Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Unable to upload an object to cross account S3 bucket through console - ACLs disabled

0

Hi,

I have an S3 bucket in account A and it has ACLs disabled. Bucket policy allows account B user to upload objects. When I try to use CLI using account B access key, it works fine:

C:\Workspace>aws s3api put-object --bucket cross-account-bucket8211 --key maxi.jpg --body maxi.jpg { "ETag": ""e577962ae3715e26dc32a9c850be4bf9"", "ServerSideEncryption": "AES256" }

**However when I use AWS console, object fails to upload with error : **

Access control list (ACL) not supported Objects can only be added to this bucket if they use no access control list (ACL) or the bucket-owner-full-control canned ACL. Review ACL permissions for the source object and remove ACLs that grant read or write permissions others.

Topics
Storage
Tags
Amazon Simple Storage Service
Language
English
asked 2 years ago852 views
2 Answers
2
Accepted Answer

When you use the AWS CLI with the put-object command, the CLI automatically sets the x-amz-acl header to bucket-owner-full-control, which is a compatible ACL setting for your bucket. This allows the upload to succeed.

💡 You can find more information about the x-amz-acl header and its usage in the Amazon S3 documentation here.

However, in the AWS Console, the default behavior is to use the private ACL when uploading objects (Blocking all public access). Since your bucket has ACLs disabled, the Console upload fails with the error you've encountered.

Blocked All public access

💡 You can learn more about the effects of these rules by visiting the Block public access settings page in the Amazon S3 documentation.

EXPERT
answered 2 years ago
EXPERT
reviewed 2 years ago
AWS
EXPERT
reviewed 2 years ago
  • Prachi Kashikar
    2 years ago

    thanks for all the details. Is there a way to pass x-amz-acl when I upload through console? or do I have to enable ACL on my bucket to allow console to upload?

1

My team was struggling with this same use case. What we found was that the bucket policy needs to be changed (on the bucket owner's side, i.e. Account A) to permit s3:GetBucketOwnershipControls. This will allow the Account B user to retrieve the bucket's ownership settings and see that ACLs are disabled, and Account B user's console will no longer automatically try to send the upload request with ACL headers included.

AWS
answered 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content