0

Using the AWS .NET SDK's TransferUtility, I can download files using an access key ID for myself, but when I set up a restricted user with read-only access, I get "The remote server returned an error: (403) Forbidden" errors.

I've set up the user to have the pre-configured arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": "*"
        }
    ]
}

Which other permissions does it need? When a request fails, how can I see exactly why it failed?

Douglas
  • 91
  • 5

1 Answer

0

This helped resolve the issue: https://aws.amazon.com/premiumsupport/knowledge-center/s3-troubleshoot-403/

S3 buckets may be encrypted using AWS KMS; if so, then in addition to the AmazonS3ReadOnlyAccess policy, the user also needs to be granted these permissions:

"Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
]
Douglas
  • 91
  • 5
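For the second part of the question (seeing exactly why a request failed), the SDK exception already carries the answer. The following is an added example, not code from the question or the answer above; the bucket name, object key and local path are placeholders, and credentials are taken from the SDK's default credential chain.

```csharp
using System;
using System.Net;
using System.Threading.Tasks;
using Amazon.S3;
using Amazon.S3.Model;
using Amazon.S3.Transfer;

// Added example (not from the question or answer). Bucket, key and path are placeholders.
public static class DiagnosedDownload
{
    public static async Task Main()
    {
        const string bucket = "example-bucket";      // placeholder
        const string key = "reports/2024.csv";       // placeholder
        const string localPath = "2024.csv";         // placeholder

        using var s3 = new AmazonS3Client();
        var transfer = new TransferUtility(s3);
        try
        {
            await transfer.DownloadAsync(localPath, bucket, key);
            Console.WriteLine($"Downloaded {key} to {localPath}");
        }
        catch (AmazonS3Exception ex)
        {
            // ErrorCode/StatusCode say what S3 rejected; RequestId and the extended id
            // let you correlate the failed call with CloudTrail or an AWS support case.
            Console.Error.WriteLine($"S3 error: {ex.ErrorCode} ({(int)ex.StatusCode} {ex.StatusCode})");
            Console.Error.WriteLine($"Message: {ex.Message}");
            Console.Error.WriteLine($"RequestId: {ex.RequestId}  ExtendedId: {ex.AmazonId2}");
            if (ex.StatusCode == HttpStatusCode.Forbidden)
                await ExplainForbiddenAsync(s3, bucket, key);
        }
    }

    // A 403 for a user that already has s3:Get* is often a missing kms:Decrypt on the
    // KMS key encrypting the object. The object's metadata shows whether SSE-KMS applies.
    private static async Task ExplainForbiddenAsync(IAmazonS3 s3, string bucket, string key)
    {
        try
        {
            GetObjectMetadataResponse meta = await s3.GetObjectMetadataAsync(bucket, key);
            if (meta.ServerSideEncryptionMethod == ServerSideEncryptionMethod.AWSKMS)
                Console.Error.WriteLine($"Object is SSE-KMS encrypted with key {meta.ServerSideEncryptionKeyManagementServiceKeyId}; " +
                    "the caller needs kms:Decrypt (and kms:DescribeKey) on that key as well as s3:GetObject.");
            else
                Console.Error.WriteLine("Object is not SSE-KMS encrypted; check the IAM policy, the bucket policy and any explicit Deny.");
        }
        catch (AmazonS3Exception metaEx)
        {
            Console.Error.WriteLine($"Metadata lookup also failed ({metaEx.ErrorCode}); the caller may lack s3:GetObject on this object.");
        }
    }
}
```

When the metadata call reports AWSKMS, scope the extra KMS grant to that key's ARN rather than to "*", and a read-only user needs only kms:Decrypt and kms:DescribeKey on it, not the encrypt or data-key actions.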