Aws-cli: aws s3 cp raises error 403 instead of 404 when key does not exist

Created on 21 Dec 2015 · 9 Comments · Source: aws/aws-cli

Correct (when trying from Mac with several aws-cli versions):

Bob@Bob:~/Downloads » aws s3 cp s3://my-bucket/my-not-existing-key /tmp
A client error (404) occurred when calling the HeadObject operation: Key "my-not-existing-key" does not exist
Completed 1 part(s) with ... file(s) remaining

Incorrect when trying on Ubuntu from within EC2:

root@ip-10-4-5-103:~# aws s3 cp s3://my-bucket/my-not-existing-key /tmp
A client error (403) occurred when calling the HeadObject operation: Forbidden
Completed 1 part(s) with ... file(s) remaining
root@ip-10-4-5-103:~# aws s3 cp s3://my-bucket/my-existing-key /tmp
download: s3://my-bucket/my-existing-key to ../tmp/my-existing-key
root@ip-10-4-5-103:~# aws --version
aws-cli/1.9.14 Python/2.7.6 Linux/3.13.0-68-generic botocore/1.3.14

It should be 404 in both cases, not 403.

Labels: closing-soon, guidance, s3, service-api

All 9 comments

You'll get a 403 whenever you don't have access to the bucket, so I'd double check that the credentials on the EC2 instance allow access to the S3 bucket (you can try the low level command: aws s3api head-object --bucket my-bucket --key my-not-existing-key). The CLI is directly returning what HTTP status code S3 returns to us.

Just tested this again and I do get a 403 where a 404 would be expected.

ubuntu@ip-10-2-5-112:~$ aws --version
aws-cli/1.9.15 Python/2.7.6 Linux/3.13.0-68-generic botocore/1.3.15
ubuntu@ip-10-2-5-112:~$ aws s3api head-object --bucket fun_stuff --key my-not-existing-key

A client error (403) occurred when calling the HeadObject operation: Forbidden
ubuntu@ip-10-2-5-112:~$ aws s3api head-object --bucket fun_stuff --key my-existing-key
{
    "AcceptRanges": "bytes",
    "ContentType": "binary/octet-stream",
    "LastModified": "Tue, 22 Dec 2015 14:06:17 GMT",
    "ContentLength": 2799,
    "ETag": "\"9526a481999bf5af31a358dbe68cbe4f\"",
    "Metadata": {}
}
ubuntu@ip-10-2-5-112:~$

The test was done on an instance with an IAM role policy of (non-relevant parts removed):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::fun_stuff/*",
...
            ]
        },
...

Repeating the test on my Mac gave the right response (404):

Orjans-MacBook-Pro:~ austvold$ aws --version
aws-cli/1.9.2 Python/2.7.10 Darwin/15.0.0 botocore/1.3.2
Orjans-MacBook-Pro:~ austvold$ aws s3api head-object --bucket fun_stuff --key my-not-existing-key

A client error (404) occurred when calling the HeadObject operation: Not Found
Orjans-MacBook-Pro:~ austvold$ aws s3api head-object --bucket fun_stuff --key my-existing-key
{
    "AcceptRanges": "bytes",
    "ContentType": "binary/octet-stream",
    "LastModified": "Tue, 22 Dec 2015 14:06:17 GMT",
    "ContentLength": 2799,
    "ETag": "\"9526a481999bf5af31a358dbe68cbe4f\"",
    "Metadata": {}
}
Orjans-MacBook-Pro:~ austvold$

To get the same error code you'll need to have the s3:ListBucket permission for the arn:aws:s3:::fun_stuff resource (you only have arn:aws:s3:::fun_stuff/*).

The 403/404 response comes directly from S3 and the CLI doesn't do any special processing of the http status code. From the S3 reference docs:

If you have the s3:ListBucket permission on the bucket, Amazon S3 will return a HTTP status code 404 ("no such key") error.
If you don't have the s3:ListBucket permission, Amazon S3 will return a HTTP status code 403 ("access denied") error.

Let me know if you're still having issues.

Thanks for explaining the reason for this issue.

Just verified your solution and I now get the expected 404 Not Found error.

I also received the error "A client error (403) occurred when calling the HeadObject operation: Forbidden" when trying to do "aws s3 cp" but the cause was clock skew. My local machine was 4 hours off from the AWS servers. Running "aws s3 ls" generated the proper error message "An error occurred (RequestTimeTooSkewed) when calling the ListObjects operation: The difference between the request time and the current time is too large.".
aws-cli/1.11.6 Python/2.6.6 Linux/2.6.32-642.6.1.el6.x86_64 botocore/1.4.63

@martinthurn-LFT
Hello, how much time skew would make it return 403?

@wszgxa I think the signature expires within 15 minutes of when the signer thought the time was. So if signer is more than 15 minutes behind AWS, it should fail consistently.
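As an added diagnostic (not part of this thread or of the aws-cli code), the Python check below covers both causes of a bare 403 from HeadObject discussed here: a role policy that grants s3:List* only on arn:aws:s3:::bucket/* rather than on the bucket ARN itself, and a local clock outside the roughly 15-minute signature window relative to the Date header S3 returns. It assumes the policy document is available as a dict (for example from `aws iam get-role-policy`); the BROKEN and FIXED policies are constructed from the one quoted above.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from fnmatch import fnmatchcase

# Assumed signature window: a request signed more than ~15 minutes from
# the server clock is rejected, which HeadObject reports as a bare 403.
SKEW_LIMIT_S = 15 * 60


def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise."""
    return value if isinstance(value, list) else [value]


def grants_list_bucket(policy, bucket):
    """True if an Allow statement grants s3:ListBucket on the bucket ARN
    (arn:aws:s3:::bucket), not merely on its objects (arn:aws:s3:::bucket/*)."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if any(fnmatchcase("s3:listbucket", a) for a in actions) and any(
            fnmatchcase(bucket_arn, r) for r in resources
        ):
            return True
    return False


def skew_seconds(server_date, local_date=None):
    """Seconds the local clock is ahead (+) or behind (-) an S3 Date header.
    local_date is an RFC 1123 string for offline use; default is the real clock."""
    server = parsedate_to_datetime(server_date)
    local = parsedate_to_datetime(local_date) if local_date else datetime.now(timezone.utc)
    return (local - server).total_seconds()


def explain_head_object_403(policy, bucket, server_date, local_date=None):
    """List the likely causes of '403 Forbidden' from HeadObject on a missing key."""
    causes = []
    if not grants_list_bucket(policy, bucket):
        causes.append(f"no s3:ListBucket on arn:aws:s3:::{bucket}")
    if abs(skew_seconds(server_date, local_date)) > SKEW_LIMIT_S:
        causes.append("clock skew beyond signature window")
    return causes


# Constructed samples: the thread's objects-only role policy and a fixed version.
BROKEN = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
          "Action": ["s3:Get*", "s3:List*"], "Resource": ["arn:aws:s3:::fun_stuff/*"]}]}
FIXED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::fun_stuff"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::fun_stuff/*"}]}
```

With the FIXED policy the same HeadObject on a missing key comes back as 404, and the ListBucket grant is scoped to the bucket ARN only, so no broader listing rights are added.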

@martinthurn-LFT - Thank you, I just got bit by this issue as a result of using Timecop (a PHP Port)

Hello all,
while downloading the CodeDeploy agent from S3 I am facing this error; I tried all of the above solutions with no luck.
A client error (403) occurred when calling the HeadObject operation: Forbidden
Completed 1 part(s) with ... file(s) remaining
Please suggest a solution.
