aws / aws-tools-for-powershell

The AWS Tools for PowerShell lets developers and administrators manage their AWS services from the PowerShell scripting environment.
Apache License 2.0
235 stars 77 forks

AWS.Tools.S3 Get-S3Bucket Access Denied #281

Closed dburtsev closed 1 year ago

dburtsev commented 1 year ago

Describe the bug

Hello, I don't have permission to call the ListBuckets operation. I know my bucket name. I am using the access key and secret key. From the same script, aws s3 ls 'bucket_name' works but [Amazon.S3.Model.S3Bucket]$ResponseS3 = Get-S3Bucket -BucketName 'bucket_name' does not. Error: Access Denied. Thanks, Dmitriy

Expected Behavior

Get Amazon.S3.Model.S3Bucket object from Get-S3Bucket

Current Behavior

Access Denied

Reproduction Steps

$Env:AWS_ACCESS_KEY_ID='qwe'
$Env:AWS_SECRET_ACCESS_KEY='xyz'
aws s3 ls 'bucket_name'
[Amazon.S3.Model.S3Bucket]$ResponseS3 = Get-S3Bucket -BucketName 'bucket_name'

Possible Solution

No response

Additional Information/Context

No response

AWS Tools for PowerShell version used

Version 4.1.128

PowerShell version used

Name                       Value
----                       -----
PSVersion                  7.2.5
PSEdition                  Core
GitCommitId                7.2.5
OS                         Microsoft Windows 10.0.19042
Platform                   Win32NT
PSCompatibleVersions       {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion  2.3
SerializationVersion       1.1.0.1
WSManStackVersion          3.0

Operating System and version

Windows 10

dburtsev commented 1 year ago

Note: I have "Access Denied" only when I run this script from my PC using keys. When I run this script without keys on EC2 instance with the attached role, I don't have any problems. Thanks, Dmitriy

ashishdhingra commented 1 year ago

@dburtsev You need to have the ListBuckets policy attached to your IAM user (having access keys and secret keys in above PowerShell snippet) in order to execute Get-S3Bucket CmdLet. On the EC2 instance it might have worked because the IAM role has this policy attached to it.

I'm unsure how aws s3 ls 'bucket_name' is working for you.

You may try using the Get-STSCallerIdentity CmdLet and AWS CLI aws sts get-caller-identity to see if there is any difference.

Thanks, Ashish
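The two checks Ashish suggests (confirm the caller identity, then exercise Get-S3Bucket) can be put into one short diagnostic. The script below is an added example, not code from the issue thread or from the AWS Tools project. It assumes the AWS.Tools.SecurityToken and AWS.Tools.S3 modules are installed and that the same $Env:AWS_ACCESS_KEY_ID / $Env:AWS_SECRET_ACCESS_KEY values the reporter's script sets are present; 'bucket_name' is a placeholder. It separates the account-wide permission Get-S3Bucket needs (ListBuckets, authorized by the IAM action s3:ListAllMyBuckets) from the bucket-scoped permission that listing objects needs (s3:ListBucket on the bucket ARN), so a principal that holds only the second shows up clearly:

```powershell
# Added diagnostic (not from the issue). Assumes AWS.Tools.SecurityToken and
# AWS.Tools.S3 are installed and the access key / secret key are already in
# $Env:AWS_ACCESS_KEY_ID and $Env:AWS_SECRET_ACCESS_KEY. Bucket name is a placeholder.
param([string]$BucketName = 'bucket_name')

Import-Module AWS.Tools.SecurityToken, AWS.Tools.S3

# 1. Confirm which principal the SDK resolved from the environment variables.
#    Compare the Arn with `aws sts get-caller-identity` from the same shell.
$me = Get-STSCallerIdentity
Write-Host "Running as $($me.Arn) in account $($me.Account)"

# 2. Get-S3Bucket issues ListBuckets, an account-level API call. IAM authorizes it
#    with the action s3:ListAllMyBuckets, which must be granted on Resource "*".
try {
    $bucket = Get-S3Bucket -BucketName $BucketName
    if ($null -eq $bucket) {
        Write-Warning "ListBuckets succeeded but no bucket named '$BucketName' is owned by this account"
    } else {
        Write-Host "ListBuckets allowed; bucket '$($bucket.BucketName)' created $($bucket.CreationDate)"
    }
}
catch [Amazon.S3.AmazonS3Exception] {
    Write-Warning "Get-S3Bucket failed: $($_.Exception.ErrorCode) - $($_.Exception.Message)"
}

# 3. Listing objects inside the bucket (what `aws s3 ls bucket_name` does) is a
#    different, bucket-scoped permission: s3:ListBucket on arn:aws:s3:::<bucket>.
#    A principal can hold this one and still be denied in step 2.
try {
    $first = Get-S3Object -BucketName $BucketName -MaxKey 1
    Write-Host "ListBucket on '$BucketName' allowed ($(@($first).Count) object(s) returned)"
}
catch [Amazon.S3.AmazonS3Exception] {
    Write-Warning "Get-S3Object failed: $($_.Exception.ErrorCode) - $($_.Exception.Message)"
}
```

If step 2 reports AccessDenied while step 3 succeeds, the IAM principal is missing s3:ListAllMyBuckets rather than access to the bucket itself, which is the situation the rest of this thread describes. If step 1 reports an Arn you did not expect, the SDK picked up a different credential source than the CLI did.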

dburtsev commented 1 year ago

Hello Ashish I don't have the ListBuckets policy for this particular account.

Are you executing AWS CLI command from within PowerShell terminal?
I am executing AWS CLI command from PowerShell script.

Do you have credentials configured in your default profile?
No. In EC2 we use attached role and in my PC keys are hardcoded in the script.

[aws sts get-caller-identity]
{
    "UserId": "AIDAZ7DNFLRF5WRSTAXOC",
    "Account": "685276224587",
    "Arn": "arn:aws:iam::685276224587:user/svc_mocsdw01AccessPA"
}

[Get-STSCallerIdentity]
Account       Arn                                                   UserId
-------       ---                                                   ------
685276224587  arn:aws:iam::685276224587:user/svc_mocsdw01AccessPA  AIDAZ7DNFLRF5WRSTAXOC

ashishdhingra commented 1 year ago

@dburtsev Unfortunately I'm unable to reproduce the issue. I get Access Denied error while using both AWS CLI aws s3 ls <<bucketname>> and PowerShell CmdLet Get-S3Bucket <<bucketname>>. Used the below 2 scenarios (after creating IAM user with programmatic access not having any permissions):

  1. Configured the credentials in default profile at %USERPROFILE%\.aws\credentials.
  2. Used the environment variable approach (as in your case) setting $Env:AWS_ACCESS_KEY_ID and $Env:AWS_SECRET_ACCESS_KEY.

In both the cases:

dburtsev commented 1 year ago

Configured the credentials in default profile at %USERPROFILE%\.aws\credentials.

We don't have any credentials in %USERPROFILE%\.aws dir.

Directory of %USERPROFILE%\.aws

08/02/2022  03:28 PM    <DIR>          .
08/02/2022  03:28 PM    <DIR>          ..
08/02/2022  03:28 PM                31 config
               1 File(s)             31 bytes
               2 Dir(s)  25,655,758,848 bytes free

%USERPROFILE%\.aws>type config
[default]
region = us-east-1

ashishdhingra commented 1 year ago

Configured the credentials in default profile at %USERPROFILE%\.aws\credentials.

We don't have any credentials in %USERPROFILE%\.aws dir.

Directory of %USERPROFILE%\.aws

08/02/2022  03:28 PM    <DIR>          .
08/02/2022  03:28 PM    <DIR>          ..
08/02/2022  03:28 PM                31 config
               1 File(s)             31 bytes
               2 Dir(s)  25,655,758,848 bytes free

%USERPROFILE%\.aws>type config
[default]
region = us-east-1

@dburtsev I tested using both scenarios, including environment variable approach (as in your case) setting $Env:AWS_ACCESS_KEY_ID and $Env:AWS_SECRET_ACCESS_KEY. Anyway, your account needs to have ListBuckets permission. I'm unsure on how your AWS CLI command works (you may try spinning up new EC2 without IAM role attached, installing PowerShell and AWS CLI, and try executing your scenario). Unfortunately, we are unable to troubleshoot environment specific issues.

Thanks, Ashish
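The fix Ashish points at is a permission change on the IAM user, not a change to the script. The following is an added example, not code from the issue thread or from the AWS Tools project, showing the smallest inline policy that lets Get-S3Bucket succeed for one named bucket while still listing its objects. It assumes the AWS.Tools.IdentityManagement module is installed and that the caller running it holds iam:PutUserPolicy on the target user; the user name and bucket name are placeholders, not the values from the thread.

```powershell
# Added example (not from the issue). Assumes AWS.Tools.IdentityManagement is
# installed and that the caller may call iam:PutUserPolicy on $UserName.
# User name and bucket name are placeholders.
Import-Module AWS.Tools.IdentityManagement

$UserName   = 'svc_example_user'   # placeholder, not the principal from the thread
$BucketName = 'bucket_name'        # placeholder

# Statement 1: ListBuckets (what Get-S3Bucket calls) is authorized by
#   s3:ListAllMyBuckets. It is an account-wide action, so Resource must be "*";
#   it does not reveal object contents, only bucket names and creation dates.
# Statement 2: listing objects (what `aws s3 ls bucket_name` calls) is
#   s3:ListBucket, scoped to the bucket ARN. A user granted only this statement
#   can run `aws s3 ls` on the bucket yet still gets Access Denied from Get-S3Bucket.
$PolicyDocument = @"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListBucketsForGetS3Bucket",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    },
    {
      "Sid": "AllowListObjectsInOneBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::$BucketName"
    }
  ]
}
"@

# Attach as an inline policy on the user (PutUserPolicy). Re-running overwrites
# the policy of the same name, so this is safe to repeat.
Write-IAMUserPolicy -UserName $UserName -PolicyName 'S3ListBucketsMinimal' -PolicyDocument $PolicyDocument

# Show what is now attached, for the change record.
Get-IAMUserPolicy -UserName $UserName -PolicyName 'S3ListBucketsMinimal'
```

Keeping the two statements separate is deliberate: s3:ListAllMyBuckets cannot be narrowed to one bucket, so the bucket-scoped statement is what limits what the service user can actually read, and the account-wide statement is granted only because the cmdlet being used requires it.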