Amazon S3 copyObject permission

Question

I'v got user with all permissions.

{   "Statement": [     {       "Effect": "Allow",       "Action": "*",       "Resource": "*"     }   ] } 

I'm using aws-sdk-php-2 to put and copy objects in bucket.

http://docs.aws.amazon.com/aws-sdk-php-2/latest/class-Aws.S3.S3Client.html

Put code works perfect

                $client->putObject(array(                 'Bucket'     => 'kiosk',                 'Key'        => 'test/orders/test.csv',                 'SourceFile' => $sourcePath,             )); 

After check if object created on S3 via https://console.aws.amazon.com/s3 I'm executing next script.

        $result = $client->copyObject(array(         'Bucket' => 'kiosk',         'CopySource' => 'test/orders/test.csv',         'Key' => 'test/test.csv',     )); 

And I'm getting fatal error:

Fatal error: Uncaught Aws\S3\Exception\S3Exception: AWS Error Code: AllAccessDisabled, Status Code: 403, AWS Request ID: XXX, AWS Error Type: client, AWS Error Message: All access to this object has been disabled, User-Agent: aws-sdk-php2/2.2.1 Guzzle/3.3.1 curl/7.19.7 PHP/5.4.13 thrown in phar:///usr/share/pear/AWSSDKforPHP/aws.phar/src/Aws/Common/Exception/NamespaceExceptionFactory.php on line 89 

After upload file manually console.aws.amazon.com/s3 I see different error when trying to copy:

Fatal error: Uncaught Aws\S3\Exception\AccessDeniedException: AWS Error Code: AccessDenied, Status Code: 403, AWS Request ID: XXX, AWS Error Type: client, AWS Error Message: Access Denied, User-Agent: aws-sdk-php2/2.2.1 Guzzle/3.3.1 curl/7.19.7 PHP/5.4.13 thrown in phar:///usr/share/pear/AWSSDKforPHP/aws.phar/src/Aws/Common/Exception/NamespaceExceptionFactory.php on line 89 

I also try to set permissions on file and folder via console.aws.amazon.com/s3: Grantee: Everyone, Open/Download and View Permission and Edit Permission

But still same error.

Answer 1

I know this is an old question, but I ran into the same issue recently while doing work on a legacy project.

$this->client->copyObject([     'Bucket'        => $this->bucket,     'CopySource'    => $file,     'Key'           => str_replace($source, $destination, $file), ]); 

All of the my other S3 calls worked except for copyObject continued to throw an ACCESS DENIED error. After some digging, I finally figured out why.

I was passing just the key and making the assumption that the bucket being passed was what both the source and destination would use. Turns out that is an incorrect assumption. The source must have the bucket name prefixed.

Here was my solution:

$this->client->copyObject([     'Bucket'        => $this->bucket,     // Added the bucket name to the copy source     'CopySource'    => $this->bucket.'/'.$file,     'Key'           => str_replace($source, $destination, $file), ]); 

It says "Access Denied" because it thinks the first part of your key/folder is actually the name of the bucket which either doesn't exist or you really don't have access to.

Hope that helps a few people out!

Answer 2

Found out what the issue is here; being an AWS newbie I struggled here for a bit until I realized that each policy for the users you set needs to clearly allow the service you're using.

In this case I hadn't set the user to be allowed into S3.

Goto IAM then goto Users and click on the particular user that has the credentials you're using. From there goto Permissions tab, then click on Attach User Policy and find the S3 policy under select policy template. This should fix your problem.

Hope that helps!