I have a private S3 bucket (let's call it test-bucket
) with all public accesses blocked, and a CloudFront distribution that serves it.
My web application has an IAM user to programmatically access AWS resources, to which I attached the managed authorisation policy AmazonS3FullAccess
.
I have also set up the following bucket policy:
{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ••••••••••••••"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::test-bucket/*"
},
{
"Sid": "2",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::••••••••••••:user/••••••••••••"
},
"Action": "s3:DeleteObject",
"Resource": "arn:aws:s3:::test-bucket/*"
}
]
}
Still, when trying to delete an object in the bucket, I get
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the DeleteObject operation: Access Denied
I've been reading other answers (like this one) related to the subject, but none seems to help, as my DeleteObject
policy is set on both the IAM user and the bucket.
DeleteObject permission is granted to an IAM user, but the delete error is experienced by a program using boto3 client?
It seems that the principal is some program calling the delete api using boto3 and the above policy does not grant it the DeleteObject permission. Suggestion: Grant the DeleteObject permission to a role and let the program calling in from boto3 assume that role.