aws-sdk-js: Access Denied with putObject with ACL

I’m having an issue with putObject, but only when trying to set the ACL. If I remove that line it works, but then signed urls say access denied. Are there specific permissions needed for this?

Application code (partial)

var fs = require('fs');

function uploadToS3(fileID, fileName) {
    var file = fs.readFileSync(fileID);

    var AWS = require('aws-sdk');
    AWS.config.region = 'us-east-1';
    var s3 = new AWS.S3({
        accessKeyId:     'ACCESS_KEY',
        secretAccessKey: 'SECRET_KEY'
    });

    var params = {
        Bucket: 'MY_BUCKET',
        Key: serviceID,  // serviceID is not defined in this partial snippet
        Body: file,
        ContentDisposition: 'filename="' + fileName + '"',
        StorageClass: 'REDUCED_REDUNDANCY',
        ACL: 'authenticated-read',  /* this gives me access denied */
    };
    s3.putObject(params, function(err, data) {
        if (err) {
            console.log("--- [ERROR] - Caching Failed");
            console.log(err, err.stack); // an error occurred
        }
        else {
            console.log("--- File Cached");
            console.log(data);           // successful response
        }
    });

}

S3 Bucket Policy file

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "StmtXXXXXXX",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:ListBucket",
                "s3:ListMultipartUploadParts",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::my_bucket"
            ]
        }
    ]
}

I even gave it ALL permissions (as an additional policy), and still get access denied.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StmtXXXXXXX",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::my_bucket"
      ]
    }
  ]
}

The Policy Simulator shows “allowed” for PutObject, GetObjectACL, PutObjectACL, in both policy files.

Node Error:

{ [AccessDenied: Access Denied]
  message: 'Access Denied',
  code: 'AccessDenied',
  time: Fri Mar 28 2014 15:27:58 GMT+0000 (UTC),
  statusCode: 403,
  retryable: false,
  _willRetry: false } 

'AccessDenied: Access Denied
    at Request.extractError (.../app_worker/node_modules/aws-sdk/lib/services/s3.js:240:35)
    at Request.callListeners (.../app_worker/node_modules/aws-sdk/lib/sequential_executor.js:114:20)
    at Request.callListeners (.../app_worker/node_modules/aws-sdk/lib/sequential_executor.js:115:16)
    at Request.emit (.../app_worker/node_modules/aws-sdk/lib/sequential_executor.js:81:10)
    at Request.emit (.../app_worker/node_modules/aws-sdk/lib/request.js:578:14)
    at Request.transition (.../app_worker/node_modules/aws-sdk/lib/request.js:12:12)
    at AcceptorStateMachine.runTo (.../app_worker/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at .../app_worker/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (.../app_worker/node_modules/aws-sdk/lib/request.js:28:9)
    at Request.<anonymous> (.../app_worker/node_modules/aws-sdk/lib/request.js:580:12)'

About this issue

  • State: closed
  • Created 10 years ago
  • Comments: 23 (4 by maintainers)

Most upvoted comments

I was running into this problem, where node-lambda (a tool for testing/deploying lambda functions locally) was able to set ACLs on objects, while the same code deployed to AWS generated “Access Denied” errors.

If anyone is having this problem with lambda functions, be sure to go to IAM role management and edit the policy for the Lambda role (I think the default role is lambda_s3_exec_role). The policy includes “s3:getObject” and “s3:PutObject”, but should also include “s3:PutObjectAcl” if you need to set access control for files.

node-lambda uses an .env file which contains a key/secret, which in my case gave me more permissions locally than lambda_s3_exec_role had.
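As an added illustration (not code from the issue or from aws-sdk-js): a small Allow-only matcher that reports which of the two actions needed by a putObject call with an ACL parameter a policy fails to grant on the object ARN. The key name and the three sample policies are constructed from the thread; Deny, Condition and Principal evaluation are out of scope.

```javascript
// Added example: Allow-only matcher for identity-policy statements.
// Assumption: Deny, Condition, Principal and NotAction/NotResource are ignored.
function wildcardToRegExp(pattern, flags) {
  // IAM wildcards: '*' matches any run of characters, '?' exactly one.
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$', flags);
}

function asArray(value) {
  return Array.isArray(value) ? value : [value];
}

function allows(policy, action, resourceArn) {
  return asArray(policy.Statement).some(function (st) {
    return st.Effect === 'Allow' &&
      // Action names are case-insensitive; resource ARNs are not.
      asArray(st.Action).some(a => wildcardToRegExp(a, 'i').test(action)) &&
      asArray(st.Resource).some(r => wildcardToRegExp(r).test(resourceArn));
  });
}

// putObject with an ACL parameter needs both actions on the object ARN.
function missingForPutWithAcl(policy, bucket, key) {
  const objectArn = 'arn:aws:s3:::' + bucket + '/' + key;
  return ['s3:PutObject', 's3:PutObjectAcl']
    .filter(action => !allows(policy, action, objectArn));
}

function statement(actions, resource) {
  return { Version: '2012-10-17',
           Statement: [{ Effect: 'Allow', Action: actions, Resource: [resource] }] };
}

// Constructed inputs modelled on the thread; the key name is hypothetical.
const bucketArnOnly = statement(['s3:*'], 'arn:aws:s3:::my_bucket');
const lambdaRole = statement(['s3:GetObject', 's3:PutObject'], 'arn:aws:s3:::my_bucket/*');
const lambdaRoleFixed = statement(
  ['s3:GetObject', 's3:PutObject', 's3:PutObjectAcl'], 'arn:aws:s3:::my_bucket/*');

console.log(missingForPutWithAcl(bucketArnOnly, 'my_bucket', 'cache/report.pdf'));
console.log(missingForPutWithAcl(lambdaRole, 'my_bucket', 'cache/report.pdf'));
console.log(missingForPutWithAcl(lambdaRoleFixed, 'my_bucket', 'cache/report.pdf'));
```

The first result lists both actions because a statement scoped to the bucket ARN alone never matches an object ARN; the second models a role that has s3:PutObject but not s3:PutObjectAcl. Other policies attached to the same credentials can still grant what a single document lacks.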

Hey, making a quick post in case anybody was in the same boat as me and came across this thread.

Going to expand a bit on chollier. The policy on the s3 bucket I was trying to putObject into didn’t allow the current IAM role/user to set the ACL. The solution is to update the s3 bucket’s policy’s Principal to include the IAM role/user ARN. See https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html#example-bucket-policies-use-case-1

@okdewit I almost punched myself in the face because of this. Thanks aws and their clusterf*** of policies/permissions

I had the same issue in my Node runtime v4.3: the S3 bucket is in a different IAM role and my Lambda is in my IAM role, created by the admin of the AWS account. I used AWS-SDK apiVersion ‘2006-03-01’. I checked all my policies and they look fine; I had all the access. Then I used my access key and secret key in the aws.S3({}) object so that it is able to read the bucket and file using my keys.

See http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html; on that page, find “Constructing a S3 object” and you will get the details.

I hope this may help someone…