13

I have a lambda function making an s3 HeadObject call. Even though there has been a custom policy made for this lambda function, I keep getting a 403 error whenever this HeadObject call is made. It is specifically:

An error occurred (403) when calling the HeadObject operation: Forbidden

My policy very clearly allows GetObject calls for the bucket in question. Not sure what the problem is. I have triple checked that it all lines up. The line in question is:

    import boto3
    from os import environ

    s3 = boto3.client('s3')
    # key_name and OUTPUT_FILE_NAME are defined earlier in the handler (not shown here)
    local_file_path = '/tmp/' + key_name.split('/')[-1] + '_REMOTE.json'
    response = s3.head_object(Bucket=environ['OUTPUT_BUCKET'], Key=OUTPUT_FILE_NAME)

Let me know if I can provide more info to help

3
  • and the file exists ? Commented Sep 26, 2018 at 0:00
  • @b.b3rn4rd the file doesn't exist yet, but does that mean it will return an error? For context I'm implementing this file given by Amazon github.com/awslabs/aws-waf-security-automations/blob/master/… Commented Sep 26, 2018 at 0:09
  • yeah mate that's expected Commented Sep 26, 2018 at 0:12

4 Answers

21

Since you said the file is missing, it's expected behaviour if you're missing s3:ListBucket permissions.

You need the s3:GetObject permission for this operation. For more information, go to Specifying Permissions in a Policy in the Amazon Simple Storage Service Developer Guide. If the object you request does not exist, the error Amazon S3 returns depends on whether you also have the s3:ListBucket permission.

If you have the s3:ListBucket permission on the bucket, Amazon S3 will return a HTTP status code 404 ("no such key") error.

If you don’t have the s3:ListBucket permission, Amazon S3 will return a HTTP status code 403 ("access denied") error.

Link to the doco

There is also a "different" eventual consistency behaviour for doing HEAD before uploading the object

Amazon S3 Data Consistency Model Amazon S3 provides read-after-write consistency for PUTS of new objects in your S3 bucket in all regions with one caveat. The caveat is that if you make a HEAD or GET request to the key name (to find if the object exists) before creating the object, Amazon S3 provides eventual consistency for read-after-write.


4 Comments

Okay I'll add that permission and give it another try. Thanks!
I'm not sure this was the solution. I just got it to run when I created everything in my test environment. For some reason it only works half the time and I'm not understanding why.
I'm thinking it might be a regional thing? My test environment succeeded in us-west-1, but I'm having problems in us-east-1. Not sure why that would matter though.
I was essentially chasing a red herring on this issue. You were correct in that it was an expected error. I was incorrectly associating it with errors that cloudwatch was reporting to me.
7

I found the solution on this link, so all the credit goes to the author.

Basically you might need to check you have the right permissions (s3:GetObject and s3:ListBucket at least) for the operation and that the resource expression matches the ARN plus a path, e.g. this -> "Resource":"arn:aws:s3:::BUCKET_NAME/*" rather than this -> "Resource":"arn:aws:s3:::BUCKET_NAME".


1

I have just encountered this issue for keys with square brackets (e.g. [x][y]abcd.ext).
Upon renaming the keys, everything proceeded to work correctly, and the 403 error was resolved.

That was an incredibly non-intuitive solution.


0

s3:ListBucket is a bucket-specific permission, so iamInlinePolicies should look like this:

      # Object-level actions: the resource is the bucket ARN plus a key path
      - Effect: Allow
        Action:
          - s3:ListBucket   # has no effect on an object ARN; granted on the bucket below
          - s3:PutObject
          - s3:GetObject
          - s3:DeleteObject
        Resource: 'arn:aws:s3:::BUCKET_NAME/*'
      # Bucket-level action: the resource is the bucket ARN itself, no path
      - Effect: Allow
        Action:
          - s3:ListBucket
        Resource: 'arn:aws:s3:::BUCKET_NAME'

Adding a resource like arn:aws:s3:::BUCKET_NAME/* lets you perform operations on objects inside the bucket, and for ListBucket the resource is only the bucket ARN itself, arn:aws:s3:::BUCKET_NAME.

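Putting the answers together (the 404-versus-403 rule quoted from the S3 docs in the accepted answer, and the bucket-ARN versus object-ARN split in the last two answers), here is an added offline example that is not code from the question or from any answer: a small policy matcher that predicts which status HeadObject returns. The policy statements, bucket name and key are constructed for the demo, and the matcher is a simplification of real IAM evaluation (wildcards in Action and Resource, explicit Deny wins; no Condition, NotAction or resource policies).

```python
from fnmatch import fnmatchcase

# Constructed sample policies (dict form of the YAML statements in the answers).
BUCKET = "BUCKET_NAME"
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
POLICY_OBJECTS_ONLY = [  # GetObject on objects, no ListBucket on the bucket
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": [f"{BUCKET_ARN}/*"]},
]
POLICY_LIST_ON_WRONG_ARN = POLICY_OBJECTS_ONLY + [  # ListBucket on /*: never matches
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [f"{BUCKET_ARN}/*"]},
]
POLICY_CORRECT = POLICY_OBJECTS_ONLY + [  # ListBucket on the bucket ARN itself
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [BUCKET_ARN]},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource_arn):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow grants access. Actions compare case-insensitively, ARNs case-sensitively."""
    allowed = False
    for stmt in policy:
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatchcase(resource_arn, r) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def head_object_status(policy, bucket, key, object_exists):
    """Predict the HTTP status HeadObject returns under the documented rules:
    no GetObject -> 403; object present -> 200; object missing -> 404 only when
    ListBucket is allowed on the bucket ARN, otherwise 403 (S3 hides existence)."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    if not is_allowed(policy, "s3:GetObject", f"{bucket_arn}/{key}"):
        return 403
    if object_exists:
        return 200
    return 404 if is_allowed(policy, "s3:ListBucket", bucket_arn) else 403


if __name__ == "__main__":  # missing key under each policy -> [403, 403, 404]
    print([head_object_status(p, BUCKET, "out/report.json", False)
           for p in (POLICY_OBJECTS_ONLY, POLICY_LIST_ON_WRONG_ARN, POLICY_CORRECT)])
```

The middle policy is the trap from the last two answers: ListBucket granted on `BUCKET_NAME/*` never matches the bucket ARN, so a missing key still surfaces as a 403 rather than a 404.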
