Open marcindyelp opened 4 days ago
Hi @marcindyelp - thanks for reaching out.
This is something I need to confirm with the S3 team, but in one of the S3 docs it's mentioned that you need the s3:ListAllMyBuckets permission to perform a CopyObject operation. See here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/copy-object.html#CopyingObjectsExamples
When you initiate a CopyObject operation, S3 needs to verify the existence of the source object in the source bucket. To do this, it needs to list the contents of the source bucket, which requires the s3:ListBucket permission. If the source object doesn't exist, S3 still needs to perform this listing operation to determine that the object doesn't exist, and it will return an error if the necessary permission (s3:ListBucket) is not granted.
Best, John
Describe the bug
To perform copyObject according to the AWS docs, you need s3:GetObject and s3:PutObject permissions. That works fine with only those permissions.
Problem: If the source key (file) does not exist in the bucket, the API throws a misleading error:
AccessDenied: User: arn:aws:sts:#########r is not authorized to perform: s3:ListBucket on resource: "arn:aws:s3:::my_bucket because no identity-based policy allows the s3:ListBucket action
Obviously s3:ListBucket is not needed. The error thrown should be 'key not present, check source...' or anything like that.
SDK version number
@aws-sdk/client-s3@.3.658.1, CopyObjectCommand
Which JavaScript Runtime is this issue in?
Node.js
Details of the browser/Node.js/ReactNative version
node 18.19.0
Reproduction Steps
delete the source file
Observed Behavior
AccessDenied: User: arn:aws:sts:#########r is not authorized to perform: s3:ListBucket on resource: "arn:aws:s3:::my_bucket because no identity-based policy allows the s3:ListBucket action
Expected Behavior
Obviously s3:ListBucket is not needed. Error thrown should be 'key not present, check source...' or anything like that.
Possible Solution
change the error/response from API to user
Additional Information/Context
No response
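Added example, not part of the issue thread or the SDK: calling code that treats the AccessDenied response reported above as "source key missing or listing not permitted", together with the identity policy shape that grants s3:ListBucket on the source bucket ARN. The error shape (name, message, $metadata.httpStatusCode), the function names, the account ID and the bucket names are assumptions constructed for illustration.

```javascript
// Added example. Bucket names, account ID and the error object are constructed.

// Identity policy for copying between two buckets. s3:ListBucket is a
// bucket-level action, so its Resource is the bucket ARN without "/*".
function copyPolicy(srcBucket, dstBucket, { allowList = true } = {}) {
  const Statement = [
    { Effect: "Allow", Action: "s3:GetObject", Resource: `arn:aws:s3:::${srcBucket}/*` },
    { Effect: "Allow", Action: "s3:PutObject", Resource: `arn:aws:s3:::${dstBucket}/*` },
  ];
  if (allowList) {
    Statement.push({ Effect: "Allow", Action: "s3:ListBucket", Resource: `arn:aws:s3:::${srcBucket}` });
  }
  return { Version: "2012-10-17", Statement };
}

// Classify a failed CopyObject call. Assumed error shape: { name, message,
// $metadata: { httpStatusCode } }, as on SDK v3 service exceptions.
function classifyCopyError(err) {
  const status = err.$metadata?.httpStatusCode;
  const message = err.message ?? "";
  if (err.name === "NoSuchKey" || status === 404) {
    return { kind: "source-missing", retryable: false };
  }
  if (err.name === "AccessDenied" && message.includes("s3:ListBucket")) {
    // The caller cannot list the bucket, so this response does not tell it
    // whether the key exists: check the source key, then the policy.
    return { kind: "source-missing-or-list-denied", retryable: false };
  }
  if (err.name === "AccessDenied" || status === 403) {
    return { kind: "denied", retryable: false };
  }
  return { kind: "other", retryable: status >= 500 };
}

// Constructed error modelled on the message quoted in the issue.
const SAMPLE_DENIED = {
  name: "AccessDenied",
  message: 'User: arn:aws:sts::111122223333:assumed-role/example-role/session ' +
    'is not authorized to perform: s3:ListBucket on resource: ' +
    '"arn:aws:s3:::my_bucket" because no identity-based policy allows the s3:ListBucket action',
  $metadata: { httpStatusCode: 403 },
};

console.log(classifyCopyError(SAMPLE_DENIED).kind);
console.log(JSON.stringify(copyPolicy("my_bucket", "my_destination_bucket"), null, 2));
```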