Access denied to S3 bucket from AWS CLI

0

Hi,

I'm able to access a S3 bucket from the console. But when I try to use AWS CLI command 'aws s3 ls s3://<bucket name>/, I get message 'An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied'. The CLI profile region is the same as the S3 bucket region. The access key and secret access key are all correct. What could I have missed? Thanks.

3 Answers
0
Accepted Answer

Thanks all for your advice. Root cause was identified and issue was resolved now. The MFA was enforced in CLI and temporary token was not setup in the profile hence unable to access the AWS services from CLI. The MFA enforcement has been removed for the AWS service I need to access in CLI and it's working now.

answered a year ago
profile picture
EXPERT
reviewed 2 months ago
0

Hi, You should verify that your cli profile is known:

aws configure list-profiles

then check the identity under which you will run your cli command:

aws sts get-caller-identity

Finally, you may run

aws sts get-caller-identity --profile (name of the profile you want to view)
profile pictureAWS
EXPERT
answered a year ago
  • Hi Didier, thanks for the quick response. The result from running the first command above is 'default'. And when I run the 3rd command 'aws sts get-caller-identity --profile default', I got the same result as the 2nd command.

  • Ok. Good. Is then 'default' the profile containing the access / secret key that you expect ? If yes, check in IAM console that this key pair is attached to the user that you use in the console. That will ensure that the console credentials that work apply also to key pair in default profile.

0

Hi,

Could you check if your IAM user has the required permission to access the bucket? You will need a policy similar to the following to access the bucket objects

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": [
              "s3:ListBucket"
          ],
          "Resource": [
              "arn:aws:s3:::bucketname"
          ]
      },
      {
          "Effect": "Allow",
          "Action": [
              "s3:GetObject"
          ],
          "Resource": [
              "arn:aws:s3:::bucketname/*"
          ]
      }
  ]
}
profile picture
Bisina
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions