Why am I getting an Access Denied error for ListObjectsV2 when I run the sync command on my Amazon S3 bucket?

Last updated: 2021-03-26

I'm running the aws s3 sync command to copy objects to or from an Amazon Simple Storage Service (Amazon S3) bucket. However, I'm getting an Access Denied error when I call the ListObjectsV2 operation. How do I resolve this?

Short description

When you run the aws s3 sync command, Amazon S3 issues the following API calls: ListObjectsV2, CopyObject, GetObject, and PutObject.

More specifically, the following happens:

1. Amazon S3 lists the source and destination to check if the object exists.

2. Amazon S3 then performs the following API calls:

   - CopyObject call for a bucket to bucket operation
   - GetObject for a bucket to local operation
   - PutObject for a local to bucket operation

Note: This article assumes that the GetObject and PutObject calls are already granted to the AWS Identity and Access Management (IAM) user or role. This article addresses how to resolve the Access Denied error caused by improper ListBucket permissions.

Resolution

Verify that you have the permission for s3:ListBucket on the Amazon S3 buckets that you're copying objects to or from. You must have this permission to perform ListObjectsV2 actions.

Note: s3:ListBucket is the name of the permission that allows a user to list the objects in a bucket. ListObjectsV2 is the name of the API call that lists the objects in a bucket.

If your IAM user or role belongs to another AWS account, then check whether your IAM and bucket policies permit the s3:ListBucket action. You must have permission to s3:ListBucket on both your IAM policy and bucket policy.

If your user or role belongs to the bucket owner's account, then you don't need both the IAM and bucket policies to allow s3:ListBucket. You need only one of them to allow the action.

Important: If either the IAM policy or the bucket policy already allows the s3:ListBucket action, then check the other policy for any statements that explicitly deny the action. An explicit deny statement overrides an allow statement.

The following is an example IAM policy that grants access to s3:ListBucket:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Stmt1546506260896",
    "Action": "s3:ListBucket",
    "Effect": "Allow",
    "Resource": "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET"
  }]
}

The following is an example bucket policy that grants the user arn:aws:iam::123456789012:user/testuser access to s3:ListBucket:

{
  "Id": "Policy1546414473940",
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Stmt1546414471931",
    "Action": "s3:ListBucket",
    "Effect": "Allow",
    "Resource": "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET",
    "Principal": {
      "AWS": [
        "arn:aws:iam::123456789012:user/testuser"
      ]
    }
  }]
}
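
The rules above (an explicit deny overrides an allow, one allow is enough in the same account, both policies must allow across accounts) can be checked offline with the following added example, which is not AWS code. It is a simplified model with hypothetical helper names: it ignores Condition, NotAction, NotResource, NotPrincipal, account-root principals, SCPs, permissions boundaries, and session policies. It also goes slightly beyond the text by showing that a Resource of bucket/* does not match the bucket ARN that s3:ListBucket is evaluated against.

```python
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource, principal=None):
    # Action names are case-insensitive; "*" and "?" are wildcards.
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
               for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(fnmatch.fnmatchcase(resource, r)
               for r in _as_list(stmt.get("Resource", []))):
        return False
    if principal is None:          # identity (IAM) policy: no Principal element
        return True
    p = stmt.get("Principal", {})
    arns = ["*"] if p == "*" else _as_list(p.get("AWS", []))
    return "*" in arns or principal in arns

def _effects(policy, action, resource, principal=None):
    # Set of effects ("Allow"/"Deny") from every statement that applies.
    return {s["Effect"] for s in _as_list(policy.get("Statement", []))
            if _matches(s, action, resource, principal)}

def can_list_bucket(iam_policy, bucket_policy, bucket, principal, same_account):
    action, resource = "s3:ListBucket", f"arn:aws:s3:::{bucket}"
    iam = _effects(iam_policy, action, resource)
    bkt = _effects(bucket_policy, action, resource, principal)
    if "Deny" in iam or "Deny" in bkt:          # explicit deny overrides any allow
        return False
    if same_account:                            # one allow is enough
        return "Allow" in iam or "Allow" in bkt
    return "Allow" in iam and "Allow" in bkt    # cross-account: both must allow

# Constructed sample policies modelled on the article's examples.
BUCKET, USER = "AWSDOC-EXAMPLE-BUCKET", "arn:aws:iam::123456789012:user/testuser"
ARN = f"arn:aws:s3:::{BUCKET}"
EMPTY = {"Statement": []}
IAM_ALLOW = {"Statement": [{"Effect": "Allow", "Action": "s3:ListBucket", "Resource": ARN}]}
IAM_OBJECTS_ONLY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": ARN + "/*"}]}
BKT_ALLOW = {"Statement": [{"Effect": "Allow", "Action": "s3:ListBucket", "Resource": ARN,
                            "Principal": {"AWS": [USER]}}]}
BKT_DENY = {"Statement": [{"Effect": "Deny", "Action": "s3:List*", "Resource": ARN,
                           "Principal": "*"}]}

if __name__ == "__main__":
    print(can_list_bucket(IAM_ALLOW, EMPTY, BUCKET, USER, same_account=False))
```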