Question
I'm doing a multipart upload via the AWS CLI console but getting this error:
A client error (AccessDenied) occurred when calling the CreateMultipartUpload operation: Access Denied
Below is my policy. Am I missing something in there?
Thanks.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::mybucket"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:CreateMultipartUpload",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": "arn:aws:s3:::mybucket/*"
        }
    ]
}
Answer 1:
The "s3:PutObject" handles the CreateMultipartUpload operation, so I guess there is nothing like "s3:CreateMultipartUpload".
The thing you have to change in your S3 bucket ARN is to also add "Resource": "arn:aws:s3:::mybucket"
Final policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::mybucket"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket",
                "arn:aws:s3:::mybucket/*"
            ]
        }
    ]
}
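The two points in the answer above (API operation names that are not IAM actions, and bucket-level versus object-level ARNs) can be checked offline before a policy is attached. The following Python sketch is an added example, not code from the original post or from AWS; the names `lint` and `arn_level` are hypothetical, and the action table covers only the S3 actions that appear on this page.

```python
# Resource level each IAM action used on this page applies to.
BUCKET = {"s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads"}
OBJECT = {"s3:PutObject", "s3:GetObject", "s3:DeleteObject",
          "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"}
LEVEL = {**{a: "bucket" for a in BUCKET}, **{a: "object" for a in OBJECT}}
# Multipart API operations with no IAM action of the same name,
# mapped to the IAM action that authorizes them.
API_ONLY = {"s3:" + op: "s3:PutObject"
            for op in ("CreateMultipartUpload", "UploadPart", "CompleteMultipartUpload")}

def as_list(value):
    return value if isinstance(value, list) else [value]

def arn_level(arn):
    """Classify an S3 ARN: 'object' (has a key part), 'bucket', or 'any' (wildcard name)."""
    path = arn.split(":::", 1)[-1]
    if "/" in path:
        return "object"
    return "any" if "*" in path else "bucket"

def lint(policy):
    """Return (action, problem) pairs for the Allow statements of an S3 policy."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        levels = {arn_level(r) for r in as_list(stmt.get("Resource", []))}
        for action in as_list(stmt.get("Action", [])):
            if action in API_ONLY:
                findings.append((action, "not an IAM action; covered by " + API_ONLY[action]))
            elif action in LEVEL and not levels & {LEVEL[action], "any"}:
                findings.append((action, "needs a %s-level ARN" % LEVEL[action]))
    return findings

# Third statement of the policy in the question, copied from this page.
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject",
               "s3:CreateMultipartUpload", "s3:AbortMultipartUpload",
               "s3:ListMultipartUploadParts", "s3:ListBucketMultipartUploads"],
    "Resource": "arn:aws:s3:::mybucket/*"}]}

if __name__ == "__main__":
    for action, problem in lint(QUESTION_POLICY):
        print(action + ": " + problem)
```

Run against the statement from the question, it reports `s3:CreateMultipartUpload` and the bucket-level `s3:ListBucketMultipartUploads` scoped to an object ARN; the final policy in the answer produces no findings.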
Answer 2:
If it's cross-account access, check that it is not related to ACL headers, as mentioned here: https://stackoverflow.com/a/34055538/1736679 (more info in this issue thread: https://github.com/aws/aws-cli/issues/1674)
Also double-check the environment / user from which you are running to see that there are no overriding keys (AWS_ACCESS_KEY, etc.) in /etc/environment or ~/.aws/credentials
Source: https://stackoverflow.com/questions/37630635/createmultipartupload-operation-aws-policy-items-needed