
Amazon S3 copyObject permission

I've got a user with all permissions.

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*"
        }
      ]
    }

I'm using aws-sdk-php-2 to put and copy objects in a bucket.

http://docs.aws.amazon.com/aws-sdk-php-2/latest/class-Aws.S3.S3Client.html

The put code works perfectly:

    $client->putObject(array(
        'Bucket'     => 'kiosk',
        'Key'        => 'test/orders/test.csv',
        'SourceFile' => $sourcePath,
    ));

After checking that the object was created on S3 via https://console.aws.amazon.com/s3, I execute the next script.

    $result = $client->copyObject(array(
        'Bucket'     => 'kiosk',
        'CopySource' => 'test/orders/test.csv',
        'Key'        => 'test/test.csv',
    ));

And I'm getting fatal error:

Fatal error: Uncaught Aws\S3\Exception\S3Exception: AWS Error Code: AllAccessDisabled, Status Code: 403, AWS Request ID: XXX, AWS Error Type: client, AWS Error Message: All access to this object has been disabled, User-Agent: aws-sdk-php2/2.2.1 Guzzle/3.3.1 curl/7.19.7 PHP/5.4.13 thrown in phar:///usr/share/pear/AWSSDKforPHP/aws.phar/src/Aws/Common/Exception/NamespaceExceptionFactory.php on line 89 

After uploading the file manually via console.aws.amazon.com/s3, I see a different error when trying to copy:

Fatal error: Uncaught Aws\S3\Exception\AccessDeniedException: AWS Error Code: AccessDenied, Status Code: 403, AWS Request ID: XXX, AWS Error Type: client, AWS Error Message: Access Denied, User-Agent: aws-sdk-php2/2.2.1 Guzzle/3.3.1 curl/7.19.7 PHP/5.4.13 thrown in phar:///usr/share/pear/AWSSDKforPHP/aws.phar/src/Aws/Common/Exception/NamespaceExceptionFactory.php on line 89 

I also tried setting permissions on the file and folder via console.aws.amazon.com/s3: Grantee: Everyone, with Open/Download, View Permission and Edit Permission.

But I still get the same error.

jwachol asked Jun 03 '13 15:06


People also ask

What permissions are needed for s3 copy?

To run the command aws s3 cp with the --recursive option, you need permission to s3:GetObject, s3:PutObject, and s3:ListBucket. To run the command aws s3 sync, then you need permission to s3:GetObject, s3:PutObject, and s3:ListBucket.

How do I give permission to s3 bucket?

Open the Amazon S3 console at https://console.aws.amazon.com/s3/ . Select the bucket that you want AWS Config to use to deliver configuration items, and then choose Properties. Choose Permissions. Choose Edit Bucket Policy.

Does s3 preserve file permissions?

S3 is not a standard Linux file system and thus cannot preserve Linux file permissions.


2 Answers

I know this is an old question, but I ran into the same issue recently while doing work on a legacy project.

    $this->client->copyObject([
        'Bucket'     => $this->bucket,
        'CopySource' => $file,
        'Key'        => str_replace($source, $destination, $file),
    ]);

All of my other S3 calls worked, except copyObject, which continued to throw an ACCESS DENIED error. After some digging, I finally figured out why.

AWS v2 SDK CopySource Documentation

I was passing just the key and making the assumption that the bucket being passed was what both the source and destination would use. Turns out that is an incorrect assumption. The source must have the bucket name prefixed.

Here was my solution:

    $this->client->copyObject([
        'Bucket'     => $this->bucket,
        // Added the bucket name to the copy source
        'CopySource' => $this->bucket.'/'.$file,
        'Key'        => str_replace($source, $destination, $file),
    ]);

It says "Access Denied" because it thinks the first part of your key/folder is actually the name of the bucket which either doesn't exist or you really don't have access to.

Hope that helps a few people out!

Jeremy Harris answered Sep 22 '22 00:09
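The CopySource behaviour described in the answer above, as an added example that is not part of the original post or of the AWS SDK: it shows how a `bucket/key` value splits at the first slash, builds the value with the bucket prefixed and the key URL-encoded (the S3 API requires the copy-source value to be URL-encoded), and rejects a source that resolves to an unexpected bucket. The three function names are hypothetical; the bucket and key are the ones from the question.

```php
<?php
// Added example; parse_copy_source(), build_copy_source() and
// assert_source_bucket() are hypothetical helpers, not SDK functions.

// Split a CopySource value at the first "/": bucket before it, key after it.
function parse_copy_source($copySource)
{
    $value = ltrim($copySource, '/');   // this helper ignores a leading "/"
    $slash = strpos($value, '/');
    if ($slash === false || $slash === strlen($value) - 1) {
        throw new InvalidArgumentException("CopySource must be bucket/key: $copySource");
    }
    return [
        'bucket' => substr($value, 0, $slash),
        'key'    => rawurldecode(substr($value, $slash + 1)),
    ];
}

// Build CopySource with the bucket prefixed; each key segment is URL-encoded
// and "/" is kept as the separator.
function build_copy_source($bucket, $key)
{
    if ($bucket === '' || $key === '' || strpos($bucket, '/') !== false) {
        throw new InvalidArgumentException('Need a bucket name without "/" and a non-empty key');
    }
    return $bucket . '/' . implode('/', array_map('rawurlencode', explode('/', $key)));
}

// Fail before the request is sent if the source resolves to another bucket.
function assert_source_bucket($copySource, $expectedBucket)
{
    $parsed = parse_copy_source($copySource);
    if ($parsed['bucket'] !== $expectedBucket) {
        throw new UnexpectedValueException(
            "CopySource points at bucket '{$parsed['bucket']}', expected '$expectedBucket'"
        );
    }
    return $parsed;
}

// Values from the question: bucket "kiosk", key "test/orders/test.csv".
$asPosted = parse_copy_source('test/orders/test.csv');
echo "As posted: bucket={$asPosted['bucket']} key={$asPosted['key']}\n";

$fixed = build_copy_source('kiosk', 'test/orders/test.csv');
echo "Fixed:     CopySource=$fixed\n";

try {
    assert_source_bucket('test/orders/test.csv', 'kiosk');
} catch (UnexpectedValueException $e) {
    echo 'Rejected:  ' . $e->getMessage() . "\n";
}
assert_source_bucket($fixed, 'kiosk');   // passes silently
```

Running the check before `copyObject` turns a confusing 403 from someone else's bucket into a local error that names the bucket the request would actually have read from.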


Found out what the issue is here; being an AWS newbie I struggled here for a bit until I realized that each policy for the users you set needs to clearly allow the service you're using.

In this case I hadn't set the user to be allowed into S3.

Go to IAM, then go to Users and click on the particular user that has the credentials you're using. From there go to the Permissions tab, then click on Attach User Policy and find the S3 policy under select policy template. This should fix your problem.

Hope that helps!

Petrogad answered Sep 18 '22 00:09