s3api getobject permission denied

Question

I am trying to fetch a file from s3 using aws-cli

aws s3api get-object --bucket <bucket_name> --key /foo.com/bar/summary-report-yyyymmdd.csv.gz temp_file.csv.gz --profile <profile_name>

but I am getting the following error -

An error occurred (AccessDenied) when calling the GetObject operation: Access Denied

I've rechecked my configuration using

aws configure --profile <profile_name>

and everything seems to be correct there. I am using the same credentials to browse and fetch the file on S3 browser without any issue.

Documentation is of minimal use as I have very limited access to this bucket. I cannot verify the permissions or use

aws s3 --profile <profile_name> ls

Answer 1

AccessDenied can mean you dont have permission but its the error returned if the object does not exist (you can read here for the reason why to use this error)

You can make sure you have access to the bucket using the aws s3api list-objects command like

aws s3api list-objects --bucket <bucket_name> --query 'Contents[].{Key: Key, Size: Size}' --profile <profile_name>

Most probably in your case the issue is with the user of / in front of the key

aws s3api get-object --bucket <bucket_name> --key foo.com/bar/summary-report-yyyymmdd.csv.gz temp_file.csv.gz --profile <profile_name>

Answer 2

For me the issue was kms access. I found this helpful: https://aws.amazon.com/premiumsupport/knowledge-center/s3-troubleshoot-403/