Why do I receive an Access Denied error when I try to access Amazon S3 using an AWS SDK?

Last updated: 2022-06-15

I can access my Amazon Simple Storage Service (Amazon S3) resources when I use the AWS Command Line Interface (AWS CLI). But, I get an Access Denied error when I use an AWS SDK. How can I fix this?

Resolution

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

Verify your AWS CLI and the AWS SDK credentials

First, check that the AWS CLI and the AWS SDK that you're using are configured with the same credentials. To do this, follow these steps:

To get the credentials configured on the AWS CLI, run this command:

aws iam list-access-keys

If you're using an AWS Identity and Access Management (IAM) role associated with the AWS CLI, run this command to get the role:

aws sts get-caller-identity

To get the credentials configured on the AWS SDK that you're using, run a GetCallerIdentity call using your AWS Security Token Service (AWS STS) client. For example, if you're using AWS SDK for Python (Boto3), run get_caller_identity.

If the AWS CLI and the AWS SDK use different credentials, then use the AWS SDK with the credentials that are stored on the AWS CLI.

Troubleshoot AWS CLI and SDK requests to Amazon S3

If the credentials used by the CLI and the AWS SDK are the same, then continue to troubleshoot by asking these questions:

  • Are the CLI and SDK requests to S3 coming from the same source? That is, check if the requests are from the same Amazon Elastic Compute Cloud (Amazon EC2) instance.
  • If requests are coming from the same source, is the SDK using the intended credentials? For example, if you use AWS SDK for Python (Boto3), the SDK allows you to configure credentials using multiple methods. This means that Boto3 looks in multiple locations for credentials in a specific order. If any incorrect credentials are specified early on, these credentials are used. For more information about the order that Boto3 follows when looking for credentials, see Credentials on the Boto3 SDK website.

Check that your VPC endpoints allow requests to S3

If requests are sent from different sources, check whether the source using the SDK is sending requests through a VPC endpoint. Then, verify that the VPC endpoint allows the request that you're trying to send to Amazon S3.

The VPC endpoint policy in this example allows download and upload permissions for DOC-EXAMPLE-BUCKET. If you're using this VPC endpoint, then you're denied access to any other bucket.

{
  "Statement": [
    {
      "Sid": "Access-to-specific-bucket-only",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ]
    }
  ]
}
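
To see which requests this endpoint policy lets through, the following Python script evaluates it against a few constructed requests. It is an added example, not part of the original article or of any AWS tool. It checks only Effect, Action and Resource, and the function names, object keys and OTHER-EXAMPLE-BUCKET are assumptions made for illustration.

```python
import json
import re

# The VPC endpoint policy from this article, embedded so the example runs offline.
ENDPOINT_POLICY = json.loads("""
{"Statement": [{
    "Sid": "Access-to-specific-bucket-only",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Effect": "Allow",
    "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                 "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"]
}]}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def endpoint_allows(policy, action, resource_arn):
    """Simplified evaluation: Effect, Action and Resource only (assumption:
    no Condition, NotAction, NotResource or Principal restrictions)."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        # Action names are case-insensitive; resource ARNs are case-sensitive.
        if not any(_matches(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny overrides any Allow
        allowed = True
    return allowed  # no matching Allow means an implicit deny

if __name__ == "__main__":
    # Constructed requests: the object keys and OTHER-EXAMPLE-BUCKET are made up.
    for action, arn in [
        ("s3:GetObject", "arn:aws:s3:::DOC-EXAMPLE-BUCKET/report.csv"),
        ("s3:GetObject", "arn:aws:s3:::OTHER-EXAMPLE-BUCKET/report.csv"),
        ("s3:ListBucket", "arn:aws:s3:::DOC-EXAMPLE-BUCKET"),
    ]:
        verdict = "allowed" if endpoint_allows(ENDPOINT_POLICY, action, arn) else "denied"
        print(f"{verdict:8} {action:14} {arn}")
```

The s3:ListBucket request is denied even on DOC-EXAMPLE-BUCKET, so an SDK call that lists objects through this endpoint fails while get and put calls on the same bucket succeed.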

If you don't find any issues in your credentials or source, then review some of the reasons why an Access Denied error might be returned by S3. For more information, see How do I troubleshoot 403 Access Denied errors from Amazon S3?

