Can anyone explain this behaviour:

When I try to download a file from S3, I get the following error:

An error occurred (403) when calling the HeadObject operation: Forbidden.

Commandline used:

aws s3 cp s3://bucket/raw_logs/my_file.log .

However, when I use the S3 console website, I'm able to download the file without issues.

The access key used by the commandline is correct. I verified this, and other AWS operations via commandline work fine. The access key is tied to the same user account I use in the AWS console.

Jeroen Jacobs

2 Answers

So I assume you're sure about the IAM policy of your user and that the file exists in your bucket.

If you have set a default region in your configuration but the bucket has not been created in this region (yes, S3 buckets are created in a region), it will not find it. Make sure to add the region flag to the CLI:

aws s3 cp s3://bucket/raw_logs/my_file.log . --region <region of the bucket>

Other notes:

  • Make sure to upgrade to the latest version.
  • It can be caused if the system clock is not synchronized. If you're not indicating any synchronize params, it might be OK, but I don't know the internals, and for some commands the CLI looks at the system clock to compare to S3; if you're out of sync, it might cause issues.
Frederic Henri
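
A way to check the two causes raised in the answer above (region mismatch and clock skew) from the response headers alone, since a HEAD response has no body and the CLI can only report a bare "Forbidden". This is an added example, not code from the original posts; the function name `triage_403` and the sample headers are constructed, and it assumes the response carries the `x-amz-bucket-region` header (the region check is skipped if it is absent).

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# SigV4 rejects requests whose timestamp is more than 15 minutes off.
MAX_SKEW = timedelta(minutes=15)


def triage_403(headers, configured_region, local_now=None):
    """Return findings for a 403 from S3, using only response headers.

    HEAD responses carry no body, so the S3 error code is not available;
    the headers are the only evidence for a failed HeadObject call.
    """
    local_now = local_now or datetime.now(timezone.utc)
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    # Assumption: S3 included the bucket's home region in the response.
    bucket_region = h.get("x-amz-bucket-region")
    if bucket_region and bucket_region != configured_region:
        findings.append(
            f"region mismatch: bucket is in {bucket_region}, "
            f"client is configured for {configured_region}"
        )

    # Compare the server's Date header with the local clock.
    if "date" in h:
        skew = local_now - parsedate_to_datetime(h["date"])
        if abs(skew) > MAX_SKEW:
            findings.append(
                f"clock skew: local clock is {int(skew.total_seconds())}s "
                "off the server's Date header"
            )
    return findings


# Constructed sample headers (not captured from a real bucket).
SAMPLE_HEADERS = {
    "Date": "Tue, 04 Dec 2018 03:04:00 GMT",
    "x-amz-bucket-region": "eu-west-1",
    "x-amz-request-id": "EXAMPLEREQUESTID",
}

if __name__ == "__main__":
    now = datetime(2018, 12, 4, 3, 30, 0, tzinfo=timezone.utc)  # 26 min ahead
    for line in triage_403(SAMPLE_HEADERS, "us-east-1", now):
        print(line)
```

Running the failing command with the CLI's global `--debug` flag prints the response headers that this function expects as input.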

I had a similar issue due to having two-factor authentication enabled on my account. Check out how to configure 2FA for the aws cli here: https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/

  • Welcome to Stack Overflow! A link to a solution is welcome, but please ensure your answer is useful without it: [add context around the link](//meta.stackexchange.com/a/8259/165483) so your fellow users will have some idea what it is and why it’s there, then quote the most relevant part of the page you're linking to in case the target page is unavailable. [Answers that are little more than a link may be deleted.](//stackoverflow.com/help/deleted-answers) – Samuel Liew Dec 04 '18 at 03:04
  • It might be even easier to add your mfa_serial to your ~/.aws/config file. Next time an AssumeRole Call is made, the cli is asking for a token. See description of mfa_serial at https://docs.aws.amazon.com/cli/latest/topic/config-vars.html – Matthias Wiedemann Feb 07 '20 at 00:56