Aws-sdk-js: Access Denied with putObject with ACL

Also, confirmed version: [email protected]

I'm unable to reproduce on a bucket I own:

$ node test
--- File Cached
{ ETag: '"59d412f99c03008379c888cc1e1a25e5"',
  RequestId: 'D2AE6459DED3DFD1' }

Just curious: are you trying to write from an IAM user rather than the master account?

@lsegal : Yes, it is an AMI user. Are there special setups for those users? I switched to my Root credentials, and that works. I'd really like to not have such open permissions though.

@nodeGarden Understood, I just wanted to confirm the root issue. Given your feedback, this looks like it is not an issue with the SDK. As for how to do this with an IAM user, that kind of permission question would be best asked on the Amazon S3 forums, but my general guess would be that you have to explicitly grant upload permissions for the IAM user. The authenticated-read canned ACL is documented to only provide write access to the "Owner", but I'm not sure if that is relevant.

Thanks. I had thought the ACL was the setting for _after_ it was uploaded. I'll check the other forum for something on this.

@nodeGarden it should be. Are you perhaps writing to an existing object?

@lsegal I am pushing a completely new object. I tested on an existing just to be sure and get the same access denied.

@nodeGarden Did you find out what the problem was with S3? I seem to have the same trouble setting the the x-amz-acl header to authenticated-read (via plain JavaScript XHR).

@thetable , Unfortunately no. I have just been using the Master account (very much un-ideal though)

Hmm.. why is this closed? I'm having this issue too and it doesn't seem to be resolved

Ah nvm.. I added all permissions and it worked. Did not isolate which permission was the culprit however

I have the same problem using aws sdk for node.js. 'public-read' ACL doesn't work. other ACL work.

same here

@chollier I would suggest re-verifying your permissions. In all of the above cases there was an environment / configuration error causing these permission errors, not the SDK. We've yet to reproduce any actual issue in the SDK, and the SDK is not actually passing any extra permission information besides "public-read" (if that's what you passed through).

Indeed my bad, I was apply the policy to the wrong role..

—
Sent from Mailbox

On Tue, Jun 9, 2015 at 6:42 PM, Loren Segal [email protected]
wrote:

@chollier I would suggest re-verifying your permissions. In all of the above cases there was an environment / configuration error causing these permission errors, not the SDK. We've yet to reproduce any actual issue in the SDK, and the SDK is not actually passing any extra permission information besides "public-read" (if that's what you passed through).

Reply to this email directly or view it on GitHub:
https://github.com/aws/aws-sdk-js/issues/256#issuecomment-110554329

Hey, making a quick post in case anybody was in the same boat as me and came across this this thread.

Going to expand a bit on chollier. The policy on the s3 bucket I was trying to putObject into didn't allow the current IAM role/user to set the ACL. The solution is to update the s3 bucket's policy's Principal to include the IAM role/user ARN. See https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html#example-bucket-policies-use-case-1

I was running into this problem, where node-lambda (a tool for testing/deploying lambda functions locally) was able to set ACLs on objects, while the same code deployed to AWS generated "Access Denied" errors.

If anyone is having this problem with lambda functions, be sure to go to IAM role management and edit the policy for the Lambda role (I think the default role is lambda_s3_exec_role). The policy includes "s3:getObject" and "s3:PutObject", but should also include "s3:PutObjectAcl" if you need to set access control for files.

node-lambda uses an .env file which contains a key/secret, which in my case gave me more permissions locally than lambda_s3_exec_role had.

I had the same issue in my Node runtime V4.3, the S3 bucket is in different IAM Role and My Lambda is in my IAM role created by Admin of AWS account. I used AWS-SDK apiVersion '2006-03-01'. I checked all my polices it looks fine i had all the access, then i used my accesskey and secret key in aws.S3({}) object so that it can able to read the bucket and file using my keys.

http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html in this find Constructing a S3 object you will get the details.

I hope this may help someone..

Thanks @okdewit !! I just worked perfectly!

@okdewit I almost punched myself in the face because of this. Thanks
aws and their clusterf* of policies/permissions

what was the missing permission anyone? i have amazon S3 Full Access and am getting this error.

i also tried adding this policy, no use:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

I'm also still experiencing this issue when using specific ACLs.

I don't get an Access Denied Error when not specifying an ACL or using the bucket-owner-full-control ACL.
I do get an Access Denied Error when using the authorised-read ACL.

Are there different permissions required for specific ACLs?

EDIT:
Fixed it thanks to this SO post: https://stackoverflow.com/questions/36272286/getting-access-denied-when-calling-the-putobject-operation-with-bucket-level-per

Even if your role has s3:PutObjectAcl permissions for the bucket, the bucket's public access configuration can cause a permissions error when putting certain ACLs.

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.