
I have a bucket that I can write to with no problem. However, when I try to delete an object, I get an error ...

AccessDeniedException in NamespaceExceptionFactory.php line 91

Following the very basic example here, I came up with this command ...

$result = $s3->deleteObject(array(
    'Bucket' => $bucket,
    'Key'    => $keyname
));

I have tried variations of this based upon other tutorials and questions I have found.

$result = $s3->deleteObject(array(
    'Bucket'         => $bucket,
    'Key'            => $keyname,
    'Content-Type'   => $contentType,
    'Content-Length' => 0
));

But everything produces the same error. Any suggestions?

Joshua Foxworth

3 Answers

It's quite common to have write permission (a user that just writes the data to S3) and a separate delete permission with another user (to avoid accidental deletes).

To check whether you really have access to the specific bucket actions, use the iam get-role-policy API to view the permissions of the role you are using when you try to delete. Here is an example:

$ aws iam get-role-policy --role-name <<your-role-name>> --policy-name <<your-policy-name>>

{
    "RoleName": "myrolename",
    "PolicyDocument": {
        "Version": "yyyy-mm-dd",
        "Statement": [
            {
                "Action": [
                    "s3:AbortMultipartUpload",
                    "s3:DeleteObject",
                    "s3:Get*",
                    "s3:List*",
                    "s3:ListBucket",
                    "s3:PutObject*"
                ],
                "Resource": [
                    "arn:aws:s3:::bucket1/*",
                    "arn:aws:s3:::bucket2/*"
                ],
                "Effect": "Allow",
                "Sid": "yyyy"
            }
        ]
    },
    "PolicyName": "mypolicyname"
}

Most likely, in your case you do not have the "s3:DeleteObject" action for that resource (bucket/prefix).

RedBlueThing
Ravi Ramanujam

A user being able to create an object in a bucket doesn't necessarily imply that the same user can delete the object that he/she created.

S3 permissions can be granular at the resource level (bucket/prefix), and the actions your role can take can be any one or more of the permissions listed here: http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html

It looks like you have the s3:PutObject permission but not s3:DeleteObject.

Ravi Ramanujam

  • How can a user have read/write permissions and not delete? The description on mouse over for this permission says it includes delete. – Joshua Foxworth Mar 07 '17 at 22:45
  • It's quite common to have write permission (a user that just writes the data to S3) and a separate delete permission with another user (to avoid accidental deletes). – Ravi Ramanujam Mar 08 '17 at 14:43
  • For a serverless project you may add "s3:DeleteObject" to the "provider: iamRoleStatements: Action" parameter in the serverless.yml file – lexa-b Mar 14 '18 at 13:15
  • Completely forgot I didn't add this to my config. Thanks – RicardoDuarte Feb 12 '19 at 01:12
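Both answers above come down to the same check: take the PolicyDocument that `aws iam get-role-policy` prints and ask whether `s3:DeleteObject` is actually allowed on the exact object ARN you are deleting, remembering that `s3:PutObject*` or `s3:Get*` wildcards never expand to delete. The script below is an added example, not code from either answerer or from the AWS SDK: it is a deliberately simplified offline evaluator of a single identity policy (explicit Deny wins, then any matching Allow, else implicit deny; wildcards `*` and `?`; action names case-insensitive, ARNs case-sensitive). It ignores Condition blocks, NotAction/NotResource, bucket policies, SCPs and MFA Delete, so a "missing" result here is a reliable explanation of an AccessDenied, but an "ok" result is not a guarantee. The policy document, bucket names and keys are constructed for the example and are not the asker's real policy.

```python
import json
import re

# Constructed sample policy document (an assumption, not the asker's real
# policy), shaped like the "PolicyDocument" that `aws iam get-role-policy`
# returns: the role can write and read bucket1 but has no s3:DeleteObject
# there, may delete in bucket2, and is explicitly denied deleting bucket2/logs/.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "WriteAndRead",
      "Effect": "Allow",
      "Action": ["s3:PutObject*", "s3:Get*", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::bucket1", "arn:aws:s3:::bucket1/*"]
    },
    {
      "Sid": "DeleteInBucket2",
      "Effect": "Allow",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::bucket2/*"
    },
    {
      "Sid": "ProtectLogs",
      "Effect": "Deny",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::bucket2/logs/*"
    }
  ]
}
""")


def _as_list(value):
    """IAM lets Action/Resource be a single string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case=False):
    """Match an IAM pattern: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    flags = re.IGNORECASE if ignore_case else 0
    return re.match(regex, value, flags) is not None


def is_allowed(policy, action, resource_arn):
    """Simplified IAM decision for one identity policy.

    A matching explicit Deny wins regardless of statement order; otherwise any
    matching Allow grants; otherwise the result is the implicit deny.
    Condition blocks, NotAction/NotResource, bucket policies, SCPs and
    MFA Delete are deliberately out of scope.
    """
    allowed = False
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if not any(_wildcard_match(a, action, ignore_case=True) for a in actions):
            continue
        if not any(_wildcard_match(r, resource_arn) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def object_arn(bucket, key):
    """Object-level ARN, the resource deleteObject is evaluated against."""
    return "arn:aws:s3:::%s/%s" % (bucket, key)


def missing_actions(policy, bucket, key, required=("s3:PutObject", "s3:DeleteObject")):
    """Return the required actions the policy does not grant on this object."""
    arn = object_arn(bucket, key)
    return [a for a in required if not is_allowed(policy, a, arn)]


if __name__ == "__main__":
    # Typical use: paste the PolicyDocument from get-role-policy in place of
    # SAMPLE_POLICY, then ask about the exact bucket/key whose delete failed.
    for bucket, key in [("bucket1", "report.csv"), ("bucket2", "tmp/a"), ("bucket2", "logs/x")]:
        gaps = missing_actions(SAMPLE_POLICY, bucket, key)
        print("%s/%s: %s" % (bucket, key, "ok" if not gaps else "missing " + ", ".join(gaps)))
```

Running it against the sample shows the asker's situation on bucket1 (put works, delete is missing), a delete that is allowed only on a different bucket, and a prefix protected by an explicit Deny. When the evaluator says an action is granted but S3 still returns AccessDenied, look at the layers it does not model: the bucket policy, an SCP, a Condition on the statement, or MFA Delete on a versioned bucket.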

In my case, I enabled MFA access. According to AWS, when MFA is activated, to write in the bucket you will need a root access_key. Doing this solved my problem.

More details here: https://repost.aws/knowledge-center/s3-bucket-mfa-delete