Boto3 Upload file API as an IAM user is giving the error “An error occurred (AccessDenied) when calling the PutObject operation: Access Denied”

Question

I have a flask application that makes a boto3 upload file call to upload a file to an S3 bucket. I am making this call as an IAM user since only authenticated users can make a multipart upload.

Here is the part of the python code that uploads the file onto S3 bucket:

    s3_client = boto3.client('s3', aws_access_key_id=ACCESS_KEY, aws_secret_access_key=SECRET_KEY)

    response = s3_client.upload_file(file_name, bucket, object_name)

S3 bucket policy:

{
    "Version": "2012-10-17",
    "Id": "Policy*********",
    "Statement": [
        {
            "Sid": "Stmt*********",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::12******756:user/<iam-user>"
            },
            "Action": [
                "s3:*",
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:*Object"
            ],
            "Resource": [
                "arn:aws:s3:::<bucketname>",
                "arn:aws:s3:::<bucketname>/*"
            ]
        }
    ]
}

IAM user policy:

I have assigned the following permissions to the IAM user along with AmazonS3FullAccess (AWS managed policy) -

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetAccessPoint",
                "s3:PutAccountPublicAccessBlock",
                "s3:GetAccountPublicAccessBlock",
                "s3:ListAllMyBuckets",
                "s3:ListAccessPoints",
                "s3:ListJobs",
                "s3:CreateJob",
                "s3:PutObject"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::*/*"
        }
    ]
}

However, I am still seeing the error - "An error occurred (AccessDenied) when calling the PutObject operation: Access Denied".

Any suggestions on how to fix this will be very helpful

EDIT: Adding the error and stack trace here:

Traceback (most recent call last):
  File "/Users/se/lib/python3.7/site-packages/boto3/s3/transfer.py", line 279, in upload_file
    future.result()
  File "/Users/se/lib/python3.7/site-packages/s3transfer/futures.py", line 106, in result
    return self._coordinator.result()
  File "/Users/se/lib/python3.7/site-packages/s3transfer/futures.py", line 265, in result
    raise self._exception
  File "/Users/se/lib/python3.7/site-packages/s3transfer/tasks.py", line 126, in __call__
    return self._execute_main(kwargs)
  File "/Users/se/lib/python3.7/site-packages/s3transfer/tasks.py", line 150, in _execute_main
    return_value = self._main(**kwargs)
  File "/Users/se/lib/python3.7/site-packages/s3transfer/upload.py", line 692, in _main
    client.put_object(Bucket=bucket, Key=key, Body=body, **extra_args)
  File "/Users/se/lib/python3.7/site-packages/botocore/client.py", line 276, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/Users/se/lib/python3.7/site-packages/botocore/client.py", line 586, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "moveToS3.py", line 76, in <module>
    main()
  File "moveToS3.py", line 65, in main
    response = upload_file(file_name, bucket_name, object_name)
  File "moveToS3.py", line 39, in upload_file
    response = s3_client.upload_file(file_name, bucket, object_name)
  File "/Users/se/lib/python3.7/site-packages/boto3/s3/inject.py", line 131, in upload_file
    extra_args=ExtraArgs, callback=Callback)
  File "/Users/se/lib/python3.7/site-packages/boto3/s3/transfer.py", line 287, in upload_file
    filename, '/'.join([bucket, key]), e))
boto3.exceptions.S3UploadFailedError: Failed to upload output1.txt to <bucketname>/01-12-2020 06:54:36 output.txt: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

could you paste the error and stack trace log, this will help in identifying the issue — Anand Vidvat
Can you confirm that you are using the correct iam user credentials in your boto3. Your bucket policy should not matter if the user has administrator rights. — Marcin
The user does not have administrator rights, the user has AmazonS3FullAccess, and yes I confirmed that I have used the right IAM credentials — krr

Anand Vidvat Anand Vidvat · Accepted Answer · 2020-12-01T18:16:28

I see that, you are using upload_file function and passing file_name, bucket and object_key as arguments to this function.

according to error log , the value of bucket is <bucketname> and object_key is 01-12-2020 06:54:36 output.txt. I believe once you pass appropriate values, this should work for you

Error log which highlights the issue:

boto3.exceptions.S3UploadFailedError: Failed to upload output1.txt to <bucketname>/01-12-2020 06:54:36 output.txt: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

Boto3 Upload file API as an IAM user is giving the error “An error occurred (AccessDenied) when calling the PutObject operation: Access Denied”

1 Answers