S3:CopyObject - Access Denied
Grant S3:GetObjectTagging and S3:PutObjectTagging to copy files with tags
The CopyObject operation creates a copy of a file that is already stored in S3. When we tried using it, we consistently got the S3 error "AccessDenied: Access Denied". Unfortunately, not the most descriptive error message. In any case, something was clearly wrong with the IAM permissions.
As CopyObject is a combination of S3:Get and S3:Put operations, we were convinced that we just needed the s3:GetObject and the s3:PutObject permissions. Yet, the CopyObject operation would still give the Access Denied error.
In the end, it turned out that S3 tags caused the issue. x-amz-tagging-directive / TaggingDirective is “COPY” by default, which is reasonable because we want to copy tags. Yet, that means that the permissions S3:GetObjectTagging and S3:PutObjectTagging are required to copy files with tags.
Putting everything together, we ended up with a policy like:
{
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:GetObjectTagging",
        "s3:PutObject",
        "s3:PutObjectTagging"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my-bucket/*"
      ]
    },
    {
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my-bucket"
      ]
    }
  ],
  "Version": "2012-10-17"
}
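A pre-deployment check for the gap described above, as an added example that is not part of the original article: it reports which of the four object-level actions a policy document fails to grant for a copy that leaves the tagging directive at COPY. The function names, the sample policy and the object keys are constructed for illustration, and the matcher is a deliberate simplification that only looks at Allow statements.

```python
import fnmatch

# Actions the article identifies as needed for CopyObject when the tagging
# directive is left at its default of COPY.
COPY_SOURCE_ACTIONS = ("s3:GetObject", "s3:GetObjectTagging")
COPY_DEST_ACTIONS = ("s3:PutObject", "s3:PutObjectTagging")


def _as_list(value):
    # IAM accepts either a single string or a list for Action/Resource.
    return value if isinstance(value, list) else [value]


def allows(policy, action, resource):
    """True if some Allow statement matches both action and resource.

    Simplified: ignores Deny, NotAction, NotResource and Condition, and
    uses fnmatch, so '[' in a pattern is not treated literally.
    """
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        # Action names are case-insensitive; resource ARNs are matched as-is.
        action_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions)
        resource_ok = any(fnmatch.fnmatchcase(resource, r) for r in resources)
        if action_ok and resource_ok:
            return True
    return False


def missing_for_copy(policy, src_arn, dst_arn):
    """Return (action, arn) pairs a default-directive copy needs but lacks."""
    needed = [(a, src_arn) for a in COPY_SOURCE_ACTIONS]
    needed += [(a, dst_arn) for a in COPY_DEST_ACTIONS]
    return [(a, arn) for a, arn in needed if not allows(policy, a, arn)]


# Constructed sample: a policy granting only GetObject and PutObject.
FIRST_ATTEMPT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": ["arn:aws:s3:::my-bucket/*"],
    }],
}

if __name__ == "__main__":
    src = "arn:aws:s3:::my-bucket/in/report.csv"   # constructed key
    dst = "arn:aws:s3:::my-bucket/out/report.csv"  # constructed key
    for action, arn in missing_for_copy(FIRST_ATTEMPT, src, dst):
        print(f"missing {action} on {arn}")
```

Because source and destination are checked separately, the same function covers cross-bucket copies where the two ARNs fall under different statements.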
Happy coding!
Photo: Robert Anthony Provost