Unable to access the S3 bucket after the IAM user was recreated

3 minute read
Content level: Intermediate

If you delete and recreate the user, update the S3 bucket policy with the new user's ARN to grant the user permission on the bucket.

A customer reported that an IAM user could no longer access an S3 bucket after the user had been deleted and recreated in the IAM console. Because the old and new users shared the same username, the customer assumed that the bucket policy, which named the user by ARN, still granted the new user access. However, when an IAM user is deleted, every policy that references its ARN is rewritten to the deleted user's unique ID. The S3 bucket policy therefore pointed at the old user's ID and granted the recreated user nothing, so the new user received an access denied error. To resolve the issue, update the S3 bucket policy with the ARN of the recreated user.

Please see the steps to reproduce the issue below:

  1. AWS CLI user configuration:
$ aws configure --profile s3testuser
AWS Access Key ID [None]: OldAccessKeyID
AWS Secret Access Key [None]: OldSecretAccessKey
Default region name [None]: us-east-1
Default output format [None]: json

$ export AWS_PROFILE=s3testuser

$ aws sts get-caller-identity
{
    "UserId": "AIDACKCEVSQ6C2EXAMPLE",      <========== Old user ID.
    "Account": "111122223333",
    "Arn": "arn:aws:iam::111122223333:user/s3testuser"
}
  2. S3 bucket policy grants the user permission on the bucket:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:user/s3testuser"   <========== User ARN. 
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::mybucketnamehere",
                "arn:aws:s3:::mybucketnamehere/*"
            ]
        }
    ]
}
  3. User can access the bucket:
$ aws s3 ls s3://mybucketnamehere
2024-06-21 02:27:27      80755 1.JPG

$ aws s3 cp s3://mybucketnamehere/1.JPG .
download: s3://mybucketnamehere/1.JPG to ./1.JPG
  4. Delete the user from the IAM console.

  5. S3 bucket policy is changed:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "AIDACKCEVSQ6C2EXAMPLE"  <========== Changed from user ARN to user ID.
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::mybucketnamehere",
                "arn:aws:s3:::mybucketnamehere/*"
            ]
        }
    ]
}
  6. Recreate the user with the same username and configure the user profile:
$ aws configure --profile s3testuser
AWS Access Key ID [****************]: NewAccessKeyID
AWS Secret Access Key [****************]: NewSecretAccessKey
Default region name [us-east-1]:
Default output format [json]:

$ export AWS_PROFILE=s3testuser

$ aws sts get-caller-identity
{
    "UserId": "AIDAT2GQOK7BGGEXAMPLE",   <========== New user ID.
    "Account": "111122223333",
    "Arn": "arn:aws:iam::111122223333:user/s3testuser"
}
  7. New user gets Access Denied:
$ aws s3 ls s3://mybucketnamehere
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

$ aws s3 cp s3://mybucketnamehere/1.JPG .
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
  8. Update the S3 bucket policy with the user ARN:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:user/s3testuser"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::mybucketnamehere",
                "arn:aws:s3:::mybucketnamehere/*"
            ]
        }
    ]
}
  9. New user accesses the S3 bucket successfully:
$ aws s3 ls s3://mybucketnamehere
2024-06-21 02:27:27      80755 1.JPG

$ aws s3 cp s3://mybucketnamehere/1.JPG .
download: s3://mybucketnamehere/1.JPG to ./1.JPG
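As an added check, not part of the original article or of any AWS tool, the following Python script flags bucket-policy principals that have collapsed to a bare unique ID (the symptom in step 5) and rewrites them to the recreated user's ARN (step 8). The policy, IDs and ARNs are a constructed sample copied from the walkthrough above.

```python
import json
import re

# A deleted IAM user's or role's ARN is rewritten in policies to its unique
# ID ("AIDA..." user, "AROA..." role), so a bare ID means the entity is gone.
ORPHAN_ID_RE = re.compile(r"^(AIDA|AROA)[A-Z0-9]{12,}$")

def _aws_principals(statement):
    """List the AWS principals named by one statement ('*' yields none)."""
    principal = statement.get("Principal", {})
    if not isinstance(principal, dict):
        return []
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)

def find_orphaned_principals(policy):
    """Return (statement index, unique ID) for every principal whose ARN
    has collapsed to a unique ID, i.e. whose user or role was deleted."""
    return [(i, p)
            for i, stmt in enumerate(policy.get("Statement", []))
            for p in _aws_principals(stmt) if ORPHAN_ID_RE.match(p)]

def replace_principal(policy, orphan_id, new_arn):
    """Return a deep copy of the policy with orphan_id replaced by new_arn."""
    fixed = json.loads(json.dumps(policy))
    for stmt in fixed.get("Statement", []):
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or "AWS" not in principal:
            continue
        aws = principal["AWS"]
        if isinstance(aws, str):
            principal["AWS"] = new_arn if aws == orphan_id else aws
        else:
            principal["AWS"] = [new_arn if p == orphan_id else p for p in aws]
    return fixed

# Constructed sample: the bucket policy as it looks after the old user was
# deleted (IDs, names and ARNs taken from the walkthrough above).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "AIDACKCEVSQ6C2EXAMPLE"},
    "Action": "s3:*", "Resource": ["arn:aws:s3:::mybucketnamehere",
                                   "arn:aws:s3:::mybucketnamehere/*"]}]}
NEW_USER_ARN = "arn:aws:iam::111122223333:user/s3testuser"

if __name__ == "__main__":
    orphans = find_orphaned_principals(SAMPLE_POLICY)
    print("orphaned principals:", orphans)   # [(0, 'AIDACKCEVSQ6C2EXAMPLE')]
    for _, uid in orphans:
        print(json.dumps(replace_principal(SAMPLE_POLICY, uid, NEW_USER_ARN), indent=2))
```

On a live bucket, feed the script the document returned by `aws s3api get-bucket-policy --bucket <name>` and apply the corrected JSON with `aws s3api put-bucket-policy`; after the update, `aws sts get-caller-identity` from the new profile should show the ARN you granted.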

Summary: If you delete and recreate the user, update the S3 bucket policy with the new user's ARN to grant the user permission on the bucket.
