Why am I getting an Access Denied error for ListObjectsV2 when I run the sync command on my Amazon S3 bucket?

3 minute read
2

I'm running the aws s3 sync command to copy objects to or from an Amazon Simple Storage Service (Amazon S3) bucket. However, I'm getting an Access Denied error when I call the ListObjectsV2 operation. How do I resolve this?

Short description

When you run the aws s3 sync command, Amazon S3 issues the following API calls: ListObjectsV2, CopyObject, GetObject, and PutObject.

More specifically, the following happens:

1. Amazon S3 lists the source and destination to check whether the object exists.

2. Amazon S3 then performs the following API calls:

CopyObject call for a bucket to bucket operation
GetObject for a bucket to local operation
PutObject for a local to bucket operation

Note: This resolution assumes that the GetObject and PutObject calls are already granted to the AWS Identity Access Management (IAM) user or role. This resolution addresses how to resolve the Access Denied error caused by improper ListBucket permissions or using incorrect sync command syntax with Requester Pays.

Resolution

Configuring the IAM policy

Verify that you have the permission for s3:ListBucket on the Amazon S3 buckets that you're copying objects to or from. You must have this permission to perform ListObjectsV2 actions.

Note: s3:ListBucket is the name of the permission that allows a user to list the objects in a bucket. ListObjectsV2 is the name of the API call that lists the objects in a bucket.

If your IAM user or role belong to another AWS account, then check whether your IAM and bucket policies permit the s3:ListBucket action. You must have permission to s3:ListBucket on both your IAM policy and bucket policy.

If your user or role belongs to the bucket owner's account, then you don't need both the IAM and bucket policies to allow s3:ListBucket. You need only one of them to allow the action.

Important: If either the IAM policy or bucket policy already allow the s3:ListBucket action, then check the other policy for statements that explicitly deny the action. An explicit deny statement overrides an allow statement.

The following is an example IAM policy that grants access to s3:ListBucket:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Stmt1546506260896",
    "Action": "s3:ListBucket",
    "Effect": "Allow",
    "Resource": "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET"
  }]
}

The following is an example bucket policy that grants the user arn:aws:iam::123456789012:user/testuser access to s3:ListBucket:

{
  "Id": "Policy1546414473940",
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Stmt1546414471931",
    "Action": "s3:ListBucket",
    "Effect": "Allow",
    "Resource": "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET",
    "Principal": {
      "AWS": [
        "arn:aws:iam::123456789012:user/testuser"
      ]
    }
  }]
}

Using the sync command with Requester Pays

If your bucket belongs to another AWS account and has Requester Pays enabled, verify that your bucket policy and IAM permissions both grant ListObjectsV2 permissions. If the ListObjectsV2 permissions are properly granted, then check your sync command syntax. When using the sync command, you must include the --request-payer requester option. Otherwise, you receive an Access Denied error.

For example:

aws s3 sync ./ s3://requester-pays-bucket/ --request-payer requester

Related information

Bucket owner granting cross-account bucket permissions

Bucket policies and user policies

AWS OFFICIAL
AWS OFFICIALUpdated 2 years ago