AWS CLI S3 A client error (403) occurred when calling the HeadObject operation: Forbidden


I'm trying to set up an Amazon Linux AMI (ami-f0091d91) and have a script that runs a copy command to copy from an S3 bucket.

 aws --debug s3 cp s3://aws-codede         


        
21 Answers
  • 2020-12-03 04:46

    I also experienced that behaviour. In my case I've found that if the IAM policy doesn't have access to read the object (s3:GetObject), the same error is raised.

    I agree with you that the error raised from the AWS console & CLI is not really well explained and may cause confusion.

    0 Discussion (0)
  • 2020-12-03 04:46

    I had a lambda function doing the same, copy from bucket to bucket.

    The lambda had permissions to use the source bucket as trigger.

    Configuration tab

    But it also needs permissions to OPERATE with buckets.

    Permissions tab

    If s3 is not there, then you need to edit the Role used by the lambda and add it (see the s3FullAccess)

    0 Discussion (0)
  • 2020-12-03 04:48

    I was getting the error A client error (403) occurred when calling the HeadObject operation: Forbidden for my AWS CLI copy command aws s3 cp s3://bucket/file file. I was using an IAM role which had full S3 access using an Inline Policy.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:*",
          "Resource": "*"
        }
      ]
    }
    

    If I give it the full S3 access from the Managed Policies instead, then the command works. I think this must be a bug from Amazon, because the policies in both cases were exactly the same.

    0 Discussion (0)
  • 2020-12-03 04:48

    When it comes to cross-account S3 access

    An IAM user policy will not override the policy defined for the bucket in the foreign account.

    s3:GetObject must be allowed for accountA/user as well as on the accountB/bucket

    0 Discussion (0)
  • 2020-12-03 04:49

    Trying to solve this problem myself, I discovered that there is no HeadBucket permission. It looks like there is, because that's what the error message tells you, but actually the HEAD operation requires the ListBucket permission. I also discovered that my IAM policy and my bucket policy were conflicting. Make sure you check both.

    0 Discussion (0)
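The rule behind the cross-account and conflicting-policy answers above, as an added example that is not from any of the posts: a simplified Python model of how the identity policy and the bucket policy combine for HeadObject, which is authorized by s3:GetObject on the object ARN. Assumptions: the function names, the bucket name example-bucket and the three bucket policies are constructed for illustration, and Principal, Condition, NotAction, SCPs and object ACLs are ignored.

```python
import fnmatch

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, action, resource):
    # Action names are case-insensitive; resource ARNs are case-sensitive.
    acts = [a.lower() for a in _as_list(stmt["Action"])]
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in acts)
            and any(fnmatch.fnmatchcase(resource, r)
                    for r in _as_list(stmt["Resource"])))

def _verdict(policy, action, resource):
    """'deny', 'allow' or None (no statement matches) for one policy document."""
    stmts = _as_list((policy or {}).get("Statement", []))
    effects = {s["Effect"] for s in stmts if _matches(s, action, resource)}
    return "deny" if "Deny" in effects else "allow" if "Allow" in effects else None

def head_object_allowed(identity_policy, bucket_policy, bucket, key, cross_account):
    """Would HeadObject pass policy evaluation? (simplified model, see lead-in)"""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    verdicts = [_verdict(p, "s3:GetObject", arn)
                for p in (identity_policy, bucket_policy)]
    if "deny" in verdicts:
        return False                           # an explicit Deny always wins
    if cross_account:
        return verdicts == ["allow", "allow"]  # both accounts must allow
    return "allow" in verdicts                 # same account: one Allow suffices

def _policy(effect, action, resource):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": effect, "Action": action, "Resource": resource}]}

# The inline identity policy quoted in an earlier answer on this page.
FULL_S3 = _policy("Allow", "s3:*", "*")
# Constructed bucket policies (assumed to name the caller as Principal).
LIST_ONLY = _policy("Allow", "s3:ListBucket", "arn:aws:s3:::example-bucket")
GET_OBJECT = _policy("Allow", "s3:GetObject", "arn:aws:s3:::example-bucket/*")
DENY_GET = _policy("Deny", "s3:GetObject", "arn:aws:s3:::example-bucket/*")

if __name__ == "__main__":
    for name, bp in [("LIST_ONLY", LIST_ONLY), ("GET_OBJECT", GET_OBJECT),
                     ("DENY_GET", DENY_GET)]:
        for cross in (False, True):
            ok = head_object_allowed(FULL_S3, bp, "example-bucket", "file", cross)
            print(f"{name:10} cross_account={cross!s:5} -> {'200' if ok else '403'}")
```

For a real principal, the same question can be put to the IAM policy simulator instead of this model.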
  • 2020-12-03 04:49

    Check your object owner if you copy the file from another AWS account.

    In my case, I copied the file from another AWS account without an ACL, so the file's owner is the other AWS account, which means the file belongs to the origin account.

    To fix it, copy or sync S3 files with an ACL, for example:

    aws s3 cp --acl bucket-owner-full-control s3://bucket1/key s3://bucket2/key
    
    0 Discussion (0)