Why might boto be denied access to S3 with proper IAM keys?

I am trying to access a bucket on S3 with boto. I have been given read access to the bucket and my keys are working when I explore it in S3 Browser. The following code is returning 403 Forbidden Access Denied.

from boto.s3.connection import S3Connection
conn = S3Connection('Access_Key_ID', 'Secret_Access_Key')
conn.get_all_buckets()  # this call returns 403 Forbidden (Access Denied)

This also occurs when using the access key and secret access key via the boto config file. Is there something else I need to be doing because the keys are from IAM perhaps? Could this indicate an error in the setup? I don't know much about IAM, I was just given the keys.

rhnoble asked Sep 13 '12 17:09


People also ask

Why is my S3 Access Denied?

If you're getting Access Denied errors on public read requests that are allowed, check the bucket's Amazon S3 Block Public Access settings. Review the S3 Block Public Access settings at both the account and bucket level. These settings can override permissions that allow public read access.

Why am I getting an access denied error from the Amazon S3 console when I try to modify a bucket policy?

Short description. The "403 Access Denied" error can occur due to the following reasons: Your AWS Identity and Access Management (IAM) user or role doesn't have permissions for both s3:GetBucketPolicy and s3:PutBucketPolicy.


2 Answers

Some things to check...

  • If you are using boto, be sure you are using conn.get_bucket(bucket_name) to access only the bucket you have permission to access.

  • In your IAM (user) policy, if you are restricting access to a single bucket, be sure that the policy includes adequate permissions to the bucket and does not include a trailing slash+asterisk in the ARN (see example below).

  • Be sure to set "Upload/Delete" permissions for "Authenticated Users" in S3 for the bucket.

Permissions sample:


IAM policy sample:

NOTE: The SID will be automatically generated when using the policy generator

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:*"
      ],
      "Sid": "Stmt0000000000001",
      "Resource": [
        "arn:aws:s3:::myBucketName"
      ],
      "Effect": "Allow"
    }
  ]
}

Vyke answered Sep 30 '22 17:09


My guess is that it's because you're calling conn.get_all_buckets() instead of conn.get_bucket(bucket_name) for the individual bucket you have access to.

user59200 answered Sep 30 '22 17:09
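
The get_all_buckets() versus get_bucket() distinction that both answers point at, as an added example (not code from the question or the answers): a simplified evaluator of IAM Allow statements that reports which boto 2 calls a policy covers. The call-to-action mapping, the object key and the READ_ONLY policy are assumptions added here; Deny statements, conditions, ACLs and bucket policies are ignored.

```python
from fnmatch import fnmatchcase

# boto 2 call -> (IAM action, resource the request is evaluated against).
# "myBucketName" is the placeholder from the policy sample above;
# "some/key" is a constructed object key.
REQUIRED = {
    "conn.get_all_buckets()": ("s3:ListAllMyBuckets", "*"),
    "conn.get_bucket('myBucketName')": ("s3:ListBucket", "arn:aws:s3:::myBucketName"),
    "key.get_contents_as_string()": ("s3:GetObject", "arn:aws:s3:::myBucketName/some/key"),
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed(policy, action, resource):
    """True if any Allow statement matches both the action and the resource.
    Simplified: no Deny, NotAction/NotResource, Condition, ACL or bucket policy."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive; resource ARNs are not.
        act_ok = any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
        res_ok = any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if act_ok and res_ok:
            return True
    return False

def report(policy):
    """Map each boto call to whether the policy alone would allow it."""
    return {call: allowed(policy, act, res) for call, (act, res) in REQUIRED.items()}

# The IAM policy sample from the answer above (Sid omitted).
SINGLE_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::myBucketName"]},
]}

# Constructed read-only variant: bucket-level listing plus object-level reads.
READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::myBucketName"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::myBucketName/*"},
]}

if __name__ == "__main__":
    for name, policy in (("SINGLE_BUCKET", SINGLE_BUCKET), ("READ_ONLY", READ_ONLY)):
        for call, ok in report(policy).items():
            print(f"{name:14} {call:34} {'allowed' if ok else '403 AccessDenied'}")
```

Under both policies the account-wide listing is denied while the single-bucket call is allowed, which matches the 403 in the question; the bucket-only ARN does not match object ARNs, so object reads depend on a separate object-level statement or another grant.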