AWS CLI s3 cp fails with a 403 error when trying to administer a user-uploaded object

Attempting to copy a file from the S3 bucket to the local computer:

aws s3 cp s3://my-bucket-name/audio-0b7ea3d0-13ab-4c7c-ac66-1bec2e572c14.wav ./

fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden 

Things I confirmed:

  • I am using version aws-cli/1.11.13 Python/3.5.2 Linux/4.4.0-75-generic botocore/1.4.70
  • The S3 object path string is correct. I copied it directly from the S3 web console.
  • The AWS CLI is configured with valid credentials. I created a new key / secret pair. I deleted the ~/.aws folder before re-configuring the AWS CLI. The IAM web console confirms that the user with that ARN is actually using S3 through the CLI.
  • The IAM user has an S3 full-access policy, as in this SO post. I deleted all of that user's policies, and then added only the AWS managed policy called "AdministratorAccess", which includes "S3, Full Control, All Resources". Is there any other way to provide access through the CLI? I don't believe so.

The bucket policy is designed to provide wide open access:

    {
        "Sid": "AdminAccess",
        "Effect": "Allow",
        "Principal": "*",
        "Action": [
            "s3:*"
        ],
        "Resource": [
            "arn:aws:s3:::my-bucket-name",
            "arn:aws:s3:::my-bucket-name/*"
        ]
    }

How did I upload this object?

I uploaded this object directly to AWS from a web application in the client's browser, using an AWS Signature v4 signed POST upload policy.

+8
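Added example, not part of the question or of any answer: the error above comes from the HeadObject call that `aws s3 cp` issues before it downloads, and the usual reason an AdministratorAccess user in the bucket-owning account still gets a 403 is that the object belongs to a different AWS account (the one whose credentials signed the browser upload) and its ACL grants the bucket owner nothing. A bucket policy cannot grant permissions on objects the bucket owner does not own, and neither can IAM policies in the bucket owner's account, so the wide-open `Principal: "*"` policy above does not help here (it does make every object the bucket owner does own world-readable and world-writable unless Block Public Access stops it). The script replays that access decision offline on hand-constructed ACL documents in the shape boto3's get_bucket_acl() and get_object_acl() return; the canonical IDs are placeholders. On buckets with S3 Object Ownership set to "bucket owner enforced", ACLs are disabled and the bucket owner owns every object, so this failure mode does not arise.

```python
# Added example (not code from the original post): reproduce the S3 access
# decision behind "403 on HeadObject" offline, using ACL documents in the
# shape that boto3's get_bucket_acl() / get_object_acl() return.
# All canonical IDs below are made-up 64-character placeholders.

import copy

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}   # either lets HeadObject/GetObject succeed

BUCKET_OWNER_ID = "a" * 64   # account that owns my-bucket-name and runs `aws s3 cp`
UPLOADER_ID = "b" * 64       # account whose credentials signed the browser POST

# Constructed sample: what get_bucket_acl() returns for the bucket.
BUCKET_ACL = {
    "Owner": {"ID": BUCKET_OWNER_ID},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": BUCKET_OWNER_ID},
                "Permission": "FULL_CONTROL"}],
}

# Constructed sample: the default ("private") ACL a cross-account upload
# leaves on the object. Only the uploader's account has any rights.
OBJECT_ACL = {
    "Owner": {"ID": UPLOADER_ID},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": UPLOADER_ID},
                "Permission": "FULL_CONTROL"}],
}


def acl_grants(acl, canonical_id, wanted):
    """True if some grant in `acl` gives `canonical_id` one of the `wanted` permissions."""
    for grant in acl["Grants"]:
        if grant["Permission"] not in wanted:
            continue
        grantee = grant["Grantee"]
        if grantee["Type"] == "CanonicalUser" and grantee.get("ID") == canonical_id:
            return True
        if grantee["Type"] == "Group" and grantee.get("URI") in (ALL_USERS, AUTHENTICATED_USERS):
            return True   # these predefined groups match every AWS account (or everyone)
    return False


def diagnose(bucket_acl, object_acl, caller_account_id):
    """Explain whether a principal in account `caller_account_id` can read the object."""
    object_owner = object_acl["Owner"]["ID"]
    if object_owner == caller_account_id:
        # Same account as the object owner: IAM policies (e.g. AdministratorAccess) decide.
        return "ALLOWED_SAME_ACCOUNT"
    if acl_grants(object_acl, caller_account_id, READ_PERMISSIONS):
        return "ALLOWED_BY_ACL"
    if bucket_acl["Owner"]["ID"] == caller_account_id:
        # The questioner's case: the bucket owner is not the object owner, and
        # neither the bucket policy nor IAM in the bucket-owner account can
        # grant rights on an object that another account owns.
        return "FORBIDDEN_BUCKET_OWNER_NOT_OBJECT_OWNER"
    return "FORBIDDEN_NO_GRANT"


def grant_bucket_owner_full_control(object_acl, bucket_owner_id):
    """ACL the object carries after an upload with ACL=bucket-owner-full-control
    (or after put_object_acl with that canned ACL): the owner's grant plus
    FULL_CONTROL for the bucket owner."""
    fixed = copy.deepcopy(object_acl)
    fixed["Grants"].append({"Grantee": {"Type": "CanonicalUser", "ID": bucket_owner_id},
                            "Permission": "FULL_CONTROL"})
    return fixed


if __name__ == "__main__":
    print("as uploaded:", diagnose(BUCKET_ACL, OBJECT_ACL, BUCKET_OWNER_ID))
    fixed_acl = grant_bucket_owner_full_control(OBJECT_ACL, BUCKET_OWNER_ID)
    print("after bucket-owner-full-control:", diagnose(BUCKET_ACL, fixed_acl, BUCKET_OWNER_ID))
    # Live check against the bucket in the question (needs boto3 and credentials):
    #   s3 = boto3.client("s3")
    #   me = s3.list_buckets()["Owner"]["ID"]          # caller's canonical user ID
    #   diagnose(s3.get_bucket_acl(Bucket=b), s3.get_object_acl(Bucket=b, Key=k), me)
```

The same logic explains why `aws s3 ls` on the bucket still works: listing is a bucket-level operation governed by the bucket owner's policy, while HeadObject is evaluated against the object's owner and ACL.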
5 answers

[Most of this answer was lost in extraction; only the fragments below survive.]

... OBJECT ...

... GET ... S3 ...

... POST'ed ...

... acl=bucket-owner-full-control ... AWS CLI.

... acl=ec2-bundle-read ... AWS SDK: https://github.com/aws/aws-sdk-java/blob/7844c64cf248aed889811bf2e871ad6b276a89ca/aws-java-sdk-ec2/src/main/java/com/amazonaws/services/ec2/util/S3UploadPolicy.java#L77

S3UploadPolicy.java ... acl=bucket-owner-full-control ... AWS CLI.

+2

[Answer text lost in extraction; surviving fragments:] AWS S3 Forbidden (403) ... s3 ...

0

[Answer text lost in extraction; surviving fragments:] s3 ... bucket ...

0

[Answer text lost in extraction; surviving fragment:] ... S3 ...

0

[The opening of this answer was partly lost in extraction.] Setup: 3 accounts (A1, A2, A3), 3 canonical user IDs (canonical_user_account_A1, canonical_user_account_A2, canonical_user_account_A3) and 1 IAM role (R1) in A3.

A2 ... canonical_user_account_A1 (...) ... [text lost] ...

fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden

I added List and Get permissions for R1 in the bucket policy and in the role's permissions, but in this case that is not enough: if the account the bucket is in is not the owner, users from another account cannot get (download) the files. So I had to make sure that when uploading files I use:

    import boto3

    # Canonical user IDs of the three accounts (placeholders; use your own).
    canonical_user_account_A1 = '<canonical ID of account A1>'
    canonical_user_account_A2 = '<canonical ID of account A2>'
    canonical_user_account_A3 = '<canonical ID of account A3>'

    bucket_name = 'my-bucket-name'
    file_path = '<local file to upload>'
    s3_file_path = '<object key in the bucket>'

    s3_client = boto3.client('s3')

    # ACL that lets both A2 and A3 read the object; A1 remains the owner.
    access_control_policy = {
        'Grants': [
            {
                'Grantee': {
                    'ID': canonical_user_account_A2,
                    'Type': 'CanonicalUser'
                },
                'Permission': 'READ'
            },
            {
                'Grantee': {
                    'ID': canonical_user_account_A3,
                    'Type': 'CanonicalUser'
                },
                'Permission': 'READ'
            },
        ],
        'Owner': {
            'ID': canonical_user_account_A1
        }
    }

    # Upload with the bucket-owner-full-control canned ACL so the bucket
    # owner gets full control of the new object.
    upload_extra_args = {'ACL': 'bucket-owner-full-control'}

    s3_client.upload_file(file_path, bucket_name, s3_file_path, ExtraArgs=upload_extra_args)

    # Replace the object's ACL with the explicit grants above.
    s3_client.put_object_acl(AccessControlPolicy=access_control_policy, Bucket=bucket_name, Key=s3_file_path)

This allows both canonical_user_account_A2 and canonical_user_account_A3 to read and download the file.

0

Source: https://habr.com/ru/post/1677474/

