
I am trying to rename an object in S3 through the AWS Console.

I have a role to which I attached two policies.

A "read" permission

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetAccelerateConfiguration",
                "s3:GetAnalyticsConfiguration",
                "s3:GetBucketAcl",
                "s3:GetBucketCORS",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketNotification",
                "s3:GetBucketPolicy",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketRequestPayment",
                "s3:GetBucketTagging",
                "s3:GetBucketVersioning",
                "s3:GetBucketWebsite",
                "s3:GetEncryptionConfiguration",
                "s3:GetInventoryConfiguration",
                "s3:GetLifecycleConfiguration",
                "s3:GetMetricsConfiguration",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectTagging",
                "s3:GetObjectTorrent",
                "s3:GetObjectVersion",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectVersionForReplication",
                "s3:GetObjectVersionTagging",
                "s3:GetObjectVersionTorrent",
                "s3:GetReplicationConfiguration",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:ListBucketVersions",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::bfe-dp-test3-pos-lz",
                "arn:aws:s3:::bfe-dp-test3-pos-lz/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:HeadBucket"
            ],
            "Resource": "*"
        }
    ]
}

And a "write" set of permissions

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:DeleteBucketWebsite",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetBucketLocation",
                "s3:GetBucketObjectLockConfiguration",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectTagging",
                "s3:GetObjectVersion",
                "s3:ListBucket",
                "s3:PutAccelerateConfiguration",
                "s3:PutAnalyticsConfiguration",
                "s3:PutBucketCORS",
                "s3:PutBucketLogging",
                "s3:PutBucketNotification",
                "s3:PutBucketRequestPayment",
                "s3:PutBucketVersioning",
                "s3:PutBucketWebsite",
                "s3:PutEncryptionConfiguration",
                "s3:PutInventoryConfiguration",
                "s3:PutLifecycleConfiguration",
                "s3:PutMetricsConfiguration",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectTagging",
                "s3:PutReplicationConfiguration",
                "s3:ReplicateDelete",
                "s3:ReplicateObject",
                "s3:RestoreObject"
            ],
            "Resource": [
                "arn:aws:s3:::bfe-dp-test3-pos-lz",
                "arn:aws:s3:::bfe-dp-test3-pos-lz/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:HeadBucket"
            ],
            "Resource": "*"
        }
    ]
}

Yet, when I try to rename a file (object) through the AWS Console, I get a failed error message without details...

Any idea which additional permission might be missing?

Eric Mamet

2 Answers


I tried to replicate the issue with my own bucket and I found no issues with your two policies.

My verification process:

  1. Create two managed policies: one read and one write as you described.
  2. Create an IAM role containing the two policies. The trust policy was my sandbox account arn:aws:iam::xxxx:root
  3. Use console to Switch Role in order to assume the role created in step 2.
  4. While being in the assumed role, I tried renaming an object in the bucket and found no issues. I also could upload objects to the bucket.

Thus it seems to me that there is something else happening. Maybe you have something wrong with other policies in the role? Or does the bucket have a policy that denies some actions? And, as explained in the comments, extra KMS permissions are required for the role if the objects are encrypted.

Marcin
  • I need to double check but it would appear my problem was due to encryption on the buckets. I need to add { "Sid": "kmsAccess", "Effect": "Allow", "Action": [ "kms:List*", "kms:*" ], "Resource": "*" }, – Eric Mamet Jul 06 '20 at 12:52
  • @EricMamet Makes sense. I will update the question to add KMS under " something else happening" :-) – Marcin Jul 06 '20 at 12:53

In my particular case above, I was missing access to Encryption!

Had to add this to my "read" policy

    {
        "Sid": "kmsAccess",
        "Effect": "Allow",
        "Action": [
            "kms:List*",
            "kms:*"
        ],
        "Resource": "*"
    }

Thanks for your help

Eric Mamet
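The thread settles on "add KMS", but it does not spell out which calls a console rename actually makes or which KMS actions they need. The following is an added example (not code from the question or either answer) that models a rename the way S3 performs it, as CopyObject followed by DeleteObject, and checks a set of IAM policies against the five actions that sequence needs on an SSE-KMS bucket. The bucket name is the one from the question; the key ARN, the object key and the abbreviated policy documents are constructed for the example, and the evaluator is a simplified model (Allow/Deny with wildcard matching, no conditions, no principal logic), not the real IAM engine.

```python
"""Check whether a policy set lets a role rename an SSE-KMS object.

S3 has no rename primitive: the console issues CopyObject, then DeleteObject.
On a bucket with SSE-KMS objects the copy must decrypt the source
(kms:Decrypt) and encrypt the new object (kms:GenerateDataKey).
Everything below is a constructed example; KEY_ARN and OBJECT_KEY are
placeholders, not values from the original question.
"""
from fnmatch import fnmatchcase

BUCKET = "bfe-dp-test3-pos-lz"                   # bucket from the question
OBJECT_KEY = "reports/2020-07.csv"                # assumed sample object
KEY_ARN = ("arn:aws:kms:eu-west-1:111122223333:key/"
           "00000000-0000-0000-0000-000000000000")  # assumed CMK for the bucket
OTHER_KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/other"

# Abbreviated versions of the "read" and "write" policies from the question;
# only the actions relevant to a rename are kept.
READ_POLICY = {"Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket"],
     "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]},
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:HeadBucket"],
     "Resource": "*"}]}

WRITE_POLICY = {"Statement": [
    {"Effect": "Allow",
     "Action": ["s3:PutObject", "s3:DeleteObject", "s3:GetObject",
                "s3:AbortMultipartUpload", "s3:ListBucket"],
     "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]}]}

# The fix posted in the accepted answer: every KMS action on every key.
KMS_BROAD = {"Statement": [
    {"Sid": "kmsAccess", "Effect": "Allow",
     "Action": ["kms:List*", "kms:*"], "Resource": "*"}]}

# Least-privilege alternative: only the two actions a copy needs, on one key.
KMS_SCOPED = {"Statement": [
    {"Sid": "kmsForRename", "Effect": "Allow",
     "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": KEY_ARN}]}

# A bucket-policy style explicit Deny, the other failure mode Marcin mentions.
DENY_DELETE = {"Statement": [
    {"Effect": "Deny", "Action": "s3:DeleteObject",
     "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}


def rename_requirements(bucket=BUCKET, key=OBJECT_KEY, key_arn=KEY_ARN):
    """(action, resource) pairs a copy-then-delete rename evaluates."""
    obj = f"arn:aws:s3:::{bucket}/{key}"
    return [
        ("s3:GetObject", obj),        # CopyObject reads the source object
        ("s3:PutObject", obj),        # CopyObject writes the new object
        ("s3:DeleteObject", obj),     # the source is then deleted
        ("kms:Decrypt", key_arn),     # decrypt the source's data key
        ("kms:GenerateDataKey", key_arn),  # data key for the new object
    ]


def _matches(patterns, value):
    """IAM-style wildcard match; Action/Resource may be a string or a list."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def is_allowed(policies, action, resource):
    """Simplified IAM evaluation: explicit Deny wins, otherwise any Allow,
    otherwise implicit deny. Conditions and principals are not modelled."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def missing_for_rename(policies, **kwargs):
    """Actions from rename_requirements() the policy set does not allow."""
    return [a for a, r in rename_requirements(**kwargs)
            if not is_allowed(policies, a, r)]


if __name__ == "__main__":
    print("read+write only:", missing_for_rename([READ_POLICY, WRITE_POLICY]))
    print("with scoped KMS:", missing_for_rename([READ_POLICY, WRITE_POLICY, KMS_SCOPED]))
```

Running it shows the two S3 policies already cover the copy and delete, and that only kms:Decrypt and kms:GenerateDataKey are missing. The scoped statement closes that gap for the bucket's key while leaving any other key unreachable, whereas the `kms:*` on `Resource: "*"` from the answer grants the role every KMS operation (key deletion and policy changes included) on every key in the account; it works, but it is far broader than the rename needs.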