If you are seeing this "API: s3:CreateBucket Access Denied" error both with and without setting the bucket policy and Ownership Controls, that means the role/user is missing the permissions to create a bucket.
The IAM role/user should have the following permissions:
- s3:CreateBucket
- s3:PutBucketAcl
Make sure the Resource part of the role policy allows the bucket name/pattern you are trying to create.
Try adding the following to your template (especially when you are also putting ACL options in the template):
```yaml
OwnershipControls:
  Rules:
    - ObjectOwnership: BucketOwnerPreferred
```
Additionally, make sure that the CreateBucket action is not denied in a Service Control Policy or being limited through a permissions boundary.
Even if I add Ownership, it throws AccessDenied when I have the AccessControl: AuthenticatedRead property set. Also, I tried setting the policy as you mentioned (below), but it throws "Malformed Policy Error". Not sure what I am doing wrong.
```yaml
TestBucketPolicy:
  Type: 'AWS::S3::BucketPolicy'
  Properties:
    Bucket: !Ref TestBucket
    PolicyDocument:
      Statement:
        - Action:
            - 's3:GetObject'
          Effect: Allow
          Principal:
            AWS:
              - !Sub "arn:aws:iam::${AWS::AccountId}:root"
          Resource:
            - !Sub 'arn:${AWS::Partition}:s3:::${TestBucket}/'
          Sid: AllowRead
        - Action:
            - 's3:CreateBucket'
            - 's3:PutBucketAcl'
          Effect: Allow
          Principal: ''
          # AWS:
          #   - !Sub "arn:aws:iam::${AWS::AccountId}:root"
          Resource:
            - !Sub 'arn:${AWS::Partition}:s3:::${TestBucket}'
          Sid: AllowPermissions
```
No, that's not how I asked to add it. I mentioned that if you are creating a CloudFormation stack, then your role should have those two permissions, or if a CloudFormation role is attached to the stack, then the CloudFormation role should have access to create the S3 bucket and put the ACL and bucket policy on the bucket.
Add the following policy to the IAM role or CloudFormation role, not in the bucket policy permissions. You are getting access denied while creating the bucket policy, the bucket ACL, or the bucket itself.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:List*",
        "s3:Get*",
        "s3:CreateBucket",
        "s3:PutBucketPolicy",
        "s3:PutBucketAcl"
      ],
      "Resource": "*"
    }
  ]
}
```
Once you attach this permission as a policy to your IAM role/CloudFormation role, you should be able to create the bucket, bucket policy and ACL.
Also, remove the complete "Sid: AllowRead" block. A bucket policy allows/denies object-level permissions, not bucket-level permissions, so remove bucket-level permissions such as 's3:CreateBucket' and 's3:PutBucketAcl' from the bucket policy in your CloudFormation template.
Let me know how it goes, happy to help.
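The answer above and its follow-up make three checks: the role's identity policy must allow s3:CreateBucket, s3:PutBucketAcl and s3:PutBucketPolicy on the bucket ARN, the Resource element must actually match the bucket name, and no Service Control Policy or permissions boundary may deny or fail to allow the action. The following is an added example, not code from the thread or from AWS: a small offline model of that evaluation logic (explicit Deny wins, otherwise every applicable policy layer must Allow). Conditions, NotAction/NotResource, session policies and resource-based policies are deliberately not modelled, and all policy documents and ARNs in it are constructed sample data.

```python
"""Simplified, offline model of IAM authorization for the S3 bucket actions
a CloudFormation role needs. Added example; not AWS's evaluation engine."""
from fnmatch import fnmatchcase

# Constructed copy of the identity policy recommended in the answer above.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ["s3:List*", "s3:Get*", "s3:CreateBucket",
                   "s3:PutBucketPolicy", "s3:PutBucketAcl"],
        "Resource": "*",
    }],
}

# Constructed policy whose Resource only matches buckets named prod-*:
# the "Resource part must allow the bucket name" case from the answer.
NARROW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:CreateBucket", "s3:PutBucketAcl", "s3:PutBucketPolicy"],
        "Resource": "arn:aws:s3:::prod-*",
    }],
}

# Constructed SCP that denies bucket ACL changes org-wide, the kind of
# guardrail the answer says to look for when the role policy looks fine.
SCP_DENY_ACL = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:PutBucketAcl", "Resource": "*"},
    ],
}

REQUIRED_ACTIONS = ("s3:CreateBucket", "s3:PutBucketAcl", "s3:PutBucketPolicy")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    # IAM treats '*' and '?' as wildcards in Action and Resource values.
    return any(fnmatchcase(candidate, p) for p in patterns)


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one policy document."""
    decision = "ImplicitDeny"
    for stmt in policy.get("Statement", []):
        if "NotAction" in stmt or "NotResource" in stmt:
            continue  # not modelled here; treated as a non-matching statement
        # Action names are case-insensitive; resource ARNs are case-sensitive.
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not _matches(actions, action.lower()):
            continue
        if not _matches(_as_list(stmt.get("Resource", [])), resource):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"  # an explicit Deny always wins
        decision = "Allow"
    return decision


def is_authorized(action, resource, identity_policy, scp=None, boundary=None):
    """Explicit Deny in any layer -> False; otherwise the identity policy and
    every SCP/permissions boundary that is present must each Allow."""
    layers = [identity_policy] + [p for p in (scp, boundary) if p is not None]
    results = [evaluate(p, action, resource) for p in layers]
    if "Deny" in results:
        return False
    return all(r == "Allow" for r in results)


def missing_permissions(bucket_arn, identity_policy, scp=None, boundary=None):
    """Required S3 actions the role cannot perform on bucket_arn."""
    return [a for a in REQUIRED_ACTIONS
            if not is_authorized(a, bucket_arn, identity_policy, scp, boundary)]


if __name__ == "__main__":
    bucket = "arn:aws:s3:::example-test-bucket"  # constructed bucket ARN
    print("role policy only:", missing_permissions(bucket, ROLE_POLICY))
    print("narrow Resource:", missing_permissions(bucket, NARROW_POLICY))
    print("deny-ACL SCP:", missing_permissions(bucket, ROLE_POLICY, scp=SCP_DENY_ACL))
```

Run it as a script to see the three cases: the recommended policy leaves nothing missing, the narrow Resource pattern leaves all three actions missing even though the Action list is complete, and the SCP turns only s3:PutBucketAcl into an AccessDenied, which matches the symptom of the error appearing only when AccessControl is set on the bucket.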
Thanks a lot for your prompt response. Everything works fine, if I just remove the AccessControl: AuthenticatedRead. I don't have to add any other policy or role. Only when I have this property, I run into problems.
Yes, that's because your IAM user/role or CloudFormation role doesn't have permission to put bucket ACLs. Once you add that permission to your role (or to the CloudFormation role, if one is being used), this error would go away too.
If this answers your question, please accept the answer for better community experience.
As mentioned earlier, I tried adding that in the same SAM template, but it didn't work.
Can you please add your CFN template here as well.