9

I created a new bucket on AWS S3 from the web wizard. I was logged in as the root user.

I am attempting to add a bucket policy as follows:

    {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::<my-bucket-name-is-here>/*"
            ]
        }]
    }

I get permission denied in both the web editor and the CLI.

Web tool: [image: AWS admin panel error modal]

CLI:

    An error occurred (AccessDenied) when calling the PutBucketPolicy operation: Access Denied

In the IAM settings, the root user has full access:

    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]

I added:

        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        }

I also tried adding:

        {
            "Sid": "ModifyBucketPolicy",
            "Action": [
                "s3:GetBucketPolicy",
                "s3:PutBucketPolicy"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::<MY-BUCKET-NAME>*"
        },

I still don't have permissions.

auerbachb
  • Can you clarify what you want to achieve? This is an invalid bucket policy anyway, so I'm not sure what your aim is. – Marcin Nov 09 '20 at 02:52
  • 2
    Not sure if it is the cause, but did you turn off S3 Block Public Access, so that it allows a new Bucket Policy? – John Rotenstein Nov 09 '20 at 20:51
  • 1
    @JohnRotenstein, this is probably the case. I am testing now. However, why is "Block Public Access" blocking an authorized user from making updates? – auerbachb Nov 10 '20 at 21:02
  • 1
    The error says `PutBucketPolicy` -- that is one of the actions affected by S3 Block Public Access. – John Rotenstein Nov 10 '20 at 21:05
  • @JohnRotenstein this is the problem. Thank you! I guess this is necessary to prevent conflicts between the bucket policy which can control access and these public access controls in the web UI. I wish this had been clearer. – auerbachb Nov 10 '20 at 22:08

1 Answer

17

Thanks to @JohnRotenstein I see that because I accepted the default "Block All Public Access" from AWS I was unable to edit the bucket policy. This makes sense, since the bucket policy can also control access and could thus conflict.

However, the error message is confusing since it makes no mention of the fact that it is the Block public access (bucket settings) that prevented updating. The error message stating access denied / you don't have permissions made me think it was the IAM settings on my user that were preventing me from modifying the resource.

auerbachb
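An added example, not part of the original question or answer: a Python sketch that checks offline whether a bucket policy counts as public and would therefore be rejected by PutBucketPolicy while the bucket's BlockPublicPolicy setting is on. The function names, the placeholder bucket name and the simplified notion of "public" (an Allow statement with a wildcard principal and no Condition) are assumptions of this example.

```python
# Constructed sample: the policy from the question, placeholder bucket name.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AddPerm", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": ["arn:aws:s3:::example-bucket/*"],
    }],
}
# Field names follow S3's PublicAccessBlockConfiguration; all four on is the
# "Block all public access" default the answer describes.
DEFAULT_BPA = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_principal(principal):
    """True for "*" or a mapping such as {"AWS": "*"}."""
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return principal == "*"


def public_statements(policy):
    """Sids (or indexes) of Allow statements open to any principal.

    Assumption: any Condition is treated as restricting access; AWS
    itself inspects the specific condition keys and values.
    """
    return [stmt.get("Sid", i)
            for i, stmt in enumerate(_as_list(policy.get("Statement", [])))
            if stmt.get("Effect") == "Allow"
            and _wildcard_principal(stmt.get("Principal"))
            and not stmt.get("Condition")]


def explain_put_bucket_policy(policy, bpa):
    """Predict whether Block Public Access would reject this policy."""
    hits = public_statements(policy)
    if hits and bpa.get("BlockPublicPolicy"):
        return f"rejected: BlockPublicPolicy is on; public statements: {hits}"
    return "not blocked by BlockPublicPolicy"


if __name__ == "__main__":
    print(explain_put_bucket_policy(QUESTION_POLICY, DEFAULT_BPA))
```

On a real bucket the current settings can be read with `aws s3api get-public-access-block --bucket <bucket-name>` and passed in place of `DEFAULT_BPA`.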