18

I'm doing a multipart upload via the aws cli console but getting this error:

A client error (AccessDenied) occurred when calling the CreateMultipartUpload operation: Access Denied

Below is my policy, am I missing something in there?

Thanks.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::mybucket"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:CreateMultipartUpload",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": "arn:aws:s3:::mybucket/*"
        }
    ]
}

2 Answers

19

The "s3:PutObject" handles the CreateMultipartUpload operation, so I guess there is nothing like "s3:CreateMultipartUpload".

The thing you have to change in your s3 bucket ARN is to also add "Resource": "arn:aws:s3:::mybucket"

Final policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::mybucket"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket",
                "arn:aws:s3:::mybucket/*"
            ]
        }
    ]
}

ExploringApple
  • You are using the `"Resource"` key twice in your last block (last two lines). Not sure which one it's supposed to be. – init_js Nov 16 '18 at 12:04
  • You need both. One is for the bucket itself, one is for objects in the bucket (ending /*). Resource should be an array [] with both in. – s27840 Mar 22 '19 at 17:44
  • use array of resources like `"Resource":["arn1","arn2"]` – Putnik Apr 04 '19 at 21:40
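The bucket-ARN versus object-ARN distinction in this answer is easy to check offline. The script below is an added example (not code from the question or the answer): it embeds both policies from this page and a tiny IAM-style evaluator that checks each S3 action named in them at the ARN level it applies to. The evaluator is deliberately a subset of real IAM (explicit Deny wins, any matching Allow grants, `*`/`?` wildcards on Action and Resource, no Condition, bucket-policy or SCP handling) and it does not validate that an action name exists, so a name such as "s3:CreateMultipartUpload" simply never matches any request. The action-to-level table is the assumption the example rests on: bucket-level actions (ListBucket, GetBucketLocation, ListBucketMultipartUploads) are authorized against the bucket ARN, object-level ones against bucket ARN + "/key".

```python
"""Offline check of the two policies above against the S3 actions they name.

Toy IAM subset: explicit Deny wins; otherwise any matching Allow grants.
Action matches case-insensitively, both Action and Resource accept '*' and '?'
wildcards (via fnmatch). Real evaluation also involves bucket policies, SCPs,
permission boundaries and Condition blocks, none of which are modelled here.
"""
import fnmatch

# Assumed ARN level per action (from the S3 IAM action reference): bucket-level
# actions need "arn:aws:s3:::bucket", object-level ones need ".../bucket/key".
# CreateMultipartUpload, UploadPart and CompleteMultipartUpload are all
# authorized by s3:PutObject, which is why no separate action exists for them.
S3_ACTION_LEVEL = {
    "s3:ListBucket": "bucket",
    "s3:GetBucketLocation": "bucket",
    "s3:ListBucketMultipartUploads": "bucket",
    "s3:PutObject": "object",
    "s3:GetObject": "object",
    "s3:DeleteObject": "object",
    "s3:AbortMultipartUpload": "object",
    "s3:ListMultipartUploadParts": "object",
}

# Policy from the question: statement 3 names only the object ARN.
ORIGINAL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": "arn:aws:s3:::mybucket"},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject",
                                   "s3:CreateMultipartUpload", "s3:AbortMultipartUpload",
                                   "s3:ListMultipartUploadParts", "s3:ListBucketMultipartUploads"],
     "Resource": "arn:aws:s3:::mybucket/*"},
]}

# Policy from the answer: statement 3 names both the bucket and the object ARN.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": "arn:aws:s3:::mybucket"},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject",
                                   "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts",
                                   "s3:ListBucketMultipartUploads"],
     "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"]},
]}


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate, fold_case=False):
    """True if any pattern (with IAM-style '*'/'?' wildcards) matches candidate."""
    pats = _as_list(patterns)
    if fold_case:
        candidate, pats = candidate.lower(), [p.lower() for p in pats]
    return any(fnmatch.fnmatchcase(candidate, p) for p in pats)


def is_allowed(policy, action, resource):
    """Evaluate one (action, resource) request against an identity policy."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt.get("Action", []), action, fold_case=True):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny always wins
        allowed = True
    return allowed


def unauthorized_actions(policy, bucket, key="some/object.bin"):
    """Return (action, arn) pairs the policy does NOT allow, each at its proper ARN level."""
    arns = {"bucket": f"arn:aws:s3:::{bucket}", "object": f"arn:aws:s3:::{bucket}/{key}"}
    return [(action, arns[level]) for action, level in S3_ACTION_LEVEL.items()
            if not is_allowed(policy, action, arns[level])]


if __name__ == "__main__":
    for name, policy in (("question", ORIGINAL_POLICY), ("answer", FIXED_POLICY)):
        gaps = unauthorized_actions(policy, "mybucket")
        print(f"{name}: {gaps if gaps else 'all listed actions allowed at their ARN level'}")
```

Running it reports that the question's policy fails only `s3:ListBucketMultipartUploads` on `arn:aws:s3:::mybucket`, because a bucket-level action never matches the `mybucket/*` object pattern, while the answer's policy has no gap. For the authoritative check with conditions and the real action catalogue, the IAM policy simulator accepts a policy document directly, e.g. `aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names s3:ListBucketMultipartUploads --resource-arns arn:aws:s3:::mybucket`.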
2

If it's cross accounts access, check it is not related to ACL headers as mentioned here: https://stackoverflow.com/a/34055538/1736679 (more info in this issue thread: https://github.com/aws/aws-cli/issues/1674)

Also double check the environment / user from which you are running to see if there are no overriding Keys (AWS_ACCESS_KEY, etc) in /etc/environment or ~/.aws/credentials

Efren
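To make the "overriding keys" check concrete, here is an added example (not code from the answer) that reports which credentials the AWS CLI would actually pick, following its precedence order in which environment variables win over the shared credentials file, and that lists any `AWS_*` assignments in a login-environment file such as /etc/environment. It assumes the variable names the CLI reads (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_PROFILE`); the credentials-file and /etc/environment contents embedded below are constructed samples with placeholder key ids.

```python
"""Report which credentials the AWS CLI would use and where they come from.

Precedence modelled (a subset of the CLI's chain): environment variables first,
then the profile in ~/.aws/credentials. Anything further down the chain
(config file, container or instance role) is reported as "none".
"""
import configparser
import os
from pathlib import Path


def credential_source(env, credentials_text):
    """Return (source, access_key_id, profile) for the credentials the CLI would pick.

    env: a mapping like os.environ.  credentials_text: content of ~/.aws/credentials
    (empty string if the file does not exist).
    """
    profile = env.get("AWS_PROFILE", "default")
    # Environment variables override the credentials file, which is how a stale
    # key exported in /etc/environment silently replaces the intended profile.
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return ("environment", env["AWS_ACCESS_KEY_ID"], profile)
    parser = configparser.ConfigParser()
    parser.read_string(credentials_text)
    if parser.has_option(profile, "aws_access_key_id"):
        return ("credentials_file", parser.get(profile, "aws_access_key_id"), profile)
    return ("none", None, profile)


def aws_vars_in(text):
    """Return the names of AWS_* assignments in a KEY=VALUE file like /etc/environment."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("AWS_") and "=" in line:
            names.append(line.split("=", 1)[0])
    return names


# Constructed samples; the key ids are placeholders, not real credentials.
SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id = AKIAFILEEXAMPLE
aws_secret_access_key = file-secret-placeholder
"""
SAMPLE_ETC_ENVIRONMENT = """
PATH=/usr/local/bin:/usr/bin:/bin
AWS_ACCESS_KEY_ID=AKIAENVEXAMPLE
AWS_SECRET_ACCESS_KEY=env-secret-placeholder
"""


if __name__ == "__main__":
    creds_path = Path.home() / ".aws" / "credentials"
    creds_text = creds_path.read_text() if creds_path.exists() else ""
    print("CLI would use:", credential_source(os.environ, creds_text))
    etc_env = Path("/etc/environment")
    if etc_env.exists():
        print("AWS_* set in /etc/environment:", aws_vars_in(etc_env.read_text()))
```

With the sample inputs, the environment key `AKIAENVEXAMPLE` wins even though the credentials file holds a different key for the default profile; on a real host, compare the reported access key id with `aws sts get-caller-identity` to confirm which identity the CLI is actually calling S3 as.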