I'm trying to read an existing file from my s3 bucket, but I keep getting "Access Denied" with no explanation or instructions on what to do about it. Here is the code I am using:
'use strict' var AWS = require('aws-sdk') const options = { apiVersion: '2006-03-01', params: { Bucket: process.env['IMAGINATOR_BUCKET'] }, accessKeyId: process.env['IMAGINATOR_AWS_ACCESS_KEY_ID'], secretAccessKey: process.env['IMAGINATOR_AWS_SECRET_ACCESS_KEY'], signatureVersion: 'v4' } console.log('options', options) var s3 = new AWS.S3(options) module.exports = exports = { get (name, cb) { const params = { Key: name + '.json' } console.log('get params', params) return s3.getObject(params, cb) }, set (name, body, cb) { const params = { Key: name + '.json', Body: body } console.log('set params', params) return s3.putObject(params, cb) } }
And this is what I'm getting as output when using the get
method and logging the error provided in the callback (with sensitive information censored out):
options { apiVersion: '2006-03-01', params: { Bucket: CENSORED_BUT_CORRECT }, accessKeyId: CENSORED_BUT_CORRECT, secretAccessKey: CENSORED_BUT_CORRECT, signatureVersion: 'v4' } get params { Key: 'whitelist.json' } err { [AccessDenied: Access Denied] message: 'Access Denied', code: 'AccessDenied', region: null, time: Wed Sep 21 2016 11:17:50 GMT-0400 (EDT), requestId: CENSORED, extendedRequestId: CENSORED, cfId: undefined, statusCode: 403, retryable: false, retryDelay: 20.084538962692022 } /Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/request.js:31 throw err; ^ AccessDenied: Access Denied at Request.extractError (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/services/s3.js:538:35) at Request.callListeners (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/sequential_executor.js:105:20) at Request.emit (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/sequential_executor.js:77:10) at Request.emit (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/request.js:668:14) at Request.transition (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/request.js:22:10) at AcceptorStateMachine.runTo (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/state_machine.js:14:12) at /Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/state_machine.js:26:10 at Request.<anonymous> (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/request.js:38:9) at Request.<anonymous> (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/request.js:670:12) at Request.callListeners (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/sequential_executor.js:115:18)
Now I'm not sure what to do beacuse I think I'm doing things correctly according to the docs, but it's not working and the error message doesn't say why my access is denied... Any idea what the next step should be to get this working?
The "403 Access Denied" error can occur due to the following reasons: Your AWS Identity and Access Management (IAM) user or role doesn't have permissions for both s3:GetBucketPolicy and s3:PutBucketPolicy. The bucket policy denies your IAM identity permission for s3:GetBucketPolicy and s3:PutBucketPolicy.
The URL to the Amazon S3 object doesn't include your user credentials, so the request to the object is anonymous. Amazon S3 returns an Access Denied error for anonymous requests to objects that aren't public.
The problem was that my new IAM user didn't have a policy attached to it. I assigned it the AmazonS3FullAccess
policy and now it works.
As pointed out in the comments, a more restrictive policy would be much safer
This could also happen if you're trying to set ACL to "public-read" but the bucket is blocking public access. For example if you mean to upload static assets to a misconfigured S3 bucket. You can change it in your bucket settings.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With