I can access my Amazon Simple Storage Service (Amazon S3) resources when I use the AWS Command Line Interface (AWS CLI). But, I get an Access Denied error when I use an AWS SDK. How can I fix this?
Resolution
Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.
Verify your AWS CLI and the AWS SDK credentials
First, check that the AWS CLI and the AWS SDK that you're using are configured with the same credentials. To do this, follow these steps:
To get the credentials configured on AWS CLI, run this command:
aws iam list-access-keys
If you're using an AWS Identity and Access Management (IAM) role associated with the AWS CLI, run this command to get the role:
aws sts get-caller-identity
To get the credentials configured on the AWS SDK that you're using, run a GetCallerIdentity call using your AWS Security Token Service (AWS STS) client. For example, if you're using AWS SDK for Python (Boto3), run get_caller_identity.
If the AWS CLI and the AWS SDK use different credentials, then use the AWS SDK with the credentials that are stored on the AWS CLI.
Troubleshoot AWS CLI and SDK requests to Amazon S3
If the credentials used by the CLI and the AWS SDK are the same, then continue to troubleshoot by asking these questions:
- Are the CLI and SDK requests to S3 coming from the same source? That is, check if the requests are from the same Amazon Elastic Compute Cloud (Amazon EC2) instance.
- If requests are coming from the same source, is the SDK using the intended credentials? For example, if you use AWS SDK for Python (Boto3), the SDK allows you to configure credentials using multiple methods. This means that Boto3 looks in multiple locations for credentials in a specific order, and the first credentials it finds are used, even if they are not the ones you intended. For more information about the order that Boto3 follows when looking for credentials, see Credentials on the Boto3 SDK website.
Check that your VPC endpoints allow requests to S3
If requests are sent from different sources, check whether the source using the SDK is sending requests through a VPC endpoint. Then, verify that the VPC endpoint allows the request that you're trying to send to Amazon S3.
The VPC endpoint policy in this example allows download and upload permissions for DOC-EXAMPLE-BUCKET. If you're using this VPC endpoint, then you're denied access to any other bucket.
{
  "Statement": [
    {
      "Sid": "Access-to-specific-bucket-only",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ]
    }
  ]
}
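The two checks above (comparing the CLI and SDK caller identities, and checking whether the VPC endpoint policy covers the bucket you are calling) as an added, offline Python example; it is not AWS or Boto3 code. The GetCallerIdentity responses are constructed sample data standing in for the live CLI and Boto3 calls, and the policy evaluation is a deliberate simplification that handles only Allow statements with wildcards (no Deny, Principal or Condition logic).

```python
import fnmatch

# Constructed sample: the JSON that `aws sts get-caller-identity` printed.
CLI_IDENTITY = {
    "Account": "111122223333",
    "Arn": "arn:aws:iam::111122223333:user/cli-user",
}
# Constructed sample: what sts.get_caller_identity() returned in Boto3. A key
# found earlier in Boto3's credential chain was used instead of the CLI profile.
SDK_IDENTITY = {
    "Account": "111122223333",
    "Arn": "arn:aws:iam::111122223333:user/old-dev-user",
}

def compare_identities(cli, sdk):
    """Return (same, detail) for two GetCallerIdentity responses. Same account
    but a different Arn is the classic 'CLI works, SDK is denied' symptom."""
    same = cli["Account"] == sdk["Account"] and cli["Arn"] == sdk["Arn"]
    detail = "match" if same else f"CLI={cli['Arn']} SDK={sdk['Arn']}"
    return same, detail

# The VPC endpoint policy from the article, as a Python dict.
ENDPOINT_POLICY = {
    "Statement": [{
        "Sid": "Access-to-specific-bucket-only",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Effect": "Allow",
        "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                     "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"],
    }]
}

def _matches(patterns, value):
    """IAM-style wildcard match (* and ?) against one pattern or a list."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def endpoint_policy_allows(policy, action, resource):
    """True if an Allow statement covers both the action and the resource.
    Simplified: Deny statements, Principal and Condition are not evaluated."""
    return any(
        stmt.get("Effect") == "Allow"
        and _matches(stmt["Action"], action)
        and _matches(stmt["Resource"], resource)
        for stmt in policy["Statement"]
    )
```

Run compare_identities against the real responses from both tools; a mismatch means the SDK resolved different credentials, and endpoint_policy_allows shows why a request to any bucket other than DOC-EXAMPLE-BUCKET through this endpoint is denied.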
If you don't find any issues in your credentials or source, then review some of the reasons why an Access Denied error might be returned by S3. For more information, see How do I troubleshoot 403 Access Denied errors from Amazon S3?
Related information
Identity and access management in Amazon S3