S3 cp AccessDenied from AWS cli with root keys

Question

I have the AWS cli installed on an EC2 instance, and I configured it by running aws configure and giving it my AWSAccessKeyId and AWSSecretKey keys so if I run the command aws s3 ls it returns the name of my S3 bucket (call it "mybucket").

But, if I then try aws s3 cp localfolder/ s3://mybucket/ --recursive I get an error that looks like

A client error (AccessDenied) occurred when calling the CreateMultipartUpload operation: Anonymous users cannot initiate multipart uploads.  Please authenticate.

I thought that by running aws configure and giving it my root key that I was effectively giving the aws cli everything it needs to authenticate? Is there something I am missing regarding copying to an S3 bucket as opposed to listing them?

Your IAM user/role will need to be assigned a Policy that allows it to perform the `CreateMultipartUpload` action - you can simulate policies through IAM to check whether it will work. — scrowler, Jul 27 '15 at 22:57
root access key and secret keys should have all the privileges. Try running the aws configure again - — Naveen Vijay, Jul 28 '15 at 05:20
Thanks @Naveen Based on your comment I tried using a different set of root keys I had on a different computer and it did work. I'm now puzzled as to why one set of root keys worked but the other did not. But at least your suggestion solved my problem. — not link, Jul 28 '15 at 20:03
I have added the same as answer for benefit for the community — Naveen Vijay, Jul 28 '15 at 20:10

ScottMcC · Answer 1 · 2020-04-20T02:00:46.467

27

Thought I would add in a very similar issue that I had where I could list buckets but could not write to a given bucket returning the error

An error occurred (AccessDenied) when calling the CreateMultipartUpload operation: Access Denied

If the bucket uses server-side encryption you'll need to add the --sse flag to be able to write to this bucket.

https://docs.aws.amazon.com/cli/latest/reference/s3/cp.html

edited Apr 20 '20 at 02:00

answered Sep 06 '17 at 05:55

ScottMcC

4,094
1
27
35

1

Thanks, that turned out to be my issue. – thc Nov 21 '18 at 23:11
do you mean `aws s3 cp --sse localfolder s3:///bucketname/`? that returns `error: argument --sse: Invalid choice` in my case – Dima Lituiev Apr 19 '20 at 20:50
3

`--sse` should be specified after (`aws s3 cp localfolder s3:///bucketname/ --sse`) – ScottMcC Apr 20 '20 at 02:00

score 10 · Accepted Answer · answered Jul 28 '15 at 20:09

10

Root Access keys and Secret key have full control and full privileges to interact with the AWS. Please try running the aws configure again to recheck the setting and try again.

PS: it is highly not recommended to use root access keys - please give a thought is creating an IAM ( which take admin privileges- like root ) and use those.

answered Jul 28 '15 at 20:09

Naveen Vijay

15,928
7
71
92

Even if I do `aws configure` again, it still doesn't work. – Paul Razvan Berg Dec 14 '18 at 23:54
**Update**: I was using non-root credentials, double check that. @Naveen Vijay is correct, you should be able to do anything with a root user, but be careful, for sensitive apps you should use IAM. – Paul Razvan Berg Dec 15 '18 at 00:04

score 8 · Answer 3 · answered Feb 22 '17 at 19:40

8

If you have environment variables AWS_SECRET_ACCESS_KEY, AWS_ACCESS_KEY_ID and AWS_REGION set, AWS CLI gives higher precedence to them, and not to credentials you specify with aws configure.

So, in my case, bash command unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY solved the problem.

answered Feb 22 '17 at 19:40

Mikhail Vasin

2,421
1
24
31

Thanks for this. I ended up commenting it out of my .zshrc. Don't forget that once you change your .bashrc or .zshrc, you need to restart your shell, or `source ~/.zshrc` for the changes to apply to your session. – jimbotron Aug 23 '19 at 23:48
this can be especially a case for ENVs in CI/CD tools – tymik Apr 28 '20 at 08:32

S3 cp AccessDenied from AWS cli with root keys

3 Answers3