S3 get object signed URL permission denied but download file works

  • Goal:
    I am trying to use the S3 generate signed url get object function but I'm getting permission denied.

Here is my query:

It seems like this is an issue with the get object retool function or with my "Operation options" parameter body because when I use Action type = "Download a file from S3", that actually works with the same s3 object ID with no issue.
So it's not a permissions issue fundamentally.

Is there something wrong with my Operation options field or is it some retool issue?

Hi @htf15

Welcome to the forum!
I think the Access Denied error is going to be related to your AWS permissions. Can you verify that your IAM settings allow "s3:GetObject" in Action, and that your Resource includes the proper bucket AND subfolders in the bucket (if they exist)? Depending on your deployment your Action and Resource policy lists may be much longer, but verify these items are in your IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::cb-forge-artifacts-dev",
        "arn:aws:s3:::cb-forge-artifacts-dev/*"
      ]
    }
  ]
}

(The second Resource entry, "arn:aws:s3:::cb-forge-artifacts-dev/*", is required if you have subfolders.)

NOTE - if your files are nested in folders within your S3 bucket, the Key: value needs to contain the full path to the file.
(Ex: Key: myfolder/nextfolder/documentkey.ext).

Hi! @Matt_N - thank you

I do have GetObject permissions. I must have s3:GetObject permissions since I am able to directly Get the file.
But the problem is only that getting the presigned URL is not working, which is why I'm confused, since the GetObject permissions should work for presigned URLs as well. That makes me think it's an issue on the Retool side or in the configuration options I'm passing in.

Good point - GetObject should control both, I was thinking download had a separate permission.
Can you verify you have both these lines in your IAM policy?

It appears that the generate signed url needs both.

I'm able to replicate your results in the following fashion:

  • If I only have the bucket/* policy (this seems like what you're seeing):
    • Download is successful
    • SignedUrl returns Access Denied
  • If I only have the bucket policy (no bucket/*):
    • Download returns Access Denied
    • SignedUrl is successful (accessing the returned URL gives Access Denied, but the Retool process is successful)
  • If I have both policies, bucket and bucket/*:
    • Download is successful
    • SignedUrl is successful, and the returned URL works.

Obviously our AWS setups will be different, but ultimately I believe the Access Denied is coming from AWS in some fashion. Hope this helps!
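The three cases above come down to how IAM matches Resource ARNs: "arn:aws:s3:::bucket" names the bucket itself, "arn:aws:s3:::bucket/*" names objects in it (including objects under nested "folders", since the * wildcard also matches "/"), and neither pattern matches the other. The following is an added example, not code from the thread or from Retool, that reproduces only IAM's Allow/Deny and wildcard resource matching for a policy like the one posted earlier; it does not model which S3 API calls Retool issues behind each Action type. The bucket name is the one from the example policy above and the object key is the nested key from the NOTE; both are placeholders, not real resources.

```python
import fnmatch

# Constructed placeholders, taken from the example policy and NOTE in this thread.
BUCKET = "cb-forge-artifacts-dev"
KEY = "myfolder/nextfolder/documentkey.ext"  # full path to a nested object

BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/{KEY}"
OBJECT_PATTERN = f"{BUCKET_ARN}/*"  # the "bucket/*" entry from the policy


def make_policy(resources, effect="Allow", action="s3:GetObject"):
    """Build a minimal IAM policy document with one statement."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": effect,
                "Action": [action],
                "Resource": list(resources),
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def arn_matches(pattern, arn):
    """IAM resource/action patterns support * and ? wildcards; fnmatchcase
    implements exactly those (ARNs contain no [...] sets, so that syntax is moot)."""
    return fnmatch.fnmatchcase(arn, pattern)


def is_allowed(policy, action, arn):
    """Evaluate an identity policy the way IAM does for a single request:
    an explicit Deny wins, otherwise any matching Allow grants, otherwise
    the request is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(arn_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(arn_matches(r, arn) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def coverage(policy, action="s3:GetObject"):
    """Which of the two resource levels does the policy grant for this action?"""
    return {
        "bucket": is_allowed(policy, action, BUCKET_ARN),
        "object": is_allowed(policy, action, OBJECT_ARN),
    }


def missing_resources(policy, action="s3:GetObject"):
    """Resource entries to add so both the bucket and its objects are covered."""
    cov = coverage(policy, action)
    missing = []
    if not cov["bucket"]:
        missing.append(BUCKET_ARN)
    if not cov["object"]:
        missing.append(OBJECT_PATTERN)
    return missing


if __name__ == "__main__":
    for label, res in [
        ("only bucket/*", [OBJECT_PATTERN]),
        ("only bucket", [BUCKET_ARN]),
        ("bucket and bucket/*", [BUCKET_ARN, OBJECT_PATTERN]),
    ]:
        policy = make_policy(res)
        print(f"{label:22} -> {coverage(policy)}  missing: {missing_resources(policy)}")
```

Running it prints one line per case: the "only bucket/*" policy covers the object but not the bucket ARN, "only bucket" covers the bucket but not the object, and only the combined policy covers both, which is the pattern of Access Denied results reported above. The evaluator is deliberately simplified (no Condition keys, no bucket policies or SCPs); it is meant as a quick sanity check of the Resource list before looking for problems elsewhere.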
