I'm able to access Amazon S3 when I use the AWS CLI, but I get an Access Denied error when I use an AWS SDK. Why?

Last updated: 2021-01-27

I'm able to access my Amazon Simple Storage Service (Amazon S3) resources when I use the AWS Command Line Interface (AWS CLI). However, I get an Access Denied error when I use an AWS SDK. How can I fix this?

Short description

Follow these troubleshooting steps when you can access Amazon S3 using the AWS CLI but not an AWS SDK:

1. Verify that the AWS CLI and the AWS SDK that you're using are configured with the same credentials.

2. Check that the AWS SDK requests to Amazon S3 are allowed by a firewall, HTTP proxy, or Amazon Virtual Private Cloud (Amazon VPC) endpoint.

Resolution

Verify that the AWS CLI and the AWS SDK that you're using are configured with the same credentials

To get the credentials configured on the AWS CLI, run this command:

aws iam list-access-keys

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

If you're using an AWS Identity and Access Management (IAM) role associated with the AWS CLI, run this command to get the role:

aws sts get-caller-identity

To get the credentials configured on the AWS SDK that you're using, run a GetCallerIdentity call using your AWS Security Token Service (AWS STS) client. For example, if you're using AWS SDK for Python (Boto3), run get_caller_identity.

If the AWS CLI and the AWS SDK use different credentials, try using the AWS SDK with the credentials that are stored on the AWS CLI.

Check that the AWS CLI or SDK requests to Amazon S3 are allowed by a firewall, HTTP proxy, or Amazon VPC endpoint

If the configured credentials are the same, check if the CLI or SDK requests to S3 are also coming from the same source. For example, check if the requests are from the same Amazon Elastic Compute Cloud (Amazon EC2) instance.

If the requests come from the same source with the same credentials, confirm that the SDK is actually resolving the credentials you intend. For example, AWS SDK for Python (Boto3) lets you configure credentials in several ways, so Boto3 searches multiple locations for credentials in a fixed order.

Note: Because Boto3 searches for credentials in a specific order, any incorrect credentials found earlier in that order are used instead of the ones you intend. Therefore, make sure that the correct credentials are specified in the locations that Boto3 checks first. For more information about the order in which Boto3 looks for credentials, see Credentials on the Boto3 SDK website.

If you confirmed that the correct credentials and permissions are used but you still receive an Access Denied error, troubleshoot the error. For more information about how to troubleshoot different root causes of the error, see How do I troubleshoot 403 Access Denied errors from Amazon S3?

If requests are sent from different sources, check whether the source using the SDK is sending requests through a firewall, HTTP proxy, or VPC endpoint. Then, verify that the firewall, HTTP proxy, or VPC endpoint allows the request that you're trying to send to Amazon S3.

For example, the following VPC endpoint policy allows only downloads from (s3:GetObject) and uploads to (s3:PutObject) DOC-EXAMPLE-BUCKET. If your requests go through this VPC endpoint, you're denied access to any other bucket, and S3 actions other than these two are not allowed through the endpoint either.

{
    "Statement": [
        {
            "Sid": "Access-to-specific-bucket-only",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            ]
        }
    ]
}
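To make the two checks in this article concrete, here is an added Python example (not AWS's code) that compares the identity the CLI reported with the one the SDK resolved, and evaluates the endpoint policy above against the exact action and bucket the SDK is calling. The identities are constructed samples, and endpoint_allows is a simplified matcher of this example's own that ignores Condition keys.

```python
"""Offline check for the two causes the article names: the CLI and SDK using
different credentials, and a VPC endpoint policy that does not cover the S3
action or bucket the SDK calls. Added example, not AWS code."""
import fnmatch
import json

# Constructed sample of `aws sts get-caller-identity` output from the CLI.
CLI_IDENTITY_JSON = ('{"UserId": "AIDAEXAMPLECLI", "Account": "111122223333", '
                     '"Arn": "arn:aws:iam::111122223333:user/cli-user"}')
# Constructed sample of the dict sts.get_caller_identity() returned in the SDK
# process; in a live check use boto3.client("sts").get_caller_identity() instead.
SDK_IDENTITY = {"UserId": "AIDAEXAMPLESDK", "Account": "111122223333",
                "Arn": "arn:aws:iam::111122223333:user/app-user"}
# The endpoint policy from the article: Get/Put on DOC-EXAMPLE-BUCKET only.
ENDPOINT_POLICY = {"Statement": [{
    "Sid": "Access-to-specific-bucket-only", "Principal": "*", "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET", "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"]}]}

def same_identity(cli_json, sdk_identity):
    """True when the CLI and the SDK resolved to the same principal ARN."""
    return json.loads(cli_json)["Arn"] == sdk_identity["Arn"]

def _matches(value, patterns):
    # IAM-style wildcard match ('*' and '?'); '*' also spans '/' as in IAM.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def endpoint_allows(policy, action, resource_arn):
    """Simplified evaluation without Condition keys: an explicit Deny wins,
    otherwise the request needs at least one matching Allow statement."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(action, stmt["Action"]) and _matches(resource_arn, stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def diagnose(cli_json, sdk_identity, policy, action, resource_arn):
    """Run both checks; an empty list means neither cause applies."""
    findings = []
    if not same_identity(cli_json, sdk_identity):
        findings.append("CLI and SDK resolve to different principals; check the SDK's credential source")
    if not endpoint_allows(policy, action, resource_arn):
        findings.append(f"VPC endpoint policy does not allow {action} on {resource_arn}")
    return findings
```

Call diagnose with the action and object ARN your SDK code uses, for example diagnose(CLI_IDENTITY_JSON, SDK_IDENTITY, ENDPOINT_POLICY, "s3:GetObject", "arn:aws:s3:::other-bucket/report.csv"), which reports both causes for the constructed samples above.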
