S3 AccessDenied与策略不匹配

Question

I have the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "StmtXXX",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::MYBUCKET"
            ]
        }
    ]
}

(yes, I intend to scope back the s3:* when I get it working)

The following list bucket operation works OK:

$ aws s3 ls s3://MYBUCKET/test --profile MYPROFILE --region eu-west-1
2016-11-30 15:21:13   16712119 test

But a PUT won't work

$ aws s3 cp /tmp/test2 s3://MYBUCKET/test2 --profile MYPROFILE --region eu-west-1
upload failed: ../../../../tmp/test2 to s3://MYBUCKET/test2
A client error (AccessDenied) occurred when calling the CreateMultipartUpload operation: Access Denied


Parameter validation failed:
Invalid type for parameter UploadId, value: None, type: <type 'NoneType'>, valid types: <type 'basestring'>

I've tried this in the IAM Policy Simulator and it seems like it should work. I've verified that the keys correspond to the correct user.

(I've also tried with my own credentials and the operations work fine, so I don't think it's a syntax error)

Should this work? Any ideas why it isn't?

Answer 1

The answer to this seems to be that the IAM policy can take some time to propagate. This went from not working, to being intermittent, to working.

So if you face an inexplicable situation, wait a few minutes.

Answer 2

You need to enter the bucket contents as a resource separately from the bucket itself if you are specifying the bucket and object actions in the same statement

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "StmtXXX",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::MYBUCKET",
                "arn:aws:s3:::MYBUCKET/*"
            ]
        }
    ]
}