I installed s3fs as it is described here: http://code.google.com/p/s3fs/wiki/InstallationNotes
then in I create user bucket_user
then put his accessKeyId:secretAccessKey in /etc/passwd-s3fs
then in S3 I create a bucket super_bucket
and set its policy:
    {
      "Version": "2008-10-17",
      "Statement": [
        {
          "Sid": "AddCanned",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::234234234234:user/bucket_user"
          },
          "Action": "s3:*",
          "Resource": "arn:aws:s3:::super_bucket/*"
        }
      ]
    }
then on my server /usr/bin/s3fs super_bucket /mnt/s3/
and receive answer:
s3fs: CURLE_HTTP_RETURNED_ERROR
s3fs: HTTP Error Code: 403
s3fs: AWS Error Code: AccessDenied
s3fs: AWS Message: Access Denied
Version of s3fs being used (s3fs --version): 1.61
Version of fuse being used (pkg-config --modversion fuse): 2.8.4
System information (uname -a): Linux Ubuntu-1110-oneiric-64-minimal 3.0.0-14-server #23-Ubuntu SMP Mon Nov 21 20:49:05 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
Distro (cat /etc/issue): Ubuntu 11.10 \n \l
s3fs syslog messages (grep s3fs /var/log/syslog): empty
so I start from the beginning
on server
nano ~/.passwd-s3fs
cmd+v accessKeyId:secretAccessKey
chmod 600 ~/.passwd-s3fs
in bucket policy
    {
      "Version": "2008-10-17",
      "Statement": [
        {
          "Sid": "AddPerm",
          "Effect": "Allow",
          "Principal": {
            "AWS": "*"
          },
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::super_bucket/*",
            "arn:aws:s3:::super_bucket"
          ]
        }
      ]
    }
"save"
/usr/bin/s3fs super_bucket /mnt/s3/
and again receive
s3fs: AWS Message: Access Denied
and no one said that I need to set User Policy in AWS IAM
Update
Apparently s3fs has issues regarding IAM support up to and including the most recent stable version 1.61 you are using; please review IAM user permissions issue for details, specifically comment 4:
Evidently there is a call to [ListAllMyBuckets()] that is required to determine if the bucket requested exists before attempting to mount.
Now, ListAllMyBuckets() is an operation on the service rather than a bucket or an object, which are the only entities your Resource statement currently targets, thus using ListAllMyBuckets() is effectively denied by your current policy.
As outlined in comment 4 as well, you must add an additional policy fragment to address this requirement for your version of s3fs accordingly:
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "s3:ListAllMyBuckets",
        "Resource": "arn:aws:s3:::*"
      }
    ]
Alternatively you could build s3fs version 1.61 from source after applying the patch provided in comment 9, which is supposedly addressing the issue (I haven't tested the patch myself though). Obviously a later version might include a fix for this as well, see comment 11 ff.
Good luck!
Given the intended functionality (i.e. mount a bucket as a local file system read/write), s3fs presumably requires access to the bucket itself as well, not only the objects contained therein, which is handled separately - try to replace your Resource statement with the following:
    "Resource": [
      "arn:aws:s3:::super_bucket",
      "arn:aws:s3:::super_bucket/*"
    ]
The first resource targets the bucket, while the latter targets the object contained therein.
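Added example (not part of the original posts and not s3fs code): a simplified Python model of Allow-statement matching that shows which requests each policy on this page leaves uncovered, and flags the `"Principal": {"AWS": "*"}` statement, which grants `s3:*` on the bucket to every caller. The three request tuples and the object key `sample.txt` are assumptions for illustration; real IAM evaluation also considers Deny, Condition and Principal.

```python
from fnmatch import fnmatchcase

# Requests s3fs 1.61 needs while mounting, per the answer above (assumed set).
# The object key "sample.txt" is a constructed placeholder.
S3FS_REQUESTS = [
    ("s3:ListAllMyBuckets", "arn:aws:s3:::*"),
    ("s3:ListBucket", "arn:aws:s3:::super_bucket"),
    ("s3:GetObject", "arn:aws:s3:::super_bucket/sample.txt"),
]

def as_list(value):
    return value if isinstance(value, list) else [value]

def allowed(statements, action, resource):
    """Simplified model: True if any Allow statement's Action and Resource
    wildcards match. Deny, Condition and Principal are not evaluated."""
    for stmt in statements:
        if stmt["Effect"] != "Allow":
            continue
        if any(fnmatchcase(action, a) for a in as_list(stmt["Action"])) and \
           any(fnmatchcase(resource, r) for r in as_list(stmt["Resource"])):
            return True
    return False

def uncovered(statements):
    """Return the s3fs requests that no statement allows."""
    return [req for req in S3FS_REQUESTS if not allowed(statements, *req)]

def open_to_everyone(statements):
    """Return Allow statements whose Principal is the wildcard."""
    return [s for s in statements if s["Effect"] == "Allow"
            and s.get("Principal") in ("*", {"AWS": "*"})]

# Statements copied from the policies on this page.
OBJECTS_ONLY = [{"Effect": "Allow", "Action": "s3:*",
                 "Principal": {"AWS": "arn:aws:iam::234234234234:user/bucket_user"},
                 "Resource": "arn:aws:s3:::super_bucket/*"}]
BUCKET_AND_OBJECTS = [{"Effect": "Allow", "Action": "s3:*", "Principal": {"AWS": "*"},
                       "Resource": ["arn:aws:s3:::super_bucket/*",
                                    "arn:aws:s3:::super_bucket"]}]
LIST_ALL = [{"Effect": "Allow", "Action": "s3:ListAllMyBuckets",
             "Resource": "arn:aws:s3:::*"}]

if __name__ == "__main__":
    for name, stmts in [("objects only", OBJECTS_ONLY),
                        ("bucket + objects", BUCKET_AND_OBJECTS),
                        ("bucket + objects + ListAllMyBuckets",
                         BUCKET_AND_OBJECTS + LIST_ALL)]:
        print(name, "-> uncovered:", uncovered(stmts))
    print("open to everyone:", len(open_to_everyone(BUCKET_AND_OBJECTS)))
```

Keeping the named `bucket_user` principal from the first policy together with both Resource ARNs and the `s3:ListAllMyBuckets` fragment covers the same three requests without the wildcard principal.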