S3:CopyObject - Access Denied

Grant S3:GetObjectTagging and S3:PutObjectTagging to copy files with tags

Ronny Roeller
NEXT Engineering
1 min read · Nov 26, 2018

The CopyObject operation creates a copy of a file that is already stored in S3. When we tried using it, we consistently got the S3 error AccessDenied: Access Denied. Unfortunately, not the most descriptive error message. In any case, something was clearly wrong with the IAM permissions.

As CopyObject is a combination of S3:Get and S3:Put operations, we were convinced that we just needed the s3:GetObject and the s3:PutObject permissions. Yet, the CopyObject operation would still give the Access Denied error.

In the end, it turned out that S3 tags caused the issue. The x-amz-tagging-directive header (TaggingDirective in the SDK) is “COPY” by default, which is reasonable because we want to copy tags. Yet, that means that the permissions s3:GetObjectTagging and s3:PutObjectTagging are required to copy files with tags.

Putting everything together, we ended up with a policy like:

{
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:GetObjectTagging",
        "s3:PutObject",
        "s3:PutObjectTagging"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my-bucket/*"
      ]
    },
    {
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my-bucket"
      ]
    }
  ],
  "Version": "2012-10-17"
}
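
To catch this kind of gap before deploying a policy, the check below (an added example, not code from the original article) lists which of the actions a tagged CopyObject needs are not granted by a given identity policy. It is a simplified evaluator that only reads Effect, Action and Resource, and the object keys and the names `FIRST_ATTEMPT` and `FINAL_POLICY` are constructed for illustration.

```python
import re

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def is_allowed(policy, action, resource):
    # Simplified: explicit Deny wins, otherwise one Allow must match.
    # Ignores Condition, NotAction, NotResource, bucket policies and SCPs.
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        hit = (any(_matches(a, action, True) for a in _as_list(stmt["Action"]))
               and any(_matches(r, resource) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed

def copy_requirements(bucket, src_key, dst_key, source_has_tags=True):
    src = f"arn:aws:s3:::{bucket}/{src_key}"
    dst = f"arn:aws:s3:::{bucket}/{dst_key}"
    needed = [("s3:GetObject", src), ("s3:PutObject", dst)]
    if source_has_tags:  # TaggingDirective defaults to COPY: tags are read and written
        needed += [("s3:GetObjectTagging", src), ("s3:PutObjectTagging", dst)]
    return needed

def missing_for_copy(policy, bucket, src_key, dst_key, source_has_tags=True):
    needed = copy_requirements(bucket, src_key, dst_key, source_has_tags)
    return [(a, r) for a, r in needed if not is_allowed(policy, a, r)]

def _object_policy(actions):
    # Same shape as the article's policy; only the object-level actions vary.
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": actions, "Resource": ["arn:aws:s3:::my-bucket/*"]},
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::my-bucket"]},
    ]}

FIRST_ATTEMPT = _object_policy(["s3:GetObject", "s3:PutObject"])
FINAL_POLICY = _object_policy(["s3:GetObject", "s3:GetObjectTagging",
                               "s3:PutObject", "s3:PutObjectTagging"])

if __name__ == "__main__":
    for name, pol in (("first attempt", FIRST_ATTEMPT), ("final policy", FINAL_POLICY)):
        gaps = missing_for_copy(pol, "my-bucket", "in/report.csv", "out/report.csv")
        print(name, "->", [a for a, _ in gaps] or "copy permitted")
```
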

Happy coding!

Want to learn more? Have a look at our other articles.
