxxxxx).

like image 237
Harry Avatar asked Sep 26 '16 11:09

Harry


People also ask

Why is my S3 bucket Access Denied?

The "403 Access Denied" error can occur due to the following reasons: Your AWS Identity and Access Management (IAM) user or role doesn't have permissions for both s3:GetBucketPolicy and s3:PutBucketPolicy. The bucket policy denies your IAM identity permission for s3:GetBucketPolicy and s3:PutBucketPolicy.

What is status code 403 in AWS?

Short description. An HTTP 403 response code means that a client is forbidden from accessing a valid URL. The server understands the request, but it can't fulfill the request because of client-side issues.

Why is S3 object URL Access Denied?

The URL to the Amazon S3 object doesn't include your user credentials, so the request to the object is anonymous. Amazon S3 returns an Access Denied error for anonymous requests to objects that aren't public.


1 Answers

Not sure if you have solved this issue yet; however, if you are using custom KMS keys on your bucket and the file you are trying to reach is encrypted with the custom key then this error will also be thrown.

This issue is sometimes hidden by the fact you can still list objects inside your S3 bucket. Make sure your IAM policy includes kms permissions to decrypt.

like image 174
pkarfs Avatar answered Oct 13 '22 01:10

pkarfs