AWS S3 Access Denied on delete
I have a bucket that I can write to with no problem. However, when I try to delete an object, I get an error ...

AccessDeniedException in NamespaceExceptionFactory.php line 91

Following the very basic example here, I came up with this command ...

$result = $s3->deleteObject(array(
    'Bucket' => $bucket,
    'Key'    => $keyname
));

I have tried variations of this based upon other tutorials and questions I have found.

$result = $s3->deleteObject(array(
    'Bucket'         => $bucket,
    'Key'            => $keyname,
    'Content-Type'   => $contentType,
    'Content-Length' => 0
));

But everything produces the same error. Any suggestions?

Chandigarh answered 7/3, 2017 at 20:54 Comment(0)
It's quite common to have write permission (a user that just writes the data to S3) and a separate delete permission with another user (to avoid accidental deletes).

You can check whether you really have access to the specific bucket actions: use the iam get-role-policy API to view the permissions you have for the role that you are using to try to delete. Here is an example:

$ aws iam get-role-policy --role-name <<your-role-name>> --policy-name <<your-policy-name>>

{
    "RoleName": "myrolename",
    "PolicyDocument": {
        "Version": "yyyy-mm-dd",
        "Statement": [
            {
                "Action": [
                    "s3:AbortMultipartUpload",
                    "s3:DeleteObject",
                    "s3:Get*",
                    "s3:List*",
                    "s3:ListBucket",
                    "s3:PutObject*"
                ],
                "Resource": [
                    "arn:aws:s3:::bucket1/*",
                    "arn:aws:s3:::bucket2/*"
                ],
                "Effect": "Allow",
                "Sid": "yyyy"
            }
        ]
    },
    "PolicyName": "mypolicyname"
}

Most likely, in your case you do not have the "s3:DeleteObject" action for that resource (bucket/prefix).

Noah answered 8/3, 2017 at 14:48 Comment(1)
This fixed a problem I was having. Thanks! - Distracted
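As an added illustration (not code from the answer, the AWS SDK, or AWS itself), here is a small Python evaluator for the identity-policy rule behind the answer above: an explicit Deny wins, otherwise any matching Allow grants, otherwise the action is implicitly denied. It runs over a constructed policy shaped like the get-role-policy output, with a hypothetical Deny statement added, and shows why a PutObject-only grant leaves DeleteObject denied; against a real account the equivalent check is `aws iam simulate-principal-policy`, which also accounts for bucket policies, conditions and boundaries that this toy ignores.

```python
import fnmatch

# Constructed sample policy, shaped like the get-role-policy output in the answer.
# bucket1 gets Put/Get/List but no DeleteObject; bucket2 gets DeleteObject except
# under a hypothetical "protected/" prefix, which is explicitly denied.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:AbortMultipartUpload", "s3:Get*", "s3:List*", "s3:PutObject*"],
         "Resource": ["arn:aws:s3:::bucket1/*", "arn:aws:s3:::bucket2/*"]},
        {"Effect": "Allow",
         "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::bucket2/*"},
        {"Effect": "Deny",
         "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::bucket2/protected/*"},
    ],
}


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate, case_sensitive):
    # IAM wildcards: '*' matches any run of characters (including '/'), '?' one character.
    # Action names are matched case-insensitively, resource ARNs case-sensitively.
    if not case_sensitive:
        candidate = candidate.lower()
        patterns = [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Return 'explicitDeny', 'allow' or 'implicitDeny' for one action on one ARN.

    Simplified: ignores Condition, NotAction/NotResource, and every other policy
    type (bucket policies, SCPs, permission boundaries, session policies)."""
    decision = "implicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not _matches(stmt.get("Action", []), action, case_sensitive=False):
            continue
        if not _matches(stmt.get("Resource", []), resource, case_sensitive=True):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"  # any matching Deny ends evaluation
        decision = "allow"
    return decision
```

Run `evaluate(SAMPLE_POLICY, "s3:DeleteObject", "arn:aws:s3:::bucket1/photo.jpg")` to reproduce the asker's situation: the PutObject* grant matches writes, but nothing grants the delete, so the result is an implicit deny, which S3 reports as AccessDenied.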
A user being able to create an object in a bucket doesn't necessarily imply that the same user can delete the object he/she created.

S3 permissions can be granular at the resource level (bucket/prefix), where the actions your role can take could be one or many of the permissions (see: http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html).

It looks like you have the s3:PutObject permission but not s3:DeleteObject.

Noah answered 7/3, 2017 at 22:27 Comment(4)
How can a user have read/write permissions and not delete? The description on mouse-over for this permission says it includes delete. - Chandigarh
It's quite common to have write permission (a user that just writes the data to S3) and a separate delete permission with another user (to avoid accidental deletes). - Noah
For a serverless project you may add "s3:DeleteObject" into the "provider: iamRoleStatements: Action" parameter in the serverless.yml file. - Aceous
Completely forgot I hadn't added this to my config. Thanks. - Fiddlefaddle
In my case, I enabled MFA access. According to AWS, when MFA is activated, to write to the bucket you will need a root access_key. Doing this solved my problem.

More details here: https://repost.aws/knowledge-center/s3-bucket-mfa-delete

Hightower answered 22/6, 2023 at 12:41 Comment(0)