Unable to access the S3 bucket after the IAM user was recreated

3 minutos de lectura
Nivel de contenido: Intermedio
5

If you delete and recreate the user, please update the S3 bucket policy with the user ARN to grant user permission on the bucket.

Customer complained that an IAM user was unable to access an S3 bucket after the user was recreated in the IAM console. The customer thought that the new user had been granted permission using its ARN in the S3 bucket policy because the old user and new user had the same username. However, once the old user was deleted, the user ARN in the S3 bucket policy was changed to the unique ID of the old user. The S3 bucket policy did not grant the new user any permission, and the new user got an access denied error when accessing the S3 bucket. To resolve the issue, the customer should update the S3 bucket policy with the ARN of the user.

Please see the steps to reproduce the issue below:

  1. AWS CLI user configuration:
$ aws configure --profile s3testuser
AWS Access Key ID [None]: OldAccessKeyID
AWS Secret Access Key [None]: OldSecretAccessKey
Default region name [None]: us-east-1
Default output format [None]: json

$ export AWS_PROFILE=s3testuser

$ aws sts get-caller-identity
{
    "UserId": "AIDACKCEVSQ6C2EXAMPLE",      <========== Old user ID.
    "Account": "111122223333",
    "Arn": "arn:aws:iam::111122223333:user/s3testuser"
}
  1. S3 Bucket Policy grants user permission on bucket:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:user/s3testuser"   <========== User ARN. 
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::mybucketnamehere",
                "arn:aws:s3:::mybucketnamehere/*"
            ]
        }
    ]
}
  1. User can access the bucket:
$ aws s3 ls s3://mybucketnamehere
2024-06-21 02:27:27      80755 1.JPG

$ aws s3 cp s3://mybucketnamehere/1.JPG .
download: s3://mybucketnamehere/1.JPG to ./1.JPG
  1. Delete the user from the IAM console.

  2. S3 Bucket Policy is changed:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "AIDACKCEVSQ6C2EXAMPLE"  <========== Changed from user ARN to user ID.
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::mybucketnamehere",
                "arn:aws:s3:::mybucketnamehere/*"
            ]
        }
    ]
}
  1. Recreate the user with the same username and configure user profile:
$ aws configure --profile s3testuser
AWS Access Key ID [****************]: NewAccessKeyID
AWS Secret Access Key [****************]: NewSecretAccessKey
Default region name [us-east-1]:
Default output format [json]:

$ export AWS_PROFILE=s3testuser

$ aws sts get-caller-identity
{
    "UserId": "AIDAT2GQOK7BGGEXAMPLE",   <========== New user ID.
    "Account": "111122223333",
    "Arn": "arn:aws:iam::111122223333:user/s3testuser"
}
  1. New user gets Access Denied:
$ aws s3 ls s3://mybucketnamehere
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

$ aws s3 cp s3://mybucketnamehere/1.JPG .
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
  1. Update the S3 bucket policy with user ARN:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:user/s3testuser"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::mybucketnamehere",
                "arn:aws:s3:::mybucketnamehere/*"
            ]
        }
    ]
}
  1. New user accesses the S3 bucket successfully:
$ aws s3 ls s3://mybucketnamehere
2024-06-21 02:27:27      80755 1.JPG

$ aws s3 cp s3://mybucketnamehere/1.JPG .
download: s3://mybucketnamehere/1.JPG to ./1.JPG

Summary: If you delete and recreate the user, please update the S3 bucket policy with the user ARN to grant user permission on the bucket.

References: [1] AWS IAM User Guide - Policies and Permissions

profile pictureAWS
EXPERTO
Tyler
publicado hace 3 meses3942 visualizaciones
4 comentarios

Thanks for Sharing this Great Info

profile picture
respondido hace 3 meses

Juicy ones!

John G
respondido hace 3 meses

Great job!

respondido hace 3 meses

Very interesting, thank you for sharing this information."

profile picture
respondido hace un mes