AWS S3 Access Denied on delete


I have a bucket that I can write to with no problem. However, when I try to delete an object, I get an error ...
AccessDeniedException in NamespaceExceptionFactory.php line 91
Following the very basic example here, I came up with this command ...
    $result = $s3->deleteObject(array(
        'Bucket' => $bucket,
        'Key'    => $keyname
    ));
I have tried variations of this based upon other tutorials and questions I have found.
    $result = $s3->deleteObject(array(
        'Bucket'         => $bucket,
        'Key'            => $keyname,
        'Content-Type'   => $contentType,
        'Content-Length' => 0
    ));
But everything produces the same error. Any suggestions?
A user being able to create an object in a bucket doesn't necessarily imply that the same user can delete the object that he/she may have created.
S3 permissions can be granular at the resource level (bucket/prefix), where the actions that your role can take could be one or many of the permissions (see: http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html).
It looks like you have the s3:PutObject permission but not s3:DeleteObject.
It's quite common to have write permission (a user that just writes the data to S3) and a separate delete permission with another user (to avoid accidental deletes).
To check whether you really have access to the specific bucket actions, use the iam get-role-policy API to view the permissions you have for the role that you are using to try to delete. Here is an example:
    $ aws iam get-role-policy --role-name <<your-role-name>> --policy-name <<your-policy-name>>
    {
        "RoleName": "myrolename",
        "PolicyDocument": {
            "Version": "yyyy-mm-dd",
            "Statement": [
                {
                    "Action": [
                        "s3:AbortMultipartUpload",
                        "s3:DeleteObject",
                        "s3:Get*",
                        "s3:List*",
                        "s3:ListBucket",
                        "s3:PutObject*"
                    ],
                    "Resource": [
                        "arn:aws:s3:::bucket1/*",
                        "arn:aws:s3:::bucket2/*"
                    ],
                    "Effect": "Allow",
                    "Sid": "yyyy"
                }
            ]
        },
        "PolicyName": "mypolicyname"
    }
Most likely in your case, you may not have the "s3:DeleteObject" action for that resource (bucket/prefix).
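The check described in the answer above can be done offline against a saved policy document. The following is an added example, not code from the original question or answer: a simplified evaluator for a single identity policy that shows why a put can be allowed while a delete on the same key is refused. It assumes statements use only Action and Resource (no Condition, NotAction or NotResource) and does not model bucket policies, permission boundaries or SCPs; the policy, Sids and `uploads/` prefixes are constructed for illustration.

```python
import json
import re

# Constructed policy, modelled on the get-role-policy output above; Sids and
# the uploads/ prefixes are placeholders, not values from the original answer.
POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
  {"Sid": "Write", "Effect": "Allow",
   "Action": ["s3:PutObject*", "s3:Get*", "s3:List*"],
   "Resource": ["arn:aws:s3:::bucket1/*", "arn:aws:s3:::bucket2/*"]},
  {"Sid": "DeleteUploads", "Effect": "Allow",
   "Action": "s3:DeleteObject",
   "Resource": "arn:aws:s3:::bucket1/uploads/*"},
  {"Sid": "ProtectArchive", "Effect": "Deny",
   "Action": "s3:Delete*",
   "Resource": "arn:aws:s3:::bucket1/uploads/archive/*"}]}
""")

def _as_list(value):
    # IAM allows Action/Resource/Statement to be a single value or a list.
    return value if isinstance(value, list) else [value]

def _wild(pattern, value, flags=0):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, flags | re.DOTALL) is not None

def evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one identity policy."""
    decision = "ImplicitDeny"
    for st in _as_list(policy["Statement"]):
        if st.keys() & {"Condition", "NotAction", "NotResource"}:
            raise ValueError("statement uses elements not handled here")
        hit = (any(_wild(a, action, re.IGNORECASE) for a in _as_list(st["Action"]))
               and any(_wild(r, resource) for r in _as_list(st["Resource"])))
        if hit and st["Effect"] == "Deny":
            return "Deny"          # an explicit Deny always wins
        if hit:
            decision = "Allow"     # keep scanning in case a Deny follows
    return decision

if __name__ == "__main__":
    for act, key in [("s3:PutObject", "photo.jpg"), ("s3:DeleteObject", "photo.jpg"),
                     ("s3:DeleteObject", "uploads/a.jpg"),
                     ("s3:DeleteObject", "uploads/archive/a.jpg")]:
        print(act, key, "->", evaluate(POLICY, act, "arn:aws:s3:::bucket1/" + key))
```

The second case, `ImplicitDeny` for `s3:DeleteObject` on a key the role can write, is the situation in the question: no statement grants the delete action on that resource.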
