The title sums up the problem. When entering the GUI I observe the following role at the upper right corner:
my_name @ 1234
When calling
aws sts get-caller-identity --profile my_role
in the CLI I get:
"UserId": "my_user_id",
"Account": "1234",
"Arn": "arn:aws:iam::1234:user/my_name"
From that I conclude that I am logged in with the same role in the GUI and the CLI. When opening the S3 bucket "s3_bucket_signature-1" via the GUI I can see all the files in the bucket and I am able to download them. However, when calling
aws s3 cp --recursive s3://s3_bucket_signature-1/* my_dir --profile my_role
I get:
fatal error: An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied?
My role is within a user group. Every role in this user group has the following permissions:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*",
                "s3-object-lambda:Get*",
                "s3-object-lambda:List*"
            ],
            "Resource": [
                "arn:aws:s3:::s3_bucket_signature-*",
                "arn:aws:s3:::s3_bucket_signature-*/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        }
    ]
}
Any idea what is going on here?
CodePudding user response:
It was an issue with MFA. When MFA is enabled and you want to access resources via the CLI, perform the steps described in: How to use MFA with AWS CLI?
And if you want to use the boto3 API, see: https://charlesvictus.medium.com/using-mfa-with-aws-using-python-and-boto3-f4f3e532f177
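The MFA fix from the answer above, as an added example rather than code from the original post or the linked articles: a shell helper that trades long-lived access keys plus an MFA code for temporary session credentials via `aws sts get-session-token`. The function names and the MFA device ARN are assumptions; the profile name `my_role` and account `1234` are taken from the question.

```shell
# Added example. Function names and the MFA device ARN are hypothetical.

# Convert the whitespace-separated line "AccessKeyId SecretAccessKey SessionToken"
# (what --query ... --output text prints) into export statements.
creds_to_exports() (
  read -r key secret token extra <<EOF
$1
EOF
  # Refuse partial output instead of exporting empty credentials.
  if [ -z "$key" ] || [ -z "$secret" ] || [ -z "$token" ] || [ -n "$extra" ]; then
    echo "unexpected get-session-token output" >&2
    exit 1
  fi
  # The result is meant for eval, so reject anything that could break quoting.
  case "$key$secret$token" in
    *\'*) echo "credential contains a quote character" >&2; exit 1 ;;
  esac
  printf "export AWS_ACCESS_KEY_ID='%s'\n" "$key"
  printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$secret"
  printf "export AWS_SESSION_TOKEN='%s'\n" "$token"
)

# $1 = profile holding the long-lived keys, $2 = MFA device ARN, $3 = current code
mfa_session_exports() (
  profile=$1 serial=$2 code=$3
  # STS token codes are exactly six digits; fail before making an API call.
  case "$code" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "MFA token code must be six digits" >&2; exit 1 ;;
  esac
  line=$(aws sts get-session-token --profile "$profile" \
           --serial-number "$serial" --token-code "$code" \
           --duration-seconds 3600 \
           --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
           --output text) || exit 1
  creds_to_exports "$line"
)

# Usage (the device ARN is a placeholder):
#   eval "$(mfa_session_exports my_role arn:aws:iam::1234:mfa/my_device 123456)"
#   aws sts get-caller-identity   # no --profile, so the exported session is used
```

The exported credentials expire after the requested duration (one hour here), after which the helper has to be run again with a fresh code.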