Unable to list s3 buckets using IAM user with AdministratorAccess and AmazonS3FullAccess

0

Hello Folks,

I created an IAM user as per best practice and granted this user the following policies:

  1. AdministratorAccess { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ] }
  2. AmazonS3FullAccess { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:*", "s3-object-lambda:*" ], "Resource": "*" } ] }

And configured the AWS CLI to use the Access keys for the IAM user. When trying to list all the buckets on the account using the IAM user, I am getting the following error: An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied

Don't understand why it's returning an AccessDenied error as the IAM user has the necessary permission to be able to run any action on any resource. Would appreciate some help/guidance on this. Thank you!

2 Answers
3
Accepted Answer

There could be a mismatch somewhere, run aws configure list to show the actual credentials that you are using in the AWS CLI right now, and verify that the (partially obscured) access_key and secret_key are those that you expect to be using.

profile picture
EXPERT
Steve_M
answered a year ago
profile picture
EXPERT
reviewed 5 months ago
  • Thank you for your answer on this. I ran: aws configure list and the access_key and secret_key are what I'm expecting the CLI to use. When I run: aws s3 ls (using the root accounts' access key), the buckets are returned without an issue. Don't understand why I'm not able to do the same with the IAM User with admin permissions.

  • As the root user, aws iam list-attached-user-policies --user-name [the_iam_user] and confirm it's definitely got "PolicyName": "AdministratorAccess" and "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess".

    And also as the root user, aws iam list-access-keys --user-name [the_iam_user] the AccessKeyId is definitely what you expect it to be, and its status is Active ?

  • You were right on the money. After running aws iam list-attached-user-policies --user-name [the_iam_user], I noticed AdministratorAccess was not one of the policies attached to the IAM user. I was attaching the policies from a group, for some reason the user didn't inherit the permissions of the group. I added the policy directly to the IAM user and that resolved the issue. Thanks a lot for your help.

1

Run the following command to make sure you are the principle you think you are.

aws sts get-caller-identity

If that is correct, check to see if there is a bucket policy on the bucket that might be denying your request.

profile pictureAWS
EXPERT
kentrad
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions