
Why do I get an Access Denied error for ListObjectsV2 when I run the sync command on my Amazon S3 bucket?


I'm running the aws s3 sync command to copy objects to or from an Amazon Simple Storage Service (Amazon S3) bucket. But I get an Access Denied error when I make the ListObjectsV2 API call.

Short description

When you run the sync command, Amazon S3 issues the ListObjectsV2 API call to check whether the object exists in the source or destination bucket. If the object doesn't exist in either bucket, then Amazon S3 performs the following API calls:

  • CopyObject for a bucket-to-bucket operation
  • GetObject for a bucket-to-local operation
  • PutObject for a local-to-bucket operation

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Configure the IAM policy

Note: This resolution assumes that the GetObject and PutObject actions are already granted to the AWS Identity and Access Management (IAM) user or role. It addresses how to resolve the Access Denied error caused by missing or incorrect ListBucket permissions, or by incorrect sync command syntax with Requester Pays.

Verify that you have the s3:ListBucket permission on the Amazon S3 buckets that you'll copy objects to or from. You must have this permission to make ListObjectsV2 API calls.

If your IAM user or role belongs to another AWS account, then check whether your IAM and bucket policies permit the s3:ListBucket action. You must have s3:ListBucket permission on both your IAM policy and bucket policy.

If your user or role belongs to the bucket owner's account, then you don't need both the IAM and bucket policies to allow s3:ListBucket. You need only one of the policies to allow the s3:ListBucket action.

Important: If either the IAM policy or bucket policy already allows the s3:ListBucket action, then check the other policy for statements that explicitly deny the action. An explicit deny statement overrides an allow statement.

The following example IAM policy grants s3:ListBucket permission:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Stmt1546506260896",
    "Action": "s3:ListBucket",
    "Effect": "Allow",
    "Resource": "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET"
  }]
}

The following example bucket policy grants the user arn:aws:iam::123456789012:user/testuser permissions for s3:ListBucket:

{
  "Id": "Policy1546414473940",
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Stmt1546414471931",
    "Action": "s3:ListBucket",
    "Effect": "Allow",
    "Resource": "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET",
    "Principal": {
      "AWS": [
        "arn:aws:iam::123456789012:user/testuser"
      ]
    }
  }]
}
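The same-account versus cross-account rule and the "explicit deny overrides allow" rule described above, worked through in code. This is an added example, not AWS documentation or an AWS library; it is a deliberately simplified evaluator (Action and Resource wildcards only, no Condition, NotAction or NotResource) that runs offline on constructed copies of the two policies shown above.

```python
import fnmatch
import json

# Constructed sample policies, modelled on the two policies shown in this article.
IAM_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [{
  "Sid": "Stmt1546506260896", "Action": "s3:ListBucket", "Effect": "Allow",
  "Resource": "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET"}]}''')
BUCKET_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [{
  "Sid": "Stmt1546414471931", "Action": "s3:ListBucket", "Effect": "Allow",
  "Resource": "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET",
  "Principal": {"AWS": ["arn:aws:iam::123456789012:user/testuser"]}}]}''')
USER = "arn:aws:iam::123456789012:user/testuser"
BUCKET = "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, principal_arn):
    # Identity policies carry no Principal; bucket policies name one ("*" = anyone).
    if "Principal" not in stmt or stmt["Principal"] == "*":
        return True
    return principal_arn in _as_list(stmt["Principal"].get("AWS", []))


def policy_decision(policy, action, resource, principal_arn):
    """Return "Deny", "Allow" or None (no matching statement) for one policy.
    Simplified: Action/Resource wildcards only; no Condition/NotAction/NotResource."""
    decision = None
    for stmt in policy.get("Statement", []):
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _principal_matches(stmt, principal_arn):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny wins over any allow in the same policy
        decision = "Allow"
    return decision


def list_bucket_allowed(iam_policy, bucket_policy, principal_arn, bucket_arn, same_account):
    """Combine the IAM-policy and bucket-policy decisions as the article describes."""
    iam = policy_decision(iam_policy, "s3:ListBucket", bucket_arn, principal_arn)
    bkt = policy_decision(bucket_policy, "s3:ListBucket", bucket_arn, principal_arn)
    if "Deny" in (iam, bkt):
        return False  # explicit deny in either policy overrides any allow
    if same_account:
        return "Allow" in (iam, bkt)  # bucket owner's account: either policy suffices
    return iam == "Allow" and bkt == "Allow"  # cross-account: both must allow
```

Run `list_bucket_allowed(IAM_POLICY, BUCKET_POLICY, USER, BUCKET, same_account=False)` to see the cross-account case pass, then drop either policy to see it fail while the same-account case still succeeds.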

Use the sync command with Requester Pays

If your bucket belongs to another account and has Requester Pays activated, then verify that your bucket policy and IAM policy both grant ListObjectsV2 permissions. If the ListObjectsV2 permissions are properly granted, then check your sync command syntax. If you don't include the --request-payer requester option when you run the sync command, then you get an Access Denied error.

For example, run the following sync command, but replace requester-pays-bucket with your bucket's name:

aws s3 sync ./ s3://requester-pays-bucket/ --request-payer requester

Related information

Bucket owner granting cross-account bucket permissions

Identity-based policies for Amazon S3