0
votes

I'm trying to use this command to set the static website hosting:

aws s3api put-bucket-website --bucket XXXX --website-configuration file://assets/website.json

website.json

{
    "IndexDocument": {
        "Suffix": "index.html"
    },
    "ErrorDocument": {
        "Key": "index.html"
    }
}

bucket policy

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::XXXX/*"
        }
    ]
}

I'm getting the error:

An error occurred (AccessDenied) when calling the PutBucketWebsite operation: Access Denied

What should I change in the bucket policy?

2
What is your IAM role looking like? - alex067
@alex067 I have AdministratorAccess and AmazonS3FullAccess - Dmitry Grinko

2 Answers

1
votes

This PUT operation requires the S3:PutBucketWebsite permission:

Add bucket policy:

    aws s3api put-bucket-policy \
        --bucket XXXX \
        --policy file://s3-bucket-policy.json

s3-bucket-policy.json:

{
    "Version": "2008-10-17",
    "Statement": [
         {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::XXXX/*"
         },
         {
            "Effect": "Allow",
            "Principal": {
               "AWS": "*"
            },
            "Action": [
               "S3:PutBucketWebsite"
            ],
            "Resource": "arn:aws:s3:::XXXX"
         }
    ]
}

Set the static website hosting:

aws s3api put-bucket-website \
    --bucket XXXX \
    --website-configuration file://website.json

website.json:

{
    "IndexDocument": {
        "Suffix": "index.html"
    },
    "ErrorDocument": {
        "Key": "index.html"
    }
}
0
votes

Your bucket policy only allows you to perform a GET operation, but you want to do a PUT operation.

It looks like your IAM has Admin and full S3 access as you mentioned, but you don't have bucket level access for that specific bucket.

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::XXXX/*"
        },
        {
             "Sid": "AllowPutBucket",
             "Effect": "Allow",
             "Action": [
                 "s3:*"
             ],
              "Resource": [
                 "arn:aws:s3:::bucketname",
                  "arn:aws:s3:::bucketname/*"
              ]
        }
    ]
}
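
Added example, not part of either answer and not AWS tooling: a small Python check that reads a bucket policy and reports statements that let every caller use anything beyond `s3:GetObject`, or that lack the `Principal` element a bucket policy requires. The `PUBLIC_SAFE` allow-list and the function names are assumptions made for this example, and the sample policy is constructed from the second answer's policy.

```python
import json

# Constructed sample mirroring the second answer's policy (closing quote restored).
POLICY = json.loads("""{
  "Version": "2008-10-17",
  "Statement": [
    {"Sid": "AllowPublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::XXXX/*"},
    {"Sid": "AllowPutBucket", "Effect": "Allow", "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/*"]}
  ]
}""")

# Assumption for this example: object reads are the only action anonymous callers need.
PUBLIC_SAFE = {"s3:getobject"}


def as_list(value):
    """Policy fields may hold one value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_public(principal):
    """True for "*" and for {"AWS": "*"}, which both match any caller."""
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS"))
    return principal == "*"


def audit(policy):
    """Return (sid, problem) pairs for statements that need a second look."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"statement[{i}]")
        if "Principal" not in stmt and "NotPrincipal" not in stmt:
            findings.append((sid, "no Principal element (required in a bucket policy)"))
        elif stmt.get("Effect") == "Allow" and is_public(stmt.get("Principal")) \
                and "Condition" not in stmt:
            # Action names are case-insensitive, so compare in lower case.
            risky = [a for a in as_list(stmt.get("Action")) if a.lower() not in PUBLIC_SAFE]
            if risky:
                findings.append((sid, "any caller may use " + ", ".join(risky)))
    return findings


if __name__ == "__main__":
    for sid, problem in audit(POLICY):
        print(f"{sid}: {problem}")
```

Statements that carry a `Condition` are skipped rather than cleared, so they still need a manual read.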