S3: An error occurred (AccessDenied) when calling the GetObject operation: Access Denied

Lakshmi picture Lakshmi · May 1, 2017 · Viewed 13.9k times · Source

After configure AWSCLI using command aws configure . I'm trying to download files from S3 bucket to local folder test, using following command

aws s3 sync s3://sourceBucket  ./test --delete

but it's throwing following error message

download failed: s3://sourceBucket/jobs/Test/1/slider-test-0.0.1-SNAPSHOT.war to test/jobs/Test/1/slider-test-0.0.1-SNAPSHOT.war An error occurred (AccessDenied) when calling the GetObject operation: Access Denied
download failed: s3://sourceBucket/jobs/Test/2/slider-test-0.0.1-SNAPSHOT.war to test/jobs/Test/2/slider-test-0.0.1-SNAPSHOT.war An error occurred (AccessDenied) when calling the GetObject operation: Access Denied

sourceBucket had following permissions

sourceBucket permissions Image - clickhere

When I check List of objects in sourceBucket using this command

aws s3api list-objects --bucket sourceBucket --query 'Contents[].{Key: Key, Size: Size}'

following is the output of it

[
    {
        "Key": "jobs/Test/1/slider-test-0.0.1-SNAPSHOT.war", 
        "Size": 2546325
    },
    {
        "Key": "jobs/Test/2/slider-test-0.0.1-SNAPSHOT.war", 
        "Size": 3571598
    }
]

could some one let me know how to solve this, I need to download the all objects from s3 sourceBucket to local folder test.

Thank you.

Answer

Chris McLaughlin picture Chris McLaughlin · Oct 1, 2018

If you use KMS to encrypt your S3 files, also make sure the IAM user / role has access to use the appropriate key to decrypt the file. In your KMS dashboard, click on 'Customer Managed Keys' then click on the specific key used for the S3 bucket. You'll then need to add the appropriate accounts / roles to the key policy. For more see: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam