Why am I getting Access Denied errors on ListObjects or ListObjectsV2 actions when I run a sync command on my Amazon S3 bucket?

Last updated: 2020-05-29

I'm running the aws s3 sync command to copy directories and prefixes on my local system to an Amazon Simple Storage Service (Amazon S3) bucket, or from one bucket to another bucket. However, I'm getting Access Denied errors on ListObjects or ListObjectsV2 actions during the operation. How can I fix this?

Resolution

Verify that you have the permission for s3:ListBucket on the Amazon S3 buckets that you're copying objects to or from. You must have this permission to perform ListObjects or ListObjectsV2 actions.

Note: s3:ListBucket is the name of the permission that allows a user to list the objects in a bucket. ListObjects or ListObjectsV2 is the name of the API call that lists the objects in a bucket.

If your AWS Identity and Access Management (IAM) user or role belongs to the same AWS account as the bucket, then check whether your IAM policy or the bucket policy allows you to use the s3:ListBucket action. If you belong to the same account, then you don't need both the IAM policy and the bucket policy to allow s3:ListBucket. You need only one of them to allow the action.

Important: If either the IAM policy or the bucket policy already allows the s3:ListBucket action, then check the other policy for any statements that explicitly deny the action. An explicit deny statement overrides an allow statement.

If your IAM user or role belongs to a different account than the S3 bucket, then both your IAM policy and the bucket policy must allow s3:ListBucket.

The following is an example IAM policy that grants access to s3:ListBucket:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Stmt1546506260896",
    "Action": "s3:ListBucket",
    "Effect": "Allow",
    "Resource": "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET"
  }]
}

The following is an example bucket policy that grants the user arn:aws:iam::123456789012:user/testuser access to s3:ListBucket:

{
  "Id": "Policy1546414473940",
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Stmt1546414471931",
    "Action": "s3:ListBucket",
    "Effect": "Allow",
    "Resource": "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET",
    "Principal": {
      "AWS": [
        "arn:aws:iam::123456789012:user/testuser"
      ]
    }
  }]
}
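
The decision rules above (one allow is enough in the same account, both policies must allow across accounts, and an explicit deny always wins) can be checked offline against policy documents with a small script. This is an added example, not AWS code or part of the original article. It is a simplification that assumes only Effect, Action, Resource and Principal matter (Condition, NotAction, permissions boundaries and SCPs are ignored), and the function names and the BUCKET_DENY and NO_STATEMENTS policies are constructed for illustration.

```python
import fnmatch

ACTION = "s3:ListBucket"
BUCKET = "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET"
USER = "arn:aws:iam::123456789012:user/testuser"

# The two example policies from this article, plus constructed variants.
IAM_ALLOW = {"Version": "2012-10-17", "Statement": [
    {"Action": ACTION, "Effect": "Allow", "Resource": BUCKET}]}
BUCKET_ALLOW = {"Version": "2012-10-17", "Statement": [
    {"Action": ACTION, "Effect": "Allow", "Resource": BUCKET,
     "Principal": {"AWS": [USER]}}]}
BUCKET_DENY = {"Version": "2012-10-17", "Statement": [      # constructed
    {"Action": "s3:*", "Effect": "Deny", "Resource": BUCKET,
     "Principal": {"AWS": [USER]}}]}
NO_STATEMENTS = {"Version": "2012-10-17", "Statement": []}  # constructed

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers(stmt, principal):
    """True if the statement applies to s3:ListBucket on BUCKET (and to principal, if given)."""
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    if not any(fnmatch.fnmatchcase(ACTION.lower(), a) for a in actions):
        return False
    if not any(fnmatch.fnmatchcase(BUCKET, r) for r in _as_list(stmt.get("Resource", []))):
        return False
    if principal is None:            # identity policy: no Principal element
        return True
    p = stmt.get("Principal")
    aws = ["*"] if p == "*" else _as_list(p.get("AWS", [])) if isinstance(p, dict) else []
    return "*" in aws or principal in aws

def verdict(policy, principal=None):
    """Return 'deny', 'allow' or 'none' for a single policy document."""
    effects = {s["Effect"] for s in _as_list(policy.get("Statement", []))
               if _covers(s, principal)}
    return "deny" if "Deny" in effects else "allow" if "Allow" in effects else "none"

def can_list_bucket(iam_policy, bucket_policy, principal, same_account):
    iam, bkt = verdict(iam_policy), verdict(bucket_policy, principal)
    if "deny" in (iam, bkt):         # an explicit deny overrides any allow
        return False
    if same_account:                 # same account: one allow is enough
        return "allow" in (iam, bkt)
    return iam == "allow" and bkt == "allow"  # cross-account: both must allow
```

Calling can_list_bucket(IAM_ALLOW, NO_STATEMENTS, USER, same_account=False) returns False, which is the cross-account case where the sync command fails on ListObjectsV2 even though the IAM policy looks correct.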
