I'm able to access Amazon S3 when I use the AWS CLI, but I get an Access Denied error when I use an AWS SDK. Why?

Last updated: 2020-10-22

I'm able to access my Amazon Simple Storage Service (Amazon S3) resources when I use the AWS Command Line Interface (AWS CLI), but I get an Access Denied error when I use an AWS SDK. How can I fix this?

Short description

Follow these troubleshooting steps when you can access Amazon S3 using the AWS CLI but not an AWS SDK:

  1. Verify that the AWS CLI and the AWS SDK that you're using are configured with the same credentials.
  2. Check if the AWS SDK requests to Amazon S3 are allowed by a firewall, HTTP proxy, or Amazon Virtual Private Cloud (Amazon VPC) endpoint.

Resolution

Verify that the AWS CLI and the AWS SDK that you're using are configured with the same credentials

To get the credentials configured on the AWS CLI, run this command:

aws iam list-access-keys

Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent version of the AWS CLI.

If you're using an AWS Identity and Access Management (IAM) role associated with the AWS CLI, run this command to get the role:

aws sts get-caller-identity

To get the credentials configured on the AWS SDK that you're using, run a GetCallerIdentity call using your AWS Security Token Service (AWS STS) client. For example, if you're using AWS SDK for Python (Boto3), run get_caller_identity.

If the AWS CLI and the AWS SDK use different credentials, try using the AWS SDK with the credentials that are stored on the AWS CLI.

Check if the AWS SDK requests to Amazon S3 are allowed by a firewall, HTTP proxy, or Amazon VPC endpoint

If the configured credentials are the same, then check if the requests to Amazon S3 through the AWS CLI and the AWS SDK are from the same source. For example, check if the requests are from the same Amazon Elastic Compute Cloud (Amazon EC2) instance.

If the requests are from different sources, then check if the source using the AWS SDK is sending requests through a firewall, HTTP proxy, or a VPC endpoint. Then, verify that the firewall, HTTP proxy, or VPC endpoint allows the request that you're trying to send to Amazon S3.

For example, the following VPC endpoint policy allows only download (s3:GetObject) and upload (s3:PutObject) permissions for DOC-EXAMPLE-BUCKET. If your requests go through this VPC endpoint, you're denied access to any other bucket.

{
    "Statement": [
        {
            "Sid": "Access-to-specific-bucket-only",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            ]
        }
    ]
}
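To see concretely which SDK calls that endpoint policy lets through, here is a small evaluator added for this article (not AWS code, and a simplification of IAM evaluation: it handles Allow and Deny statements with '*' and '?' wildcards plus the explicit-deny-wins rule, and ignores Principal and Condition). The object key and the second bucket name are constructed.

```python
import json
import re

# Constructed copy of the VPC endpoint policy shown in the article above.
ENDPOINT_POLICY = json.loads("""
{"Statement": [{
    "Sid": "Access-to-specific-bucket-only",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Effect": "Allow",
    "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                 "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"]
}]}
""")

def _as_list(value):
    # IAM allows Action/Resource to be a single string or a list; normalise.
    return value if isinstance(value, list) else [value]

def _wildcard_match(pattern, value, ignore_case=False):
    # IAM policy wildcards are only '*' (any run) and '?' (one character);
    # every other pattern character is literal, so escape it for the regex.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def evaluate(policy, action, resource):
    """Return ('Allow' | 'Deny', reason) for one request against the policy.
    Simplified IAM logic: explicit Deny beats Allow, and anything no statement
    matches is an implicit Deny. Principal and Condition are not evaluated."""
    decision, reason = "Deny", "implicit deny: no statement matches"
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are not.
        if not any(_wildcard_match(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if stmt["Effect"] == "Deny":
            return "Deny", f"explicit deny by statement {sid}"
        decision, reason = "Allow", f"allowed by statement {sid}"
    return decision, reason

def check_sdk_workflow(policy, bucket, key):
    """Evaluate the calls an SDK helper typically makes (list, get, put); returns {action: decision}."""
    requests = [("s3:ListBucket", f"arn:aws:s3:::{bucket}"),
                ("s3:GetObject", f"arn:aws:s3:::{bucket}/{key}"),
                ("s3:PutObject", f"arn:aws:s3:::{bucket}/{key}")]
    return {action: evaluate(policy, action, res)[0] for action, res in requests}
```

Running `check_sdk_workflow(ENDPOINT_POLICY, "DOC-EXAMPLE-BUCKET", "report.csv")` shows that s3:ListBucket is denied even on the permitted bucket, so an SDK helper that lists the bucket before downloading gets Access Denied there while a plain GetObject succeeds.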
