Intermittent Issue with uploading to S3

  • Goal: Upload images to S3 using Amazon S3 Resource

  • Details: We are seeing an intermittent issue with S3, but the S3 credentials used already have the required permissions.

We are getting this error from time to time:

error: true
isRetoolSystemError: false
message: "User: arn:aws:iam::<iam number>:user/<user2>is not authorized to perform: s3:GetBucketLocation on resource: \"arn:aws:s3:::cdn-<bucket_name>\" because no identity-based policy allows the s3:GetBucketLocation action"

But our policies are already setup like this:

{
    "Policy": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": { "AWS": "*" },
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::cdn-<bucket_name>/*"
            },
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::<iam number>:user/<user1>",
                        "arn:aws:iam::<iam number>:user/<user2>"
                    ]
                },
                "Action": [
                    "s3:DeleteObject",
                    "s3:GetBucketAcl",
                    "s3:GetBucketCORS",
                    "s3:GetBucketLocation",
                    "s3:GetBucketLogging",
                    "s3:GetBucketNotification",
                    "s3:GetBucketPolicy",
                    "s3:GetBucketWebsite",
                    "s3:GetObject",
                    "s3:GetObjectAcl",
                    "s3:GetObjectVersion",
                    "s3:GetObjectVersionAcl",
                    "s3:ListBucket",
                    "s3:PutObject",
                    "s3:PutObjectAcl",
                    "s3:PutObjectTagging",
                    "s3:PutObjectVersionAcl",
                    "s3:PutObjectVersionTagging"
                ],
                "Resource": [
                    "arn:aws:s3:::cdn-<bucket_name>",
                    "arn:aws:s3:::cdn-<bucket_name>/*"
                ]
            }
        ]
    }
}

What would the cause of the error be?


Hello @john_xtian!

It is very odd that the issue isn't consistent and only gives you an error intermittently.

It looks like the policy is set up correctly, but there are some steps we can do to find out more about what could be causing this.

My guess is that the issue might stem from a policy attachment issue or inheritance.

Even though the policy looks correct, it might not be attached to the right entities or may be overridden by other policies.

The user <user2> may have other policies (e.g., Deny statements) restricting access.

Can you confirm whether the policy you shared is a bucket policy or an IAM policy?

If it’s a bucket policy, make sure an IAM policy (attached to <user2>) also allows the necessary actions (including s3:GetBucketLocation).

Check whether the user has inline or managed policies that conflict with the permissions you're trying to grant.

The other step would be to ensure that the policy is properly attached to the <user2> IAM user.

  • Check if there are any "Deny" statements in other policies attached to <user2> that might override this policy.
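The reply above boils down to three checks: is the shared document a bucket policy or an identity-based policy, does an identity-based policy attached to `<user2>` actually allow `s3:GetBucketLocation` on the bucket ARN, and is there a `Deny` somewhere that overrides it. The script below is an added example written for this thread (not Retool's or AWS's code) that makes those checks concrete offline. It decodes a `get-bucket-policy` style document (the `"Policy"` value is a JSON string inside JSON, exactly as in the question), derives the identity-based policy that would have to be attached to the user, and runs a simplified model of IAM's identity-based evaluation: an explicit `Deny` wins, otherwise any matching `Allow` grants, otherwise the request is implicitly denied. The account id, user and bucket names are placeholders, and the policy is a shortened copy of the one in the question.

```python
"""Offline check: does an IAM user's identity-based policy allow an S3 action?

Example built for this forum thread (hypothetical, not Retool's or AWS's code).
It models only identity-based policy evaluation, which is what the error text
"no identity-based policy allows the s3:GetBucketLocation action" refers to.
"""
import fnmatch
import json

ACCOUNT = "123456789012"                       # placeholder account id
USER2 = f"arn:aws:iam::{ACCOUNT}:user/user2"   # placeholder user from the thread
BUCKET = "arn:aws:s3:::cdn-example-bucket"     # placeholder bucket ARN

# Constructed sample in the shape returned by `aws s3api get-bucket-policy`:
# the "Policy" value is itself a JSON-encoded string (shortened action list).
GET_BUCKET_POLICY_OUTPUT = {
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "*"},
             "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
            {"Effect": "Allow",
             "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT}:user/user1", USER2]},
             "Action": ["s3:GetBucketLocation", "s3:ListBucket", "s3:GetObject",
                        "s3:PutObject", "s3:DeleteObject"],
             "Resource": [BUCKET, BUCKET + "/*"]},
        ],
    })
}


def parse_bucket_policy(output: dict) -> dict:
    """Decode the double-encoded Policy string into a policy document."""
    return json.loads(output["Policy"])


def as_list(value):
    """IAM allows a string or a list in Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]


def statement_matches(stmt: dict, action: str, resource: str) -> bool:
    """True if the statement's Action and Resource patterns cover the request.
    IAM wildcards (* and ?) are handled with fnmatch; actions are case-insensitive."""
    actions = [a.lower() for a in as_list(stmt.get("Action", []))]
    resources = as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def identity_policy_decision(identity_policies: list, action: str, resource: str) -> str:
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for the request,
    considering only the identity-based policies attached to the user."""
    allowed = False
    for doc in identity_policies:
        for stmt in as_list(doc.get("Statement", [])):
            if not statement_matches(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                return "explicit_deny"          # Deny always wins
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "allow" if allowed else "implicit_deny"


def to_identity_policy(bucket_policy: dict, principal_arn: str) -> dict:
    """Turn the bucket-policy statements that name principal_arn into the
    identity-based policy that would be attached to that IAM user
    (same Effect/Action/Resource, no Principal element)."""
    stmts = []
    for stmt in as_list(bucket_policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        names = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else as_list(principal)
        if principal_arn in names:
            stmts.append({k: stmt[k] for k in ("Effect", "Action", "Resource")})
    return {"Version": "2012-10-17", "Statement": stmts}


def diagnose(action: str = "s3:GetBucketLocation", resource: str = BUCKET) -> dict:
    """Evaluate the three situations discussed in the thread."""
    bucket_policy = parse_bucket_policy(GET_BUCKET_POLICY_OUTPUT)
    iam_policy = to_identity_policy(bucket_policy, USER2)
    # A conflicting Deny that might live in another inline/managed policy.
    deny_policy = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "s3:GetBucket*", "Resource": "*"}]}
    return {
        "bucket_policy_only": identity_policy_decision([], action, resource),
        "iam_policy_attached": identity_policy_decision([iam_policy], action, resource),
        "iam_policy_plus_deny": identity_policy_decision([iam_policy, deny_policy], action, resource),
    }


if __name__ == "__main__":
    for scenario, verdict in diagnose().items():
        print(f"{scenario:22s} -> {verdict}")
```

The first scenario reproduces the thread's situation: with nothing attached to the user, the identity-based evaluation has no `Allow` to find, which matches the wording of the error. Attaching the derived policy flips the verdict to `allow`, and a single `Deny` on `s3:GetBucket*` in any other attached policy flips it back, which is why the reply asks to look for conflicting inline or managed policies. Against a real account the same question can be put to AWS itself with `aws iam simulate-principal-policy`, passing the user's ARN, the action and the bucket ARN.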

This works, thank you! The policy should be in IAM and not in the bucket.
