I'm able to access Amazon S3 when I use the AWS CLI, but I get an Access Denied error when I use an AWS SDK. Why?

Last updated: 2019-04-03

I'm able to access my Amazon Simple Storage Service (Amazon S3) resources when I use the AWS Command Line Interface (AWS CLI). Why am I getting an Access Denied error when I try to access Amazon S3 using an AWS SDK?

Short Description

Follow these troubleshooting steps when you can access Amazon S3 using the AWS CLI but not an AWS SDK:

  1. Verify that the AWS CLI and the AWS SDK that you're using are configured with the same credentials.
  2. Check if the requests to Amazon S3 using the AWS SDK are allowed by a firewall, HTTP proxy, or Amazon Virtual Private Cloud (Amazon VPC) endpoint.

Resolution

Verify that the AWS CLI and the AWS SDK you're using are configured with the same credentials

To get the credentials configured on AWS CLI, run this command:

aws configure list

If you're using an AWS Identity and Access Management (IAM) role associated with the AWS CLI, run this command to get the role:

aws sts get-caller-identity

To get the credentials configured on the AWS SDK that you're using, run a GetCallerIdentity call using your AWS Security Token Service (STS) client. For example, if you're using AWS SDK for Python (Boto3), run get_caller_identity. For more information on providing credentials to Boto3, see Method Parameters.

If the AWS CLI and the AWS SDK are configured with different credentials, try using the AWS SDK with the credentials that are stored on the AWS CLI.
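The following script is an added example, not part of the original article: it runs aws sts get-caller-identity and Boto3's get_caller_identity from the same process and reports which fields of the two identities differ, along with the credential source Boto3 resolved (its provider "method") and a masked access key ID. It assumes the aws CLI is on PATH and that boto3 is installed; the live calls run only under __main__, and the comparison helpers work offline on the constructed sample identities embedded in the file.

```python
"""Compare the identity resolved by the AWS CLI with the one resolved by Boto3.

Added example (not from the original article). Assumes the `aws` CLI is on
PATH and boto3 is installed; the network calls happen only under __main__.
"""
import json
import subprocess
from typing import Dict, List, Optional

# Fields of a GetCallerIdentity response that must agree between the two tools.
IDENTITY_FIELDS = ("Account", "Arn", "UserId")

# Constructed sample responses (not real accounts) showing a typical mismatch:
# the CLI uses an IAM user, while the SDK picked up an assumed-role session.
SAMPLE_CLI_IDENTITY = {
    "UserId": "AIDAEXAMPLEUSERID",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/alice",
}
SAMPLE_SDK_IDENTITY = {
    "UserId": "AROAEXAMPLEROLEID:app-session",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/app-role/app-session",
}


def mask_access_key(access_key_id: Optional[str]) -> str:
    """Render an access key ID safely for logs: keep the prefix and last 4 chars."""
    if not access_key_id:
        return "<none>"
    if len(access_key_id) <= 8:
        return "*" * len(access_key_id)
    return f"{access_key_id[:4]}...{access_key_id[-4:]}"


def identity_mismatches(cli_identity: Dict[str, str],
                        sdk_identity: Dict[str, str]) -> List[str]:
    """Return the identity fields whose values differ between CLI and SDK."""
    return [f for f in IDENTITY_FIELDS if cli_identity.get(f) != sdk_identity.get(f)]


def cli_caller_identity() -> Dict[str, str]:
    """Run `aws sts get-caller-identity` and parse its JSON output."""
    result = subprocess.run(
        ["aws", "sts", "get-caller-identity", "--output", "json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(result.stdout)


def sdk_caller_identity(profile_name: Optional[str] = None) -> Dict[str, str]:
    """Resolve credentials the way Boto3 does and call GetCallerIdentity with them."""
    import boto3  # imported here so the offline helpers above work without boto3

    session = boto3.session.Session(profile_name=profile_name)
    creds = session.get_credentials()
    if creds is None:
        raise RuntimeError("Boto3 found no credentials in its provider chain")
    # `method` names the provider that won: env, shared-credentials-file, iam-role, ...
    print(f"SDK credential source: {creds.method}, "
          f"access key {mask_access_key(creds.access_key)}")
    return session.client("sts").get_caller_identity()


if __name__ == "__main__":
    cli = cli_caller_identity()
    sdk = sdk_caller_identity()
    diffs = identity_mismatches(cli, sdk)
    if diffs:
        print("CLI and SDK are NOT using the same identity; differing fields:", diffs)
    else:
        print("CLI and SDK resolve to the same identity:", cli["Arn"])
```

Run it from the same shell, user account and working directory as the SDK application: the provider chain reads environment variables and ~/.aws files of the process that runs it, so a different user, a missing AWS_PROFILE, or a service manager that scrubs the environment is enough to produce a different identity than the one the CLI shows.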

Check if the requests to Amazon S3 using the AWS SDK are allowed by a firewall, HTTP proxy, or Amazon VPC endpoint

If the configured credentials are the same, check if the requests to Amazon S3 through the AWS CLI and the AWS SDK are from the same source, such as the same Amazon Elastic Compute Cloud (Amazon EC2) instance.

If the requests are from different sources, check if the source that you're using with the AWS SDK is sending requests through a firewall, HTTP proxy, or an Amazon VPC endpoint. Then, verify that the firewall, HTTP proxy, or VPC endpoint allows the request that you're trying to send to Amazon S3.

For example, the following VPC endpoint policy allows only s3:GetObject and s3:PutObject, and only on the bucket awsexamplebucket. If your requests go through this VPC endpoint, requests to any other bucket (and any other S3 action) are denied.

{
    "Statement": [
        {
            "Sid": "Access-to-specific-bucket-only",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::awsexamplebucket",
                "arn:aws:s3:::awsexamplebucket/*"
            ]
        }
    ]
}
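To check offline whether a given S3 request would pass an endpoint policy like the one in this article, the following added example (not part of the original article, and not AWS's policy engine) implements a simplified IAM-style evaluator: default deny, explicit Deny overrides Allow, case-insensitive action matching and case-sensitive resource matching with * and ? wildcards. It ignores Principal, Condition, NotAction and NotResource, so treat its verdicts as a first check, not an authoritative simulation. The policy from the article is embedded as the test input.

```python
"""Offline check of which S3 requests a VPC endpoint policy lets through.

Added example, not part of the original article. Simplified evaluator:
default deny, explicit Deny wins, wildcard matching. Principal, Condition,
NotAction and NotResource are intentionally not handled.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Union

# The endpoint policy shown in the article, embedded here as test input.
ENDPOINT_POLICY = {
    "Statement": [
        {
            "Sid": "Access-to-specific-bucket-only",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::awsexamplebucket",
                "arn:aws:s3:::awsexamplebucket/*",
            ],
        }
    ]
}


def _as_list(value: Union[str, List[str]]) -> List[str]:
    """Policy elements may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns: Union[str, List[str]], candidate: str,
             case_sensitive: bool) -> bool:
    """Wildcard match ('*' and '?'); IAM actions are matched case-insensitively."""
    if not case_sensitive:
        candidate = candidate.lower()
        return any(fnmatchcase(candidate, p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(candidate, p) for p in _as_list(patterns))


def endpoint_allows(policy: Dict, action: str, resource_arn: str) -> bool:
    """Return True if the endpoint policy permits `action` on `resource_arn`."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if not (_matches(stmt.get("Action", []), action, case_sensitive=False)
                and _matches(stmt.get("Resource", []), resource_arn, case_sensitive=True)):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit Deny overrides any Allow
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed  # no matching Allow means implicit deny


def explain_request(policy: Dict, action: str, bucket: str,
                    key: Optional[str] = None) -> str:
    """Human-readable verdict for a bucket-level or object-level request."""
    arn = f"arn:aws:s3:::{bucket}" + (f"/{key}" if key else "")
    verdict = "allowed" if endpoint_allows(policy, action, arn) else "DENIED"
    return f"{action} on {arn}: {verdict}"


if __name__ == "__main__":
    print(explain_request(ENDPOINT_POLICY, "s3:GetObject", "awsexamplebucket", "report.csv"))
    print(explain_request(ENDPOINT_POLICY, "s3:GetObject", "other-bucket", "report.csv"))
    # Bucket-level operations are not in the Action list, so they are denied too.
    print(explain_request(ENDPOINT_POLICY, "s3:ListBucket", "awsexamplebucket"))
```

The third case is the one that surprises people: an SDK call that lists the bucket before fetching objects fails through this endpoint even though the bucket itself is named in the policy, because only s3:GetObject and s3:PutObject are granted.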
