I recently set up an IAM role for accessing a bucket with the following policy:
{
  "Statement": [
    {
      "Sid": "Stmt1359923112752",
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::<BUCKET_NAME>"
      ]
    }
  ]
}
While I can list the contents of the bucket fine, when I call get_contents_to_filename on a particular key, I receive a boto.exception.S3ResponseError: S3ResponseError: 403 Forbidden exception.
Is there a role permission that I need to add to fetch keys from S3? I have checked the permissions on the individual key, and there appears to be nothing that explicitly forbids access to other users; there is only a single permission that grants the owner full permissions.
For completeness, I verified that removing the role policy above prevents access to the bucket completely thus it’s not an issue with the policy being applied.
Thanks!
You have to give permission to the objects in the bucket, not just to the bucket. So your resource would have to be arn:aws:s3:::<bucketname>/*. That matches every object. Unfortunately, that doesn't match the bucket itself. So you either need to give bucket-related permissions to arn:aws:s3:::<bucketname> and object permissions to arn:aws:s3:::<bucketname>/*, or just give permissions to arn:aws:s3:::<bucketname>*. Though in that latter case, giving permissions to a bucket named fred would also give the same permissions to one named freddy.
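The bucket-ARN versus object-ARN distinction in the answer above is easy to get wrong, so here is an added example (not code from the question or the answer) that models it offline. It assumes a bucket named fred, builds the three policy shapes discussed in the answer, and evaluates them with a small matcher that follows the documented IAM Resource wildcard rules ("*" matches any run of characters including "/", "?" matches one character). The evaluator is a deliberately minimal stand-in for the real IAM engine, not a replacement for it.

```python
import json
import re

# Constructed for this example: the bucket name used throughout the answer.
BUCKET = "fred"


def resource_matches(pattern: str, value: str) -> bool:
    """Match an IAM Resource/Action pattern against a concrete ARN or action.

    Assumption: this mirrors the documented IAM wildcard semantics ('*' matches
    any sequence of characters, including '/', and '?' matches exactly one).
    It is a simplified model, not the AWS policy evaluator.
    """
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def is_allowed(policy: dict, action: str, arn: str) -> bool:
    """Minimal decision logic: an explicit Deny wins, otherwise any matching
    Allow grants access, otherwise the request is implicitly denied.
    Action names are compared case-insensitively, as IAM does."""
    decision = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(resource_matches(a.lower(), action.lower()) for a in actions):
            continue
        if not any(resource_matches(r, arn) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def make_policy(*resources: str) -> dict:
    """Build the single-statement s3:* Allow policy from the question, with
    whatever Resource list is passed in."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:*"], "Resource": list(resources)}
        ],
    }


# The three policy shapes discussed in the answer.
ORIGINAL = make_policy(f"arn:aws:s3:::{BUCKET}")                              # bucket only
BUCKET_AND_OBJECTS = make_policy(f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*")
TRAILING_STAR = make_policy(f"arn:aws:s3:::{BUCKET}*")                        # over-broad


def check(policy: dict) -> dict:
    """Evaluate the three requests that distinguish the policy shapes:
    listing the bucket, fetching one of its objects, and fetching an object
    in a different bucket whose name merely shares the prefix."""
    return {
        "ListBucket on fred": is_allowed(policy, "s3:ListBucket", "arn:aws:s3:::fred"),
        "GetObject on fred/key": is_allowed(policy, "s3:GetObject", "arn:aws:s3:::fred/some/key"),
        "GetObject on freddy/key": is_allowed(policy, "s3:GetObject", "arn:aws:s3:::freddy/some/key"),
    }


if __name__ == "__main__":
    for name, policy in [("original", ORIGINAL),
                         ("bucket + objects", BUCKET_AND_OBJECTS),
                         ("trailing star", TRAILING_STAR)]:
        print(name)
        print(json.dumps(check(policy), indent=2))
```

Running it shows the original policy allowing the list but refusing the object fetch (the 403 in the question), the two-ARN policy allowing both while refusing freddy, and the trailing-star policy allowing all three. Against a real account, confirm the same with the IAM policy simulator or by issuing the calls with the role assumed, rather than trusting this model.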