Protected bucket @ S3 – Access Denied

amazon s3amazon-web-servicescloudberry

I'm trying to grant RW access to a given bucket to a specific user using the following bucket policy:

{
  "Id": "Policy1322043790167",
  "Statement": [
    {
      "Sid": "Stmt9999043784080",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::private_bucket/*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::999903749999:user/my.username.under.my.aws.account"
        ]
      }
    }
  ]
}

As far as I can notice it's pretty equals to the examples at http://docs.amazonwebservices.com/AmazonS3/latest/dev/index.html?AccessPolicyLanguage_UseCases_s3_a.html and I've followed what is documented at http://docs.amazonwebservices.com/IAM/latest/GettingStartedGuide/index.html?SetUpAdminsGroup.html

Bu it's not working. Using the user AWS Key and Secret Key with the .NET SDK or with CloudBerry Explorer I get an "Access Denied" error.

What am I missing?

The following log is a snippet of the operations log tried by Cloudberry:

System.Net.WebException O servidor remoto retornou um erro: (403)
Proibido. em System.Net.HttpWebRequest.GetResponse() em db.A(dD
, Action`1 , HttpWebRequest , dW )

2011-11-23 08:36:10,505 [S3] [4] INFO – InternalListBucketCall start,
bucket: secured_bucket, prefix: , marker: , maxkeys: 1, delimiter: /
2011-11-23 08:36:11,388 [S3] [4] ERROR – Http response status: 403:
Forbidden 2011-11-23 08:36:11,390 [S3] [4] ERROR – Http response
header: x-amz-request-id: 70941BB8654CE12E 2011-11-23 08:36:11,392
[S3] [4] ERROR – Http response header: x-amz-id-2:
JssG1wXtZSjiGO8oVb9B46NNkn24TpZToD4u/KZAFaPBFBECF7YDMPnckVpyhaDE
2011-11-23 08:36:11,394 [S3] [4] ERROR – Http response
header: Transfer-Encoding: chunked 2011-11-23 08:36:11,396 [S3] [4]
ERROR – Http response header: Content-Type: application/xml 2011-11-23
08:36:11,398 [S3] [4] ERROR – Http response header: Date: Wed, 23 Nov
2011 10:36:31 GMT 2011-11-23 08:36:11,400 [S3] [4] ERROR – Http
response header: Server: AmazonS3 2011-11-23 08:36:11,402 [S3] [4]
ERROR –
AccessDeniedAccess
Denied70941BB8654CE12EJssG1wXtZSjiGO8oVb9B46NNkn24TpZToD4u/KZAFaPBFBECF7YDMPnckVpyhaDE
2011-11-23 08:36:11,404 [S3] [4] ERROR – InternalListBucketCall failed
for bucket: secured_bucket, prefix: , marker: , maxkeys: 1, delimiter:
/ CloudBerryLab.Base.Exceptions.Status403Exception Access Denied

2011-11-23 08:36:11,407 [UI] [4] ERROR – Operation completed with
errors. Click Details for more information.
CloudBerryLab.Base.Exceptions.Status403Exception Access Denied em
kT.A(String , String , String , Int32 , String , FH ) em
kT.B(String , String ) em kM.a(String , Boolean ) em HW.a(String
, Boolean ) em HW.A(String ) em
CloudBerryLab.Explorer.Console.Controls.PluginArea.A(Object ,
DoWorkEventArgs )

2011-11-23 08:36:18,776 [Base] [11] INFO – PROCESSOR_ARCHITECTURE=x86

Best Answer

I'm no s3 expert but have you tried giving it the ListAllMyBuckets privilege? I had this problem when trying to access s3 using s3cmd from an ec2 instance even though I granted all privileges with :* I had to explicitly give the ListAllMyBuckets privilege:

"Sid": "Stmt1397683550000",
  "Effect": "Allow",
  "Action": [
    "s3:ListAllMyBuckets"
  ],
  "Resource": [
    "arn:aws:s3:::mybucketname"
  ]
Related Topic