11

After configuring the AWS CLI using the command `aws configure`, I'm trying to download files from an S3 bucket to the local folder test, using the following command:

```
aws s3 sync s3://sourceBucket ./test --delete
```

but it's throwing the following error message:

```
download failed: s3://sourceBucket/jobs/Test/1/slider-test-0.0.1-SNAPSHOT.war to test/jobs/Test/1/slider-test-0.0.1-SNAPSHOT.war An error occurred (AccessDenied) when calling the GetObject operation: Access Denied
download failed: s3://sourceBucket/jobs/Test/2/slider-test-0.0.1-SNAPSHOT.war to test/jobs/Test/2/slider-test-0.0.1-SNAPSHOT.war An error occurred (AccessDenied) when calling the GetObject operation: Access Denied
```

sourceBucket had the following permissions:

sourceBucket permissions image - click here

When I check the list of objects in sourceBucket using this command

```
aws s3api list-objects --bucket sourceBucket --query 'Contents[].{Key: Key, Size: Size}'
```

the following is its output:

```
[
    {
        "Key": "jobs/Test/1/slider-test-0.0.1-SNAPSHOT.war",
        "Size": 2546325
    },
    {
        "Key": "jobs/Test/2/slider-test-0.0.1-SNAPSHOT.war",
        "Size": 3571598
    }
]
```

Could someone let me know how to solve this? I need to download all the objects from the S3 sourceBucket to the local folder test.

Thank you.

Lakshmi
  • You also have a bucket policy. Any applicable `deny` in there would override the checkboxes. – Michael - sqlbot May 01 '17 at 02:37
  • It has no bucket policy. – Lakshmi May 01 '17 at 02:50
  • Click "edit bucket policy" to be certain? – Michael - sqlbot May 01 '17 at 09:15
  • I didn't add any policy to the bucket. In case I have to add one, could you tell me what policy to add, so that it can retrieve all the data from sourceBucket to the local folder test? – Lakshmi May 01 '17 at 15:03
  • http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html and http://docs.aws.amazon.com/AmazonS3/latest/dev/walkthrough1.html – kosa May 01 '17 at 15:20
  • `{ "Version": "2008-10-17", "Id": "Policy1357935677554", "Statement": [ { "Sid": "Stmt135793564721", "Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::sourceBucket" } ] }` I used this policy earlier, still showing the same error. – Lakshmi May 01 '17 at 15:27
  • You don't have the permissions to do it. If you are using an IAM role (if you are running this command on an EC2 instance) or an IAM user (if you are running this command on your laptop), enable the following policy: `s3:GetObject`. Once updated, give it a few seconds and try again. The resource should be your bucket (for added security). The problem here is not the bucket policy but your IAM permissions, because you are using the AWS CLI. – krishna_mee2004 Jun 27 '17 at 14:31
  • Were you able to fix this problem? – Vipin Verma Feb 18 '19 at 00:13
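
An added example (not part of the original thread, and not AWS's own evaluation code): a simplified offline evaluator for the bucket policy posted in the comments, showing that a `Resource` naming only the bucket ARN matches `s3:ListBucket` on the bucket but not `s3:GetObject` on an object ARN, which is the same pattern as the listing succeeding while the download is denied. It ignores `Principal`, `Condition`, IAM identity policies and KMS key policies; the `SCOPED` policy and its account and user ARN are constructed placeholders.

```python
import re

def _match(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or 'NoMatch' (implicit deny) for one request.
    Simplification: Principal, Condition, NotAction, NotResource are ignored."""
    result = "NoMatch"
    for st in _as_list(policy["Statement"]):
        if not any(_match(a, action, True) for a in _as_list(st["Action"])):
            continue  # action names are case-insensitive
        if not any(_match(r, resource) for r in _as_list(st["Resource"])):
            continue  # resource ARNs are case-sensitive
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit deny overrides any allow
        result = "Allow"
    return result

BUCKET = "arn:aws:s3:::sourceBucket"
OBJECT = BUCKET + "/jobs/Test/1/slider-test-0.0.1-SNAPSHOT.war"

# Policy as posted in the comments: Resource is the bucket ARN only.
POSTED = {"Version": "2008-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": BUCKET}]}

# Constructed alternative: one named principal, read-only actions,
# bucket ARN for listing and object ARNs (bucket/*) for downloads.
WHO = {"AWS": "arn:aws:iam::111122223333:user/example-user"}  # placeholder
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": WHO, "Action": "s3:ListBucket", "Resource": BUCKET},
    {"Effect": "Allow", "Principal": WHO, "Action": "s3:GetObject", "Resource": BUCKET + "/*"}]}

def report(policy):
    return {"s3:ListBucket": evaluate(policy, "s3:ListBucket", BUCKET),
            "s3:GetObject": evaluate(policy, "s3:GetObject", OBJECT)}

if __name__ == "__main__":
    print("posted:", report(POSTED))
    print("scoped:", report(SCOPED))
```

A `NoMatch` result here means the policy grants nothing for that request, so access then depends on the caller's IAM permissions and, for KMS-encrypted objects, on the key policy.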

1 Answer

18

If you use KMS to encrypt your S3 files, also make sure the IAM user / role has access to use the appropriate key to decrypt the file. In your KMS dashboard, click on 'Customer Managed Keys' then click on the specific key used for the S3 bucket. You'll then need to add the appropriate accounts / roles to the key policy. For more see: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam

  • Your answer helped a lot! I was stuck looking at S3 permission and forgot to check kms permissions. – barakbd Aug 22 '19 at 17:35
  • Yep this is what got me -- going to use AWS managed KMS keys in the future. – Merlin Jan 26 '20 at 14:19
  • Can't find 'Encryption Keys' in the IAM dashboard – Raj Aug 04 '20 at 07:54
  • @LeninRajRajasekaran They moved this option to the KMS console. https://console.aws.amazon.com/kms/ From there you can view your 'customer managed keys' and then update 'key users' as appropriate. – Chris McLaughlin Nov 30 '20 at 00:39