Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: xxxxxxxxxxxxx)

Question

I am trying to access my s3 bucket using a application deployed on my tomcat running on ec2.

I could see lots of posts related to this, but look like most of them complaint about not having proper access. I have proper access to all buckets, I am able to upload the file from another application using different application like jenkins s3 plugin without any issues. I am clueless why this should happen only for a java web application deployed on tomcat. I have confirmed below things.

1. The ec2 instance was created with an IAM role.
2. The IAM role has write access to bucket. The puppet scripts is able to write to bucket.
3. Tried with other application to check the IAM role and it is working fine with out any issues.

As per my understanding if I do not specify any credentials while creating the S3 bucket client(AmazonS3Client ),it will take the IAM role authentication as default.

This is a sample function which I wrote to test the permission.

public boolean checkWritePermission(String bucketName) {
    AmazonS3Client amazonS3Client=new AmazonS3Client();
    LOG.info("Checking bucket write permission.....");
    boolean hasWritePermissions = false;
    final ObjectMetadata metadata = new ObjectMetadata();
    metadata.setContentLength(0);
    // Create empty content
    final InputStream emptyContent = new ByteArrayInputStream(new byte[0]);
    // Create a PutObjectRequest with test object
    final PutObjectRequest putObjectRequest = new PutObjectRequest(bucketName,
            "TestDummy.txt", emptyContent, metadata);
    try {
        if (amazonS3Client.putObject(putObjectRequest) != null) {
            LOG.info("Permissions validated!");
            // User has write permissions, TestPassed.
            hasWritePermissions = true;

        }
    }
    catch (AmazonClientException s3Ex) {
        LOG.warn("Write permissions not available!", s3Ex.getMessage());
        LOG.error("Write permissions not available!", s3Ex);
    }
    return hasWritePermissions;
}

com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: xxxxxxxxxxxxxx).

Answer 1

Not sure if you have solved this issue yet; however, if you are using custom KMS keys on your bucket and the file you are trying to reach is encrypted with the custom key then this error will also be thrown.

This issue is sometimes hidden by the fact you can still list objects inside your S3 bucket. Make sure your IAM policy includes kms permissions to decrypt.