Unexplainable AmazonS3Client getObject() 403 AccessDenied exception

Question

Using the java Amazon AWS SDK, I am getting an unexplainable 403 AccessDenied exception when calling the AmazonS3Client.getObject() method. What is odd here is that I am uploading the object with the same AmazonS3Client so the object resource owner should be the same.

    ClientConfiguration config = new ClientConfiguration();
    config.setProtocol(Protocol.HTTP); // TODO Change to HTTPS?
    AWSCredentials awsCredentials = new BasicAWSCredentials("myAccessKeyID","mySecretAccessKey");
    AmazonS3 amazonS3 = new AmazonS3Client(awsCredentials, config);
    amazonS3.setEndpoint(serviceInfo.getHost());
    S3ClientOptions options = new S3ClientOptions();
    options.setPathStyleAccess(true);
    amazonS3.setS3ClientOptions(options);

    amazonS3.putObject(“myBucket”, “keyVal”, file);
    amazonS3.getObject(“myBucket”, “keyVal”); //AccessDenied

Even if I specify an ACL with the putObject() call, I still get the AccessDenied exception.

Owner owner = amazonS3.getS3AccountOwner();
AccessControlList acl = new AccessControlList();
acl.grantPermission(new CanonicalGrantee(owner.getId()), Permission.Read);
amazonS3.putObject(new PutObjectRequest("mybucket", "myKey", f).withAccessControlList(acl));
amazonS3.getObject(“myBucket”, “keyVal”); //AccessDenied Still!!!

I’ve tested this by including an ACL with Grantee ALL_USERS to the amazonS3.putObject() call and this allows me to use the amazonS3.getObject() call okay without any exceptions so it seems like a permissions issue somewhere. But where?!

The Amazon docs specifically say that a resource owner has access to the resource: "By default, all Amazon S3 resources—buckets, objects, and related subresources (for example, lifecycle configuration and website configuration)—are private: only the resource owner, an AWS account that created it, can access the resource.”

Edit

I should have mentioned originally that I am using the RiakCS client to connect to S3. At the time of this edit, it seems to be an issue with RiakCS.

The resource owner is an AWS account, not an individual user within that AWS account; the user must still have permission to access the object, which is influenced by bucket policy and IAM user and group policies, so "same user" does not necessarily mean you could read what you wrote. Policies must be there to allow it. Show your relevant bucket and user policies, perhaps? Also, are you new to S3 and/or AWS or was this a working setup that has stopped working? — Michael - sqlbot, Jan 07 '16 at 11:47
Also, is the object you uploaded visible in the S3 console? Can you actually download it manually using the console'a download capability, and are you using the same IAM user to access the console and the API? — Michael - sqlbot, Jan 07 '16 at 11:50
Yes I am new to S3 and yes the object is visible using my S3 console Cyberduck and I CAN download the object through that. I should have mentioned this but I am using the Riak CS service so I have never explicitly created a user and AWS account. When calling `amazonS3.getBucketPolicy("myBucket")` it returns null. — McLovin, Jan 07 '16 at 15:47
Perhaps you are not using the account that owns the s3 bucket. Can you call `AmazonIdentityManagementClient.getUser()` and see if that id is different? — ataylor, Jan 07 '16 at 16:26
Buckets and Objects are orthogonal. So shouldn't I be able to access objects even if using an account that is different than the bucket's owner? — McLovin, Jan 07 '16 at 17:18
**"I should have mentioned this but I am using the Riak CS service"** ... um, yes, you should have, since that means *you're not actually using S3 at all,* as your question implies, but rather a different service that purports to be compatible... and it very well may be, but that probably changes the nature of the problem substantially. The question should be edited (rather heavily, I would suggest) to clarify what you're trying to do. — Michael - sqlbot, Jan 07 '16 at 22:35
I have the same problem with Riak CS 1.5.2, seems to be definitely a problem with Riak CS and its S3 implementation as it works when I connect to S3 instead of Riak CS. It shouldn't be a permission problem as when connecting to Riak CS I use the admin credentials. — stempler, Jan 21 '16 at 10:42

score 1 · Accepted Answer · answered Jan 22 '16 at 08:01

Most likely your Riak CS S3 endpoint either does not support or is not configured for AWS v4 signatures. GetObject seems to be special in that respect as it per default uses a v4 signature in the current SDK version.

What you can do is configure the client to use v2 signatures instead:

ClientConfiguration opts = new ClientConfiguration();
opts.setSignerOverride("S3SignerType");  // NOT "AWS3SignerType"
AmazonS3Client s3 = new AmazonS3Client(opts);

see discussion here: https://github.com/aws/aws-sdk-java/issues/372

score -2 · Answer 2 · answered Jan 07 '16 at 06:26

-2

In amazon S3 console if you navigate to your specific folder, you will find "permissions" collapsed menu under "properties" tab. You need to set grantee to "Everyone" and check the necessary boxs.

answered Jan 07 '16 at 06:26

Probal

90
12

I'm not at all confident that this is accurate. – Michael - sqlbot Jan 07 '16 at 11:40
I cannot make my object's public to everyone – McLovin Jan 07 '16 at 15:48

Unexplainable AmazonS3Client getObject() 403 AccessDenied exception

2 Answers2