eric eric - 2 years ago 142
Java Question

S3: User cannot access object in his own s3 bucket if created by another user

An external user has access to our s3 bucket, using these actions in our bucket policy:

"Action": [

That user generated temporary credentials, which were then used to upload a file into our bucket.

Now, I cannot access the file. In the s3 UI, if I attempt to download the file, I get a 403. If I attempt to change the permissions on that object, I see the message: "Sorry! You do not have permissions to view this bucket." If the external user sets the appropriate header (x-amz-acl bucket-owner-full-control) when uploading the file with the temporary credentials, I can access the file normally. It seems strange to me that even though I own the bucket, it is possible for the external user to put files into it that I am unable to access.

Is it possible that there is some policy I can set so I can access the file, or so that I am able to access any file that is added to my bucket, regardless of how it is added? Thanks!

Answer Source

I believe you have to get the object owner to update the ACL or re-write the object specifying bucket owner full control. The simplest way to experiment with this is using the CLI:

aws s3api put-object-acl --acl bucket-owner-full-control --bucket some-bucket --key path/to/unreadable.txt

Yeah, I think you have to do that once for each object; I don't think there is a recursive option.

AWS publishes an example bucket policy to prevent adding objects to the bucket without giving the bucket owner full control. But that will not address ownership of the objects already in your bucket.

I don't know of any policy that will automagically transfer ownership to the bucket owner.
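
An added example, not part of the original answer and not AWS's published policy text: a shell sketch of both halves of the fix described above, a Deny statement that rejects uploads lacking the bucket-owner-full-control ACL, and a per-object loop standing in for the missing recursive option. The function names deny_policy and fix_acls and the bucket and prefix arguments are hypothetical; the loop assumes it runs with the credentials of the account that uploaded the objects.

```shell
#!/bin/sh
# Added example. Bucket names and prefixes passed in are placeholders.

# Print a bucket policy that rejects PutObject unless the request carries
# x-amz-acl: bucket-owner-full-control. With Principal "*" the Deny also
# covers the bucket owner's own uploads, so they must send the header too.
deny_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "RequireBucketOwnerFullControl",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::$1/*",
    "Condition": {
      "StringNotEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
    }
  }]
}
EOF
}

# Re-apply the ACL to every key under a prefix, one API call per object.
# Prints each key that was updated. Runs in a subshell to keep variables local.
fix_acls() (
  bucket=$1 prefix=$2
  # 'Contents[].[Key]' with text output yields exactly one key per line.
  aws s3api list-objects-v2 --bucket "$bucket" --prefix "$prefix" \
      --query 'Contents[].[Key]' --output text |
  while IFS= read -r key; do
    # An empty listing prints "None" in text output; skip it and blank lines.
    case "$key" in ''|None) continue ;; esac
    aws s3api put-object-acl --acl bucket-owner-full-control \
        --bucket "$bucket" --key "$key" && printf '%s\n' "$key"
  done
)

# Usage (bucket owner):    deny_policy some-bucket > policy.json
#                          aws s3api put-bucket-policy --bucket some-bucket --policy file://policy.json
# Usage (object uploader): fix_acls some-bucket path/to/
```

The policy only blocks future uploads; objects already in the bucket still need the loop, run by their owner.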
