Getting Access Denied when calling the PutObject operation with bucket-level permission

Question

I followed the example on http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html#iam-policy-example-s3 for how to grant a user access to just one bucket.

I then tested the config using the W3 Total Cache Wordpress plugin. The test failed.

I also tried reproducing the problem using

aws s3 cp --acl=public-read --cache-control='max-age=604800, public' ./test.txt s3://my-bucket/

and that failed with

upload failed: ./test.txt to s3://my-bucket/test.txt A client error (AccessDenied) occurred when calling the PutObject operation: Access Denied

Why can't I upload to my bucket?

Quick note based on the above comment for Serverless Framework users (I can't comment due to rep). Your AWS bucket arn `arn:aws:s3:::YourBucketName/*` should only be used when referencing the resource in `serverless.yml`. Only used the bucket name in the request `{ "Bucket": "YourBucketName" }`. — AndySO, Sep 30 '21 at 01:41

score 310 · Answer 1 · edited Feb 04 '19 at 09:20

310

To answer my own question:

The example policy granted PutObject access, but I also had to grant PutObjectAcl access.

I had to change

"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"

from the example to:

"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:DeleteObject"

You also need to make sure your bucket is configured for clients to set a public-accessible ACL by unticking these two boxes:

edited Feb 04 '19 at 09:20

Pablo Fernandez

279,434
135
377
622

answered Mar 28 '16 at 22:29

Greg

12,119
5
32
34

3

Thank you! Not sure why Amazon's own documentation is off. You might want to include "s3:AbortMultipartUpload" as well so that an aborted upload can be properly cleared. – Hashcut Nov 01 '17 at 16:09
samples for S3 policies placed here https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html – E.Big Mar 01 '18 at 13:45
4

btw it doesn't work for me. boto3 interaction, even with s3fullaccess policy I'm gettin "AccessDenied for PutObject" – E.Big Mar 01 '18 at 13:46
OMG it should be made as ROLE but not as Policy. When I have created Role for S3 with the same content like policy - IT WORK – E.Big Mar 01 '18 at 15:06
4

In my case its working with AWS cli, but it is not wrokign with boto – Hardik Gajjar Mar 28 '18 at 07:12
thank you! It seems that "s3:DeleteObject" is not necessary – Zhenya Feb 15 '19 at 16:35
6

I had S3 full access but was missing the Block new public ACLs and uploading public objects. Thank you! – the_ccalderon Apr 02 '19 at 14:08
Sir you're a life saver! I stuck for several hours and finally run into your lovely answer. After unticking those 2 boxes, everything works fine. Honestly, the error should have provided more details instead of a simple "Access denied"... – anniex Oct 27 '20 at 04:42
I had all of these things and still could not PutObject - it was a policy in the endpoint for the VPC the lambda used, the specific bucket had to be allowed there, hopefully this helps someone not spend hours debugging like I had to! :D – DrCord Nov 20 '20 at 19:40
Note that when using versioned objects you additionally need the permission `s3:PutObjectVersionAcl` – Adam Lindberg Dec 08 '21 at 15:04

score 97 · Answer 2 · answered Apr 12 '18 at 16:33

97

I was having a similar problem. I was not using the ACL stuff, so I didn't need s3:PutObjectAcl.

In my case, I was doing (in Serverless Framework YML):

- Effect: Allow
  Action:
    - s3:PutObject
  Resource: "arn:aws:s3:::MyBucketName"

Instead of:

- Effect: Allow
  Action:
    - s3:PutObject
  Resource: "arn:aws:s3:::MyBucketName/*"

Which adds a /* to the end of the bucket ARN.

Hope this helps.

answered Apr 12 '18 at 16:33

movermeyer

1,502
2
13
19

17

I needed the one with /* – cyrf Jun 23 '19 at 06:26
this was the case for me also – Visualspark Jul 08 '20 at 20:25
Same here, thanks for the tip. I was integrating Sentry on-premise `filestore.backend: s3` endpoint – kachar Dec 08 '20 at 16:38
I too had to add the "/*" – Roger Creasy May 27 '21 at 18:47
It helped me too. – Yukti Agrawal Apr 08 '22 at 17:32
Yup adding a `/*` at the end did the trick – srx May 25 '22 at 11:12
this helped my case where I got the name of the `bucket` slightly wrong in the `Resource` – JobaDiniz Apr 28 '23 at 20:11

score 46 · Answer 3 · edited Sep 01 '22 at 13:16

46

If you have set public access for bucket and if it is still not working, edit bucket policy and paste following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::yourbucketnamehere",
                "arn:aws:s3:::yourbucketnamehere/*"
            ],
            "Effect": "Allow",
            "Principal": "*"
        }
    ]
}

Change yourbucketnamehere in above code with name of your bucket.

edited Sep 01 '22 at 13:16

Dylan w

2,565
1
18
30

answered Apr 26 '20 at 12:26

Den Pat

1,118
10
17

Worked for me, I created a new S3 bucket, made it fully public. Its writeable put_object, but fails when doing put_object w/ ACL= option. Odd ? – Doug F Aug 16 '20 at 05:38
Note that when using versioned objects you additionally need the permission `s3:PutObjectVersionAcl` – Adam Lindberg Dec 08 '21 at 14:49
When creating in IAM, i got an error and had to remove `"Principal": "*"` – Dylan w Sep 01 '22 at 13:19
Does work. Still gives me, `The bucket does not allow ACLs` – Cerin Nov 16 '22 at 05:36
@Cerin this has nothing to do with above rule, enable ACLs in permission tabs of S3 object. – Den Pat Nov 17 '22 at 09:56

score 22 · Answer 4 · answered May 27 '21 at 16:47

22

In my case the problem was that I was uploading the files with "--acl=public-read" in the command line. However that bucket has public access blocked and is accessed only through CloudFront.

answered May 27 '21 at 16:47

LachoTomov

3,312
30
42

2

This was a neat trick. reminds me to always ask what those args do :facepalm – Manish Ranjan Nov 08 '21 at 03:18
3

Same. Why didn't AWS show a more specific error message in this case. – Scofield Aug 05 '22 at 15:38
4

If this had higher number of votes, I would've saved 45 mins of my life :') – Vibhansh Feb 07 '23 at 14:11

score 15 · Answer 5 · answered Feb 13 '19 at 16:00

I was just banging my head against a wall just trying to get S3 uploads to work with large files. Initially my error was:

An error occurred (AccessDenied) when calling the CreateMultipartUpload operation: Access Denied

Then I tried copying a smaller file and got:

An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

I could list objects fine but I couldn't do anything else even though I had s3:* permissions in my Role policy. I ended up reworking the policy to this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::my-bucket/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucketMultipartUploads",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "*"
        }
    ]
}

Now I'm able to upload any file. Replace my-bucket with your bucket name. I hope this helps somebody else that's going thru this.

I am also getting the following error: Missing required field Principal — Karan Sharma, Oct 23 '19 at 23:00
Beware: this will give your IAM User/role access to list the keys in all buckets. Use with care; ideally avoid ever using `"Resource": "*"`. — Darian Moody, Dec 03 '19 at 19:11
Add -- "Principal": "*", -- below "Effect": "Allow", to solve the issue with the missing required field — meck373, Jul 02 '20 at 08:18
Adding these both resources worked for me :) Thank you!! "arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*" — Malgo, Aug 11 '20 at 13:23

score 14 · Answer 6 · answered Sep 27 '18 at 13:27

14

In case this help out anyone else, in my case, I was using a CMK (it worked fine using the default aws/s3 key)

I had to go into my encryption key definition in IAM and add the programmatic user logged into boto3 to the list of users that "can use this key to encrypt and decrypt data from within applications and when using AWS services integrated with KMS.".

answered Sep 27 '18 at 13:27

PeskyGnat

2,454
19
22

This helped me. Thanks! Same error as permissions, but was in fact the encryption. – Vicente Rocha Nov 15 '19 at 13:35
https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuAndPermissions.html – Sam A. Oct 12 '20 at 11:41

score 11 · Answer 7 · answered Nov 29 '18 at 17:11

I had a similar issue uploading to an S3 bucket protected with KWS encryption. I have a minimal policy that allows the addition of objects under a specific s3 key.

I needed to add the following KMS permissions to my policy to allow the role to put objects in the bucket. (Might be slightly more than are strictly required)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:ListKeys",
                "kms:GenerateRandom",
                "kms:ListAliases",
                "s3:PutAccountPublicAccessBlock",
                "s3:GetAccountPublicAccessBlock",
                "s3:ListAllMyBuckets",
                "s3:HeadBucket"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "kms:ImportKeyMaterial",
                "kms:ListKeyPolicies",
                "kms:ListRetirableGrants",
                "kms:GetKeyPolicy",
                "kms:GenerateDataKeyWithoutPlaintext",
                "kms:ListResourceTags",
                "kms:ReEncryptFrom",
                "kms:ListGrants",
                "kms:GetParametersForImport",
                "kms:TagResource",
                "kms:Encrypt",
                "kms:GetKeyRotationStatus",
                "kms:GenerateDataKey",
                "kms:ReEncryptTo",
                "kms:DescribeKey"
            ],
            "Resource": "arn:aws:kms:<MY-REGION>:<MY-ACCOUNT>:key/<MY-KEY-GUID>"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
            <The S3 actions>
            ],
            "Resource": [
                "arn:aws:s3:::<MY-BUCKET-NAME>",
                "arn:aws:s3:::<MY-BUCKET-NAME>/<MY-BUCKET-KEY>/*"
            ]
        }
    ]
}

Awesome. I copied the permissions from the default managed `aws/s3` key to an IAM policy attached to a role (not in the KMS policy), and it works well. The only actions I needed against the KMS ARNs were: `kms:Encrypt`, `kms:Decrypt`, `kms:ReEncrypt*`, `kms:GenerateDataKey*`, `kms:DescribeKey`. Then just the standard S3 permissions. — z0r, Mar 30 '20 at 08:43

score 7 · Answer 8 · answered Aug 23 '20 at 17:25

I encountered the same issue. My bucket was private and had KMS encryption. I was able to resolve this issue by putting in additional KMS permissions in the role. The following list is the bare minimum set of roles needed.

{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Sid": "AllowAttachmentBucketWrite",
        "Effect": "Allow",
        "Action": [
            "s3:PutObject",
            "kms:Decrypt",
            "s3:AbortMultipartUpload",
            "kms:Encrypt",
            "kms:GenerateDataKey"
        ],
        "Resource": [
            "arn:aws:s3:::bucket-name/*",
            "arn:aws:kms:kms-key-arn"
        ]
    }
  ]
}

Reference: https://aws.amazon.com/premiumsupport/knowledge-center/s3-large-file-encryption-kms-key/

score 6 · Answer 9 · answered Jun 18 '18 at 20:54

I was having the same error message for a mistake I made: Make sure you use a correct s3 uri such as: s3://my-bucket-name/

(If my-bucket-name is at the root of your aws s3 obviously)

I insist on that because when copy pasting the s3 bucket from your browser you get something like https://s3.console.aws.amazon.com/s3/buckets/my-bucket-name/?region=my-aws-regiontab=overview

Thus I made the mistake to use s3://buckets/my-bucket-name which raises:

An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

score 4 · Answer 10 · answered Sep 30 '20 at 04:01

4

Error : An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

I solved the issue by passing Extra Args parameter as PutObjectAcl is disabled by company policy.

s3_client.upload_file('./local_file.csv', 'bucket-name', 'path', ExtraArgs={'ServerSideEncryption': 'AES256'})

answered Sep 30 '20 at 04:01

aakash gouda

51
2

1

I add "--sse" with aws cli and it's worked nice, thx – Maxence Lecointe Mar 03 '21 at 10:54

score 4 · Answer 11 · answered Dec 26 '21 at 01:38

I got this error too: ERROR AccessDenied: Access Denied

I am working in a NodeJS app that was trying to use the s3.putObject method. I got clues from reading the many other answers above, so I went to the S3 Bucket, clicked on the Permission tab, then scrolled down to the Bucket Policy section and noticed there was a condition required for access.

So I added a ServerSideEncryption attribute to my params for the putObject call.

This finally worked for me. No other changes, such as any encryption of the message, are required for the putObject to work.

score 2 · Answer 12 · answered May 20 '20 at 15:54

Similar to one post above, (except I was using admin credentials) to get S3 uploads to work with large 50M file.

Initially my error was:

An error occurred (AccessDenied) when calling the CreateMultipartUpload operation: Access Denied

I switched the multipart_threshold to be above the 50M

aws configure set default.s3.multipart_threshold 64MB

and I got:

An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

I checked bucket public access settings and all was allowed. So I found that public access can be blocked on account level for all S3 buckets:

score 2 · Answer 13 · answered Apr 06 '21 at 18:10

I also solved it by adding the following KMS permissions to my policy to allow the role to put objects in this bucket (and this bucket alone):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
            ]
        }
    ]
}

You can also test your policy configurations before applying them with the IAM Policy Simulator. This came in handy to me.

score 2 · Answer 14 · answered May 28 '21 at 19:44

In my case I had an ECS task with roles attached to it to access S3, but I tried to create a new user for my task to access SES as well. Once I did that I guess I overwrote some permissions somehow.

Basically when I gave SES access to the user my ECS lost access to S3.

My fix was to attach the SES policy to the ECS role together with the S3 policy and get rid of the new user.

What I learned is that ECS needs permissions in 2 different stages, when spinning up the task and for the task's everyday needs. If you want to give the containers in the task access to other AWS resources you need to make sure to attach those permissions to the ECS task.

My code fix in terraform:

data "aws_iam_policy" "AmazonSESFullAccess" {
  arn = "arn:aws:iam::aws:policy/AmazonSESFullAccess"
}

resource "aws_iam_role_policy_attachment" "ecs_ses_access" {
  role       = aws_iam_role.app_iam_role.name
  policy_arn = data.aws_iam_policy.AmazonSESFullAccess.arn
}

score 2 · Answer 15 · answered Sep 29 '22 at 07:43

2

I was facing the similar issue so checked the permission tab in the AWS bucket. The public access was blocked which was causing the issue in my case so I unchecked the option and it worked. enter image description here

answered Sep 29 '22 at 07:43

Faisal Imran

36
3

score 1 · Answer 16 · answered Jan 28 '20 at 00:30

1

For me I was using expired auth keys. Generated new ones and boom.

answered Jan 28 '20 at 00:30

remjx

4,104
3
34
32

score 1 · Answer 17 · edited Sep 27 '22 at 19:33

My problem was that my source (an ec2 instance) had an IAM role attached that didn't allow any write actions, so even though the bucket policy was correct, I couldn't write anything to anywhere from it. I solved it by adding this policy to the IAM role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::destination-bucket/destination-path/*"
            ]
        }
    ]
}

score 0 · Answer 18 · answered Apr 08 '20 at 07:29

If you have specified your own customer managed KMS key for S3 encryption you also need to provide the flag --server-side-encryption aws:kms, for example:

aws s3api put-object --bucket bucket --key objectKey --body /path/to/file --server-side-encryption aws:kms

If you do not add the flag --server-side-encryption aws:kms the cli displays an AccessDenied error

score 0 · Answer 19 · answered Jul 17 '20 at 13:15

0

I was able to solve the issue by granting complete s3 access to Lambda from policies. Make a new role for Lambda and attach the policy with complete S3 Access to it.

Hope this will help.

answered Jul 17 '20 at 13:15

deep bajaj

61
1
1

cosbor11 · Answer 20 · 2023-03-23T22:24:51.113

0

Verify that your awsClient config makes use of credentials provider and is finding the correct credentials
Verify that the assumed role has a policy that grants it s3:PutObject on the bucket and the contents of the bucket /*
Verify the name of the bucket is correct
Verify the ACL action on the PutObjectRequest is granted in your policy and is applicable to your usecase

edited Mar 23 '23 at 22:24

answered Mar 23 '23 at 22:02

cosbor11

14,709
10
54
69

score 0 · Answer 21 · answered May 04 '23 at 12:32

0

In my access, access of S3 bucket was not provided to the IAM role attached with the EC2 instance I was trying to access so please verify once if S3 access is provided to that EC2 or not.

Hope it works for someone.

answered May 04 '23 at 12:32

vish anand

111
1
4

score -1 · Answer 22 · answered May 02 '21 at 10:14

-1

In addition, I have set the permission for the group to which the user belongs to.

answered May 02 '21 at 10:14

Dinesh Kumar P

1,128
2
18
32

Getting Access Denied when calling the PutObject operation with bucket-level permission

22 Answers22

Linked