I am trying to limit access for one of the IAM users to a "folder" within an S3 bucket. I thought I had this configured correctly, but the read access does not appear to be working.
{
"Sid": "TEST_PublicReadGetObject",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::807676775814:user/project/api/testuserapi-abc123"
},
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketByTags",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions",
"s3:ListMultipartUploadParts"
],
"Resource":
"arn:aws:s3:::testbucket-securitytest/timeline/*"
}
Is there something I am missing? Is there sometimes a delay in making these changes or should it be instant?
I think I figured it out: I had to allow ListBucket access first and then add the Action to allow only GetObject for that "folder". :) --- Just need to read the documentation a little more thoroughly.
{
"Sid": "TEST_ListItems",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::807676775814:user/project/api/testuserapi"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::testbucket"
},
{
"Sid": "TEST_PublicReadGetObject",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::807676775814:user/project/api/testuserapi"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::testbucket/Timeline/*"
}
I am trying to upload an object to an AWS bucket using NodeJs (aws-sdk), but I am getting an access denied error.
The IAM user whose accessKeyId and secretAccessKey I am using has also been given access to the S3 bucket to which I am trying to upload.
Backend Code
import * as AWS from 'aws-sdk';       // assumed: the import this snippet relies on but does not show
import { v4 as uuid } from 'uuid';    // assumed: uuid() below is the uuid v4 generator

const s3 = new AWS.S3({
    accessKeyId: this.configService.get<string>('awsAccessKeyId'),
    secretAccessKey: this.configService.get<string>('awsSecretAccessKey'),
    params: {
        Bucket: this.configService.get<string>('awsPublicBucketName'),
    },
    region: 'ap-south-1',
});
const uploadResult = await s3
.upload({
Bucket: this.configService.get<string>('awsPublicBucketName'),
Body: dataBuffer,
Key: `${folder}/${uuid()}-$(unknown)`,
})
.promise();
Bucket Policy
{
"Version": "2012-10-17",
"Id": "PolicyXXXXXXXXX",
"Statement": [
{
"Sid": "StmtXXXXXXXXXXXXXX",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::some-random-bucket"
},
{
"Sid": "StmtXXXXXXXXXXX",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXXXXXX:user/some-random-user"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::some-random-bucket"
}
]
}
You have an explicit deny statement, denying anyone from doing anything S3-related on some-random-bucket.
This will override any allow statements in the policy, according to the official IAM policy evaluation logic.
You can do any of the following:
Remove the deny statement from the policy
Modify the deny statement & use NotPrincipal to exclude some-random-user from the deny statement
Modify the deny statement & use the aws:PrincipalArn condition key with the ArnNotEquals condition operator to exclude some-random-user from the deny statement i.e.
{
"Version": "2012-10-17",
"Id": "PolicyXXXXXXXXX",
"Statement": [
{
"Sid": "StmtXXXXXXXXXXXXXX",
"Effect": "Deny",
"Action": "s3:*",
"Principal": "*",
"Resource": "arn:aws:s3:::some-random-bucket",
"Condition": {
"ArnNotEquals": {
"aws:PrincipalArn": "arn:aws:iam::XXXXXXXXXX:user/some-random-user"
}
}
},
{
"Sid": "StmtXXXXXXXXXXX",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXXXXXX:user/some-random-user"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::some-random-bucket"
}
]
}
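To make the evaluation rule the answer relies on concrete, here is an added example (not code from the question or the answer) that replays IAM's Deny-beats-Allow logic against the two bucket policies above. It models only the subset of the policy language those policies use: Principal "*" or {"AWS": arn}, Action and Resource with "*" wildcards, and ArnEquals / ArnNotEquals on aws:PrincipalArn. The account id XXXXXXXXXX and the user ARN are the placeholders from the post; the second user ARN is constructed for the comparison. A real request would also be subject to identity policies, SCPs and session policies, which this model leaves out.

```python
"""Replay IAM policy evaluation (explicit Deny > Allow > implicit deny)
against the two bucket policies from the post. Added example, not the
post's own code; it models only what those policies use."""
import fnmatch

USER = "arn:aws:iam::XXXXXXXXXX:user/some-random-user"
OTHER_USER = "arn:aws:iam::XXXXXXXXXX:user/another-user"  # constructed for the comparison
BUCKET = "arn:aws:s3:::some-random-bucket"

# The poster's original policy: a blanket Deny next to a user-specific Allow.
ORIGINAL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": BUCKET},
    {"Effect": "Allow", "Principal": {"AWS": USER}, "Action": "s3:*", "Resource": BUCKET},
]}

# The answer's fix: the Deny no longer matches the intended user.
FIXED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": BUCKET,
     "Condition": {"ArnNotEquals": {"aws:PrincipalArn": USER}}},
    {"Effect": "Allow", "Principal": {"AWS": USER}, "Action": "s3:*", "Resource": BUCKET},
]}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    return isinstance(principal, dict) and caller_arn in _as_list(principal.get("AWS", []))


def _condition_matches(condition, caller_arn):
    """Only aws:PrincipalArn with ArnEquals / ArnNotEquals is modelled."""
    for operator, pairs in (condition or {}).items():
        for key, values in pairs.items():
            if key != "aws:PrincipalArn" or operator not in ("ArnEquals", "ArnNotEquals"):
                raise NotImplementedError(f"{operator} on {key}")
            hit = caller_arn in _as_list(values)
            if (operator == "ArnEquals") != hit:
                return False
    return True


def evaluate(policy, caller_arn, action, resource):
    """Return 'EXPLICIT_DENY', 'ALLOW' or 'IMPLICIT_DENY'.

    Every statement is examined; a matching Deny wins no matter where it
    sits in the Statement array, which is why reordering never helps."""
    allowed = False
    for stmt in policy["Statement"]:
        matches = (
            _principal_matches(stmt["Principal"], caller_arn)
            and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_matches(stmt.get("Condition"), caller_arn)
        )
        if not matches:
            continue
        if stmt["Effect"] == "Deny":
            return "EXPLICIT_DENY"
        allowed = True
    return "ALLOW" if allowed else "IMPLICIT_DENY"


def compare():
    """The same upload request under both policies, plus two sanity checks."""
    return {
        "original": evaluate(ORIGINAL, USER, "s3:PutObject", BUCKET),
        "fixed": evaluate(FIXED, USER, "s3:PutObject", BUCKET),
        "fixed_other_user": evaluate(FIXED, OTHER_USER, "s3:PutObject", BUCKET),
        # s3:PutObject is authorised against the object ARN (bucket/key); neither
        # policy's Allow names one, so the bucket ARN alone still yields a deny.
        "fixed_object_arn": evaluate(FIXED, USER, "s3:PutObject", BUCKET + "/uploads/x.png"),
    }


if __name__ == "__main__":
    for case, verdict in compare().items():
        print(f"{case:18} {verdict}")
```

The last case is the caveat a practitioner would check next: even with the Deny fixed, the Allow's Resource is the bucket ARN only, and an upload is evaluated against `arn:aws:s3:::some-random-bucket/<key>`, so the object ARN (`.../*`) has to be granted as well.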
I have added permission to my event bus as
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "allow_account_to_put_events",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::406342097594:root"
},
"Action": "events:PutEvents",
"Resource": "arn:aws:events:us-east-2:406342097594:event-bus/default"
}, {
"Sid": "allow_account_to_manage_rules_they_created",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::406342097594:root"
},
"Action": ["events:PutRule", "events:PutTargets", "events:DeleteRule",
"events:RemoveTargets", "events:DisableRule", "events:EnableRule",
"events:TagResource", "events:UntagResource", "events:DescribeRule",
"events:ListTargetsByRule", "events:ListTagsForResource"],
"Resource": "arn:aws:events:us-east-2:406342097594:rule/default",
"Condition": {
"StringEqualsIfExists": {
"events:creatorAccount": "406342097594"
}
}
}]
}
Getting the error below:
INFO AccessDeniedException: User: arn:aws:sts::406342097594:assumed-role/SDL-role-kz8ds7y3/SDL-Connector is not authorized to perform: events:EnableRule on resource: arn:aws:events:us-east-2:406342097594:rule/SDL-Connector because no identity-based policy allows the events:EnableRule action
In my role I added an inline policy and copied the AmazonEventBridgeFullAccess policy JSON from https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-use-identity-based.html and it worked.
In my terraform script I have the following resource -
resource "aws_api_gateway_account" "demo" {
cloudwatch_role_arn = var.apigw_cloudwatch_role_arn
}
In the Apply stage, I see the following error -
2020/09/21 20:20:48 [ERROR] <root>: eval: *terraform.EvalApplyPost, err: Updating API Gateway Account failed: AccessDeniedException:
status code: 403, request id: abb0662e-ead2-4d95-b987-7d889088a5ef
Is there a specific permission that needs to be attached to the role in order to get rid of this error?
Ran into the same problem as #bdev03; it took me 2 days to identify that the missing permission is "iam:PassRole". It would be so good if Terraform were able to point that out. Hope this helps.
Since neither this thread (so far) nor the official documentation is doing a very good job at solving this problem... The minimal policy statements required for this action are:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPassingTheRoleToApiGateway",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": ["apigateway.amazonaws.com"]
                }
            }
        },
        {
            "Sid": "AllowAPIGatewayUpdate",
            "Effect": "Allow",
            "Action": [
                "apigateway:UpdateRestApiPolicy",
                "apigateway:PATCH",
                "apigateway:GET"
            ],
            "Resource": "*"
        }
    ]
}
I haven't tested, but I believe the role needs what's shown below. See more context at the source: "To enable CloudWatch Logs" section at https://docs.aws.amazon.com/apigateway/latest/developerguide/stages.html
For common application scenarios, the IAM role could attach the
managed policy of AmazonAPIGatewayPushToCloudWatchLogs, which contains
the following access policy statement:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:PutLogEvents",
                "logs:GetLogEvents",
                "logs:FilterLogEvents"
            ],
            "Resource": "*"
        }
    ]
}
The IAM role must also contain the following trust relationship
statement:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "apigateway.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
I have a user group which we use for one of our environments in AWS.
We are trying to limit access of that group only to a specific S3 bucket.
So, I created a policy as follows:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::staging"
}
]
}
If I use AWS policy simulator, all shows as expected (at least looks like it).
But, through the app, which uses the API key of a user in this group, I am getting access denied when I upload a file.
What am I doing wrong?
This gives the same result
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:DeleteObject",
"s3:DeleteObjectVersion"
],
"Resource": [
"arn:aws:s3:::staffila-staging",
"arn:aws:s3:::staffila-staging/*"
]
}
]
}
Use this policy; this will work.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::staging"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:DeleteObject",
"s3:DeleteObjectVersion"
],
"Resource": ["arn:aws:s3:::staging/*"]
}
]
}
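The answer's two-statement shape is the general rule behind both this question and the "folder" question at the top of the page: S3 authorises bucket-level actions (s3:ListBucket and friends) against the bucket ARN and object-level actions (s3:GetObject, s3:PutObject, ...) against an object ARN of the form bucket/key. A statement that grants s3:* or s3:PutObject on `arn:aws:s3:::staging` alone therefore never matches an upload, and s3:ListBucket on `bucket/timeline/*` never matches a listing. The following added example (not code from any post or answer here) lints statements for that mismatch and rewrites one into the two-statement form, optionally scoped to a key prefix with the s3:prefix condition key for the "folder" case. The action table is limited to the actions used on this page; anything not in it (s3:ListBucketByTags) is skipped rather than judged, and the three sample policies are the ones posted above. Note that the lint passes the poster's second policy, whose resource ARNs are already correct for object actions (it names staffila-staging where the first names staging).

```python
"""Lint S3 IAM statements for the bucket-ARN versus object-ARN mismatch and
rewrite them into bucket-statement + object-statement form. Added example;
the action table is an assumption covering only the actions on this page."""
import fnmatch

BUCKET_ACTIONS = {"s3:ListBucket", "s3:ListBucketVersions", "s3:ListBucketMultipartUploads"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion", "s3:PutObject", "s3:DeleteObject",
                  "s3:DeleteObjectVersion", "s3:ListMultipartUploadParts"}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _resource_type(arn):
    """'bucket' for arn:aws:s3:::name, 'object' for arn:aws:s3:::name/..., 'any' for '*'."""
    if arn == "*":
        return "any"
    return "object" if "/" in arn.split(":::", 1)[1] else "bucket"


def _expand(action_patterns, table):
    """Concrete actions in `table` covered by the (possibly wildcard) patterns."""
    return sorted(a for a in table if any(fnmatch.fnmatchcase(a, p) for p in action_patterns))


def lint(policy):
    """Return (statement index, action, missing resource type) for each Allow
    whose Resource list cannot match the resource type the action needs."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        have = {_resource_type(r) for r in _as_list(stmt["Resource"])}
        if "any" in have:
            continue
        for pattern in _as_list(stmt["Action"]):
            needs = set()
            if _expand([pattern], BUCKET_ACTIONS):
                needs.add("bucket")
            if _expand([pattern], OBJECT_ACTIONS):
                needs.add("object")
            for missing in sorted(needs - have):
                findings.append((i, pattern, missing))
    return findings


def split_statement(stmt, bucket, prefix=""):
    """Rewrite one Allow statement into a listing statement on the bucket ARN
    (limited to `prefix` via s3:prefix when one is given) plus an object
    statement on bucket/<prefix>*. Principal is carried over so the result
    works in a bucket policy as well as in an identity policy."""
    patterns = _as_list(stmt["Action"])
    carry = {"Principal": stmt["Principal"]} if "Principal" in stmt else {}
    out = []
    bucket_acts = _expand(patterns, BUCKET_ACTIONS)
    if bucket_acts:
        s = dict(carry, Effect="Allow", Action=bucket_acts, Resource=[f"arn:aws:s3:::{bucket}"])
        if prefix:
            s["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}*"]}}
        out.append(s)
    object_acts = _expand(patterns, OBJECT_ACTIONS)
    if object_acts:
        out.append(dict(carry, Effect="Allow", Action=object_acts,
                        Resource=[f"arn:aws:s3:::{bucket}/{prefix}*"]))
    return out


# The policies as posted above (this question's two attempts, and the first
# question's bucket-policy statement for the "timeline" folder).
STAGING_WILDCARD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::staging"}]}
STAGING_OBJECT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion",
                "s3:DeleteObject", "s3:DeleteObjectVersion"],
     "Resource": ["arn:aws:s3:::staffila-staging", "arn:aws:s3:::staffila-staging/*"]}]}
TIMELINE_FOLDER = {"Version": "2012-10-17", "Statement": [
    {"Sid": "TEST_PublicReadGetObject", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::807676775814:user/project/api/testuserapi-abc123"},
     "Action": ["s3:GetObject", "s3:ListBucket", "s3:ListBucketByTags",
                "s3:ListBucketMultipartUploads", "s3:ListBucketVersions",
                "s3:ListMultipartUploadParts"],
     "Resource": "arn:aws:s3:::testbucket-securitytest/timeline/*"}]}

if __name__ == "__main__":
    for name, pol in [("staging s3:*", STAGING_WILDCARD), ("staging object", STAGING_OBJECT),
                      ("timeline folder", TIMELINE_FOLDER)]:
        print(name, lint(pol))
    print(split_statement(STAGING_WILDCARD["Statement"][0], "staging"))
    print(split_statement(TIMELINE_FOLDER["Statement"][0], "testbucket-securitytest", "timeline/"))
```

With a prefix, the listing statement carries `"Condition": {"StringLike": {"s3:prefix": ["timeline/*"]}}`, so the user can list only keys under that folder rather than the whole bucket, and the object statement is narrowed to `bucket/timeline/*`; that is tighter than the accepted fix in the first question, which grants s3:ListBucket on the entire bucket.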
I have the following policy on my bucket:
{
"Version": "2012-10-17",
"Id": "PolicyID",
"Statement": [
{
"Sid": "Download",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::my-bucket/*"
},
{
"Sid": "Upload",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:PutObject"
],
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}
And some file SomeFile.txt with no individual permissions and no owner. However, despite the policy, if I attempt to Get the object anonymously, I have no luck. I really don't know what to do about this. I suspect the lack of owner is the problem, but I'm truthfully lost.
Also, only objects uploaded through my python service suffer this issue. Those uploaded online are fine.