I have an ECS Fargate task using a bucket in the same account. For test purposes (I'll tighten the permissions later), the task is using AmazonS3FullAccess policy.
From the Fargate task, I can list files in the bucket successfully using awscli, but any PutObject attempt gives Access Denied.
The bucket has a private ACL and no other policies assigned.
I can upload to the same bucket via awscli from my own user (which has admin privs) in the same AWS account.
Does anyone know why a role cannot upload to a bucket when that role has the AmazonS3FullAccess policy applied?
The AmazonS3FullAccess policy is:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*",
                "s3-object-lambda:*"
            ],
            "Resource": "*"
        }
    ]
}
CodePudding user response:
S3 access can be a little messy: you have three different ways to restrict access to an S3 bucket. These are IAM policies, bucket policies and ACLs. So if, as you say, the ACL is giving the green light and so is the IAM policy, your access issue may be in the bucket policy. S3 is one of the services with resource-based policies in AWS.
CodePudding user response:
OK, the permissions and roles are fine. We were using bucket encryption with a custom KMS key rather than the default AWS one, so the encryption key ID needs to be specified on each upload.
We changed the bucket to use default AWS encryption (AES256).
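The permission detail behind that answer is worth spelling out, because switching the bucket to SSE-S3 is not the only fix. AmazonS3FullAccess grants s3:* and s3-object-lambda:*, and nothing under the kms: namespace. When a bucket's default encryption is SSE-KMS with a customer managed key, S3 calls KMS on the caller's behalf: PutObject needs kms:GenerateDataKey on that key, and GetObject (and multipart uploads) need kms:Decrypt. If the principal lacks those, KMS refuses and S3 reports it as a plain AccessDenied on the S3 operation, while ListBucket, which never touches KMS, keeps working. That matches the symptoms in the question. The least-privilege alternative to downgrading the bucket's encryption is to give the Fargate task role the KMS permissions it is missing. Below is an added example of such a task-role policy, written for this page and not taken from the original question or answers; the bucket name, region, account ID and key ID are placeholders to be replaced with your own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BucketObjectAccess",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::example-task-bucket",
        "arn:aws:s3:::example-task-bucket/*"
      ]
    },
    {
      "Sid": "UseBucketKmsKey",
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.us-east-1.amazonaws.com"
        }
      }
    }
  ]
}
```

Two caveats when applying this. First, an IAM policy alone is not sufficient for KMS: the key's own key policy must also allow the principal, either by naming the task role directly or through the default statement that delegates to the account's IAM policies; a key policy that omits both will still deny the task role. Second, the kms:ViaService condition restricts the role to using the key through S3 in that region, so the role cannot call KMS directly with it; drop the condition if the task legitimately needs to encrypt or decrypt outside S3. With this in place the bucket can keep its customer managed key and its default encryption setting, and uploads from the task succeed without changing the bucket's encryption configuration.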