com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied

Here's my Java code:

        AmazonS3 conn = new AmazonS3Client();
        AmazonS3URI uri = new AmazonS3URI(s3uri);
        ObjectListing objects = conn.listObjects(uri.getBucket(), uri.getKey());

A very simple task: I try to use the AmazonS3 Java client to access S3, but the line conn.listObjects keeps failing and gives me the following exception:

Exception in thread "main" com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: XXXXXXXX), S3 Extended Request ID: xxxxxxxxx
    at com.amazonaws.http.AmazonHttpClient.handleErrorResponse(AmazonHttpClient.java:1389)
    at com.amazonaws.http.AmazonHttpClient.executeOneRequest(AmazonHttpClient.java:902)
    at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:607)
    at com.amazonaws.http.AmazonHttpClient.doExecute(AmazonHttpClient.java:376)
    at com.amazonaws.http.AmazonHttpClient.executeWithTimer(AmazonHttpClient.java:338)
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:287)
    at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:3826)
    at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:3778)
    at com.amazonaws.services.s3.AmazonS3Client.listObjects(AmazonS3Client.java:610)
    at com.amazonaws.services.s3.AmazonS3Client.listObjects(AmazonS3Client.java:588)

  1. A very obvious error code: 403, which denotes that my AWS credentials are wrong. However, these are exactly the same credentials that my coworkers are using to access the same S3 bucket. To rule out the possibility that I have a typo somewhere, I literally deleted my previous ones and used the same ones that my coworkers sent to me, and put them under ~/.aws/

  2. I also researched other possible reasons. One could be that this S3 bucket doesn't give permissions to my IAM role; apparently that is not my case either.

Any help please? What could be the culprit?

Fisher Coder asked Mar 15 '17 00:03


1 Answer

The AWS SDK for Java has a DefaultAWSCredentialsProviderChain that checks credentials in this order:

  • Environment Variables - AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (RECOMMENDED since they are recognized by all the AWS SDKs and CLI except for .NET), or AWS_ACCESS_KEY and AWS_SECRET_KEY (only recognized by Java SDK)
  • Java System Properties - aws.accessKeyId and aws.secretKey
  • Credential profiles file at the default location (~/.aws/credentials) shared by all AWS SDKs and the AWS CLI
  • Credentials delivered through the Amazon EC2 container service if AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable is set and security manager has permission to access the variable
  • Instance profile credentials delivered through the Amazon EC2 metadata service

It is possible that your credentials are being set prior to your desired configuration file being consulted.

One way to check which credentials are being used is to use the aws iam get-user command to show the current user. You could also try that in Java with the GetUser() call.

John Rotenstein answered Sep 30 '22 07:09
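The check suggested in the answer above, as an added example (not code from the original answer or from the AWS SDK): it probes each credential source in the listed order, shows which one the default chain would pick and which are shadowed, then calls GetUser with the winning credentials. It assumes the AWS SDK for Java 1.x with the IAM module on the classpath; the class name `WhichCredentials` is hypothetical.

```java
import com.amazonaws.AmazonServiceException;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper;
import com.amazonaws.auth.EnvironmentVariableCredentialsProvider;
import com.amazonaws.auth.SystemPropertiesCredentialsProvider;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement;
import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder;
import com.amazonaws.services.identitymanagement.model.GetUserRequest;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical diagnostic class (not part of the SDK): probes each credential
// source in the order listed above and reports which one the default chain picks.
public class WhichCredentials {
    public static void main(String[] args) {
        Map<String, AWSCredentialsProvider> chain = new LinkedHashMap<>();
        chain.put("environment variables", new EnvironmentVariableCredentialsProvider());
        chain.put("Java system properties", new SystemPropertiesCredentialsProvider());
        chain.put("profile file (~/.aws/credentials)", new ProfileCredentialsProvider());
        // Wrapper covers the last two sources: container, then instance profile.
        chain.put("container / instance profile", new EC2ContainerCredentialsProviderWrapper());
        AWSCredentialsProvider winner = null;
        for (Map.Entry<String, AWSCredentialsProvider> e : chain.entrySet()) {
            try {
                String id = e.getValue().getCredentials().getAWSAccessKeyId();
                // Log only the key ID suffix; never print the secret key.
                String tail = id.substring(Math.max(0, id.length() - 4));
                String note = (winner == null) ? "<-- used by the default chain" : "(shadowed)";
                if (winner == null) winner = e.getValue();
                System.out.printf("%-34s key ID ...%s %s%n", e.getKey(), tail, note);
            } catch (RuntimeException ex) { // source absent or unreachable
                System.out.printf("%-34s none (%s)%n", e.getKey(), ex.getClass().getSimpleName());
            }
        }
        if (winner == null) return;

        // IAM is a global service; the region is pinned only so the builder
        // does not depend on a configured default region.
        AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.standard()
                .withCredentials(winner).withRegion(Regions.US_EAST_1).build();
        try {
            System.out.println("Caller: " + iam.getUser(new GetUserRequest()).getUser().getArn());
        } catch (AmazonServiceException ex) { // e.g. no iam:GetUser permission
            System.out.println("GetUser failed: " + ex.getErrorMessage());
        }
    }
}
```

Outside EC2 or ECS the last probe can pause for a few seconds while the metadata endpoint times out. A key ID suffix on the first line that differs from the one in ~/.aws/credentials means an earlier source is overriding the profile file.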