You don’t have permission to get object ACL

0

I am trying to move a file from one S3 bucket to another S3 bucket situated in two different AWS accounts using an AWS assumed role and STS (Security Token Service) access. I am using the code below to move the file between the buckets.

const aws = require('aws-sdk'); // AWS SDK for JavaScript v2

const sourceCredentials = new aws.Credentials({
    accessKeyId: <accessKeyId>,
    secretAccessKey: <secretAccessKey>,
});

const sourceS3 = new aws.S3({
    credentials: sourceCredentials
});

const sts = new aws.STS(); // Initializing the AWS STS (Security Token Service) client

// Assume IAM role in the source account
const sourceRoleParams = {
    RoleArn: <roleARN>,
    RoleSessionName: 'AssumeRoleSession'
};

// Assuming the role to have the permission to copy the file to the destination bucket
const assumedRole = await sts.assumeRole(sourceRoleParams).promise();
const targetCredentials = new aws.Credentials({
    accessKeyId: assumedRole.Credentials?.AccessKeyId,
    secretAccessKey: assumedRole.Credentials?.SecretAccessKey,
    sessionToken: assumedRole.Credentials?.SessionToken,
});

const targetS3 = new aws.S3({
    credentials: targetCredentials
});

const sourceBucket = 'SourceBucket-Name';
const destinationBucket = 'DestinationBucket-Name';
const foldername = 'feed';
const fileKey = <Filename>; // key of the object to copy, used for both source and destination
const copyParams = {
    Bucket: destinationBucket,
    CopySource: `/${sourceBucket}/${fileKey}`,
    Key: foldername + '/' + fileKey
};

try {
    const data = await sourceS3.copyObject(copyParams).promise();
    logger.info('Object copied successfully: ', data);
} catch (err) {
    logger.error('Error while copying file(s): ' + err);
    return res.status(500).send({status: 'Error while copying file(s).'});
}

I can move the file successfully. But if I try to get the uploaded file using an IAM user (with the AmazonS3FullAccess policy) via the AWS SDK, it says access denied. I've even added permission in the bucket policy as well, but to no avail.

When I opened the file using the account's root user, it showed the error below.

Please let me know if I am moving the file between the buckets correctly. Please help me overcome this issue.

Thanks in advance, Siva

2 Answers
0

Hi Siva,

I would like to understand the permissions a little better. But from what I can understand, it seems like a permission issue while getting the object. With which user are you running the GET operation using the SDK? Is it the user in the source account or the destination account?

I would suggest reading through this knowledge article. It provides some guidance on how to handle cross-account data copy in S3.

Hope this helps.

answered a month ago
EXPERT reviewed a month ago
  • The user is in the destination account.

  • Hi Siva,

    Looks like the permissions are not set appropriately in the destination account. It would be useful to share the bucket policy in the destination account.

    The article I shared earlier provides a good overview of what is needed.

  • {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": { "AWS": "arn:aws:iam::<SourceAccount-ID>:user/<SourceUser>" },
                "Action": [
                    "s3:ReplicateObject",
                    "s3:PutObject",
                    "s3:GetObjectAcl",
                    "s3:PutObjectAcl",
                    "s3:GetObject",
                    "s3:PutObjectRetention",
                    "s3:RestoreObject",
                    "s3:DeleteObject"
                ],
                "Resource": "arn:aws:s3:::easedev-fileserver/*"
            }
        ]
    }

  • Hi Mukul,

    I've followed the steps mentioned in https://repost.aws/en/knowledge-center/copy-s3-objects-account post.

    I'm getting an access denied error while trying to upload a file.

    Here is the bucket policy:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": { "AWS": "arn:aws:iam::692352210126:user/s3user" },
                "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:::easedev-fileserver/*",
                "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } }
            },
            {
                "Effect": "Allow",
                "Principal": { "AWS": "arn:aws:iam::692352210126:user/s3user" },
                "Action": "s3:ListBucket",
                "Resource": "arn:aws:s3:::easedev-fileserver"
            }
        ]
    }

    Source account user policy:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:GetObject"],
                "Resource": ["arn:aws:s3:::nww-fileserver-bucket", "arn:aws:s3:::nww-fileserver-bucket/"]
            },
            {
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl"],
                "Resource": ["arn:aws:s3:::easedev-fileserver", "arn:aws:s3:::easedev-fileserver/"]
            }
        ]
    }

0

Hi Siva,

Apologies for the delayed response. When looking at the policy closely, I see that the last line in the source account user policy is missing an asterisk (*). That could be an issue.

I am willing to work with you on this issue if you'd like to give me access to your accounts.

answered a month ago
  • Hi Mukul, thanks for the response. The asterisk (*) was there in the policy; somehow it was not showing properly in the comment.

  • Hi Siva,

    That's weird. I can help if you are OK to provide me access to the accounts. Let me know your thoughts.
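The thread above turns on two things that are easy to get wrong in a cross-account copy: an object-level action (s3:GetObject, s3:PutObject, s3:PutObjectAcl) granted on a bucket ARN without a key pattern matches no object, and an object written into another account's bucket without ACL: 'bucket-owner-full-control' stays owned by the writing account, so the bucket owner's own users get access denied on it (exactly the "get object ACL" error in the question's title). The block below is an added example, not code from the thread, from AWS or from the re:Post article linked above. It is an offline check over constructed sample policies plus a CopyObject parameter builder; the function names, the stub client and the bucket and account values are this example's own inventions, and the only AWS SDK shape it relies on is the v2 copyObject(params).promise() call the question's code already uses.

```javascript
// Added example (not from the original thread or AWS): offline checks for the two
// cross-account copy pitfalls discussed above. All names and sample values below
// are constructed for illustration, not AWS SDK API.

// S3 actions that operate on objects. An Allow statement granting them on a bucket
// ARN without a key pattern (".../*") matches no object at all.
const OBJECT_ACTIONS = new Set([
  's3:GetObject', 's3:PutObject', 's3:GetObjectAcl', 's3:PutObjectAcl',
  's3:DeleteObject', 's3:ReplicateObject', 's3:RestoreObject', 's3:PutObjectRetention',
]);

const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);
// "arn:aws:s3:::bucket/key-or-pattern"; a bare bucket ARN or "bucket/" does not qualify.
const isObjectArn = (r) => /^arn:aws:s3:::[^/]+\/.+$/.test(r);

// Returns findings for a policy document; empty means nothing obvious is wrong.
function lintPolicy(policy) {
  const findings = [];
  for (const stmt of asArray(policy.Statement)) {
    if (stmt.Effect !== 'Allow') continue;
    const actions = asArray(stmt.Action);
    const resources = asArray(stmt.Resource);

    // Finding 1: object-level actions, but every Resource is a bucket ARN.
    if (actions.some((a) => OBJECT_ACTIONS.has(a)) && !resources.some(isObjectArn)) {
      findings.push(`object actions ${JSON.stringify(actions)} granted only on bucket ARNs; add ".../*"`);
    }

    // Finding 2: a bucket policy lets an external principal write objects without
    // requiring bucket-owner-full-control, so the bucket owner cannot read them back.
    if (actions.includes('s3:PutObject') && stmt.Principal !== undefined) {
      const eq = (stmt.Condition && stmt.Condition.StringEquals) || {};
      if (eq['s3:x-amz-acl'] !== 'bucket-owner-full-control') {
        findings.push('s3:PutObject for an external principal without s3:x-amz-acl = bucket-owner-full-control');
      }
    }
  }
  return findings;
}

// CopyObject parameters for a cross-account copy. The ACL grants the destination
// bucket owner full control even when the copy runs under source-account credentials.
function buildCopyParams({ sourceBucket, sourceKey, destinationBucket, folder }) {
  const encodedKey = sourceKey.split('/').map(encodeURIComponent).join('/');
  return {
    Bucket: destinationBucket,
    CopySource: `/${sourceBucket}/${encodedKey}`,
    Key: `${folder}/${sourceKey}`,
    ACL: 'bucket-owner-full-control',
  };
}

// Works with any client exposing the SDK v2 shape copyObject(params).promise():
// a real `new aws.S3({ credentials })` or the recording stub below.
async function copyCrossAccount(s3, opts) {
  const params = buildCopyParams(opts);
  const data = await s3.copyObject(params).promise();
  return { params, data };
}

// Stub client so the example runs offline; it records the parameters it was given.
function makeRecordingClient() {
  const calls = [];
  return {
    calls,
    copyObject(params) {
      calls.push(params);
      return { promise: async () => ({ CopyObjectResult: { ETag: '"constructed-etag"' } }) };
    },
  };
}

// Constructed samples mirroring the shapes posted in the thread (names invented).
const SAMPLE_SOURCE_USER_POLICY = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Action: ['s3:ListBucket', 's3:PutObject', 's3:PutObjectAcl'],
    Resource: ['arn:aws:s3:::dest-bucket-example', 'arn:aws:s3:::dest-bucket-example/'],
  }],
};
const SAMPLE_DEST_BUCKET_POLICY_WEAK = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Principal: { AWS: 'arn:aws:iam::111111111111:user/s3user-example' },
    Action: ['s3:PutObject', 's3:GetObject'],
    Resource: 'arn:aws:s3:::dest-bucket-example/*',
  }],
};
const SAMPLE_DEST_BUCKET_POLICY_FIXED = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Principal: { AWS: 'arn:aws:iam::111111111111:user/s3user-example' },
      Action: 's3:PutObject', Resource: 'arn:aws:s3:::dest-bucket-example/*',
      Condition: { StringEquals: { 's3:x-amz-acl': 'bucket-owner-full-control' } } },
    { Effect: 'Allow', Principal: { AWS: 'arn:aws:iam::111111111111:user/s3user-example' },
      Action: 's3:ListBucket', Resource: 'arn:aws:s3:::dest-bucket-example' },
  ],
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(lintPolicy(SAMPLE_SOURCE_USER_POLICY));      // missing ".../*"
  console.log(lintPolicy(SAMPLE_DEST_BUCKET_POLICY_WEAK));  // missing ACL condition
  console.log(lintPolicy(SAMPLE_DEST_BUCKET_POLICY_FIXED)); // []
  copyCrossAccount(makeRecordingClient(), {
    sourceBucket: 'source-bucket-example', sourceKey: 'report 1.csv',
    destinationBucket: 'dest-bucket-example', folder: 'feed',
  }).then((r) => console.log(r.params));
}
```

Two design points. The source-account user policy check is the one that catches the missing asterisk the second answer points at: with only "arn:aws:s3:::bucket" and "arn:aws:s3:::bucket/" as resources, s3:PutObject and s3:PutObjectAcl are allowed on nothing. The ACL on the copy is what the question's code is missing: it performs the copy with sourceS3, so the object lands owned by the source account; adding ACL: 'bucket-owner-full-control' (which the destination bucket policy in the comments already requires via its Condition) hands control to the destination bucket owner. Issuing the copy with the destination account's assumed-role credentials instead (the targetS3 client the question builds but never uses) avoids the ownership problem in the same way.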
