{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 forever°为你锁心 的问题《s3 - An error occurred (403) when calling the Head》','https://www.manongdao.com/q-1033222.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
Answer did not help
Resource policy for s3 bucket bucket1 is:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket1/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
},
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucket1/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
},
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucket1/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": "true"
}
}
}
]
}
IAM policy for bucket1 is:
{
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::bucket1",
"arn:aws:s3:::bucket1/*"
],
"Effect": "Allow"
}
s3Upload() works fine
Error occurs after performing aws s3 cp s3://url . while copying file to local folder
This is conflict between IAM policy & resource policy for s3.
How to make resource policy allow to perform aws s3 cp?
There are few issues here. First, your bucket policy document is not a valid json but I guess that error happened during coping.
aws s3 cp s3://urldoesn't work simply because bucket policy blocks it which is intended behavior in this case. Note that explicit deny always wins. Your bucket policy denies any upload if server side encryption header is missing in HTTP request. No matter how you define your IAM policy attached to a user, that user will not be able use the mentioned command as is due to the explicit deny.If you want to make it work, you just need to specify server side encryption in your CLI command by using appropriate flag
--sse AES256(this is true when uploading objects to s3 bucket).aws s3 cp s3://url --sse AES256Other things that I have noticed:
In this part
you are denying all s3 actions if the request is not using HTTPS but you have specified only objects in that bucket -
"Resource": "arn:aws:s3:::bucket1/*”not the bucket itself -"Resource": "arn:aws:s3:::bucket1”, thus your statement applies only to object level operations. Is this intended behavior? If you want to deny all the actions for both object level operations and bucket level operations that are not using HTTPS then you need to change you currentResourcetoAnd in this section
this line in your
Resource-"arn:aws:s3:::bucket1"is completely redundant because"s3:GetObject"action is object level operation and your statement doesn't contain any bucket level operations. You can freely remove it. So it should look something like thisUPDATE
When getting object, be sure that you specify some object, not just url of the bucket.
This will work
This will fail with 403 error
If you want to download multiple files at the same time using the above command, you will need to do two things. First, you will need to update your IAM permissions to include
s3:ListBucketon the bucket.Second thing, you will need to specify
--recursiveflag incpcommand.