
AWS S3 Object ACL and 403 Error

Recently I fell into the trap of S3 object ACLs and the issue of an object having a different owner from the bucket. So when I tried to do something simple like the following I got a forbidden error.

This stumped me for a while as I couldn't understand why an admin user connecting to the account where the bucket was created could not access the file that was in there. The bucket policy allowed read and write access across multiple AWS accounts. The mistake that I made was that in one terminal session I had my CLI profile accidentally set to another account, so the owner of the object was set to that account when uploaded. Basically account-a uploaded a file into a bucket in account-b.

Let's go through an example of how this can happen. First we need a bucket with a policy that allows cross-account read/write access.

Upload a file with Account A.

Set the profile to Account B and try to copy the file.

Let's take a look at the owner of that file and see why this is happening.

We can see the DisplayName key as having the value account-a. When uploading an object, S3 creates a default ACL that grants the resource owner full control. In this case account-a had full control over an object which lives in a bucket in account-b; account-b had no permissions on the object even though it owns the bucket. To solve my issue I could have deleted it and then re-added it correctly, but I decided to modify the object ACL so that I can read it via the accounts I need. This can be done via the put-object-acl API call. Here's what I did to fix my issue.

The object now had read permission from account-b and I could successfully read and copy the file. If you need these cross-account permissions for a bucket and its objects, then it may be advisable to set the object ACL so that the relevant accounts have read access like:
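As an added example (not the post's own commands, which are not reproduced here), the script below walks through the whole scenario offline: it builds the kind of cross-account bucket policy the walkthrough starts with, models the default ACL S3 attaches to an object uploaded by account-a, checks whether the bucket owner (account-b) can read it, and produces the AccessControlPolicy document you would hand to `aws s3api put-object-acl --access-control-policy file://...` (or boto3 `put_object_acl(AccessControlPolicy=...)`) to add READ for the accounts that need it. The account names, bucket name, key and canonical IDs are constructed placeholders; real canonical user IDs are 64-character hex strings, and this code makes no AWS calls.

```python
"""Model the S3 object-owner ACL mismatch behind the 403 and the put-object-acl fix."""
import json
from typing import Any, Dict, List

# Constructed placeholders standing in for the two accounts in the walkthrough.
ACCOUNT_A = {"DisplayName": "account-a", "ID": "a" * 64}
ACCOUNT_B = {"DisplayName": "account-b", "ID": "b" * 64}
BUCKET = "example-shared-bucket"  # constructed bucket name
KEY = "file.txt"                  # constructed object key


def cross_account_bucket_policy(bucket: str, account_ids: List[str]) -> Dict[str, Any]:
    """Bucket policy granting the listed AWS account IDs read/write on objects.

    This is the starting point of the walkthrough. It is bucket-level permission
    only: it says nothing about who owns the objects those accounts upload.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "CrossAccountReadWrite",
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{acct}:root" for acct in account_ids]},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def default_object_acl(uploader: Dict[str, str]) -> Dict[str, Any]:
    """Shape of the ACL S3 creates for a new object: uploader gets FULL_CONTROL only.

    Same structure as the JSON `aws s3api get-object-acl` returns (Owner + Grants).
    """
    return {
        "Owner": dict(uploader),
        "Grants": [{
            "Grantee": {"Type": "CanonicalUser", **uploader},
            "Permission": "FULL_CONTROL",
        }],
    }


def can_read(acl: Dict[str, Any], canonical_id: str) -> bool:
    """True if the ACL grants READ or FULL_CONTROL to the given canonical user."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "CanonicalUser" and grantee.get("ID") == canonical_id:
            if grant.get("Permission") in ("READ", "FULL_CONTROL"):
                return True
    return False


def diagnose(acl: Dict[str, Any], bucket_owner: Dict[str, str]) -> str:
    """Explain a 403 on an object that sits in a bucket the caller's account owns."""
    owner = acl["Owner"]
    if owner["ID"] != bucket_owner["ID"] and not can_read(acl, bucket_owner["ID"]):
        return (f"object owned by {owner['DisplayName']} ({owner['ID'][:8]}...), "
                f"bucket owner {bucket_owner['DisplayName']} has no READ grant")
    return "bucket owner can read the object"


def add_read_grants(acl: Dict[str, Any], accounts: List[Dict[str, str]]) -> Dict[str, Any]:
    """Return a new AccessControlPolicy with READ added for each account (idempotent).

    The Owner element is kept unchanged; the result is the document you pass to
    put-object-acl. The input ACL is not modified.
    """
    new_acl = {"Owner": dict(acl["Owner"]), "Grants": [dict(g) for g in acl["Grants"]]}
    for acct in accounts:
        if not can_read(new_acl, acct["ID"]):
            new_acl["Grants"].append({
                "Grantee": {"Type": "CanonicalUser", **acct},
                "Permission": "READ",
            })
    return new_acl


if __name__ == "__main__":
    print(json.dumps(cross_account_bucket_policy(BUCKET, ["111111111111", "222222222222"]), indent=2))
    acl = default_object_acl(ACCOUNT_A)        # account-a uploaded into account-b's bucket
    print(diagnose(acl, ACCOUNT_B))            # the reason for the 403
    fixed = add_read_grants(acl, [ACCOUNT_B])  # what put-object-acl should apply
    print(json.dumps(fixed, indent=2))
    print(diagnose(fixed, ACCOUNT_B))
```

Because `add_read_grants` only appends grants that are missing, running it over objects that were already repaired is safe. The same mismatch can be avoided at upload time by having the uploading account set the `bucket-owner-full-control` canned ACL, which the bucket policy can require through a condition on the `s3:x-amz-acl` key.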

You can read more about S3 Object ACLs here.
