1
votes

I have a bucket called "my-bucket" in account A and I'm trying to determine its location from account B.

I have the following bucket policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::11122233344:root"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::my-bucket/*"
        },
        {
            "Sid": "2",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::11122233344:root"
            },
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::my-bucket"
        }
    ]
}

I've also stumbled across this documentation which contains the same policy: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example2.html

Now using account B, I can successfully execute the command aws s3 ls s3://my-bucket, however with aws s3api get-bucket-location --bucket my-bucket I get the access denied message.

1
The user in Account 2 needs an IAM user policy granting this permission against the foreign bucket. What you have done so far is to allow such a grant to be honored, if it exists. – Michael - sqlbot
@Michael-sqlbot, the user in account 2 has been allowed all s3 actions on any resource. – Blease
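An added illustration (not code from the question, the answer or AWS): a simplified offline evaluator of the two-policy rule in Michael - sqlbot's comment, that a cross-account request needs an Allow from both the bucket policy and the caller's own identity policy, run against the question's bucket policy and constructed identity policies for account B. It also shows why bucket-level actions such as s3:GetBucketLocation must be granted on the bucket ARN rather than the bucket/* object ARN. Assumptions: the user ARN and the identity policies are made up; Condition, NotAction/NotResource and the bucket-owner rule quoted in the answer are not modelled.

```python
import fnmatch

# The bucket policy posted in the question (account ID copied from the question as-is).
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "1", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::11122233344:root"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::my-bucket/*"},
    {"Sid": "2", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::11122233344:root"},
     "Action": ["s3:GetBucketLocation", "s3:ListBucket"], "Resource": "arn:aws:s3:::my-bucket"}]}

# Constructed identity policies for a user in account B (not from the question).
IDENTITY_FULL_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
IDENTITY_OBJECTS_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::my-bucket/*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold=False):
    # IAM-style '*' and '?' wildcards; action names compare case-insensitively, ARNs do not.
    patterns = [p.lower() for p in _as_list(patterns)] if fold else _as_list(patterns)
    value = value.lower() if fold else value
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _principal_matches(statement, principal_arn):
    principal = statement.get("Principal", "*")
    if principal == "*":
        return True
    # Naming the account root (as the question's policy does) delegates to every identity in that account.
    account_root = "arn:aws:iam::%s:root" % principal_arn.split(":")[4]
    return any(p in ("*", principal_arn, account_root) for p in _as_list(principal.get("AWS", [])))


def evaluate(policy, action, resource, principal_arn=None):
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document; an explicit Deny always wins."""
    verdict = "Implicit"
    for statement in policy["Statement"]:
        if principal_arn is not None and not _principal_matches(statement, principal_arn):
            continue
        if not _matches(statement["Action"], action, fold=True) or not _matches(statement["Resource"], resource):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        verdict = "Allow"
    return verdict


def cross_account_allowed(bucket_policy, identity_policy, principal_arn, action, resource):
    """Cross-account calls need an Allow from both the bucket policy and the caller's identity policy."""
    return (evaluate(bucket_policy, action, resource, principal_arn) == "Allow"
            and evaluate(identity_policy, action, resource) == "Allow")
```

With the question's policy, GetBucketLocation on the bucket ARN is allowed only when the account B identity policy also covers it, and is never allowed on the bucket/* resource.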

1 Answer

0
votes

According to the documentation: https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETlocation.html

To use this implementation of the operation, you must be the bucket owner.

When in doubt, always refer to the AWS API documentation; it usually specifies the permission needed for the given action.