Boto3 S3 error - AccessDenied when calling the PutObjectAcl

Question

Trying to generate a publicly-accessible URL for a file that was uploaded into an S3 bucket using the following code:

client = boto3.client('s3', config=botocore.client.Config(signature_version=botocore.UNSIGNED))
client.put_object_acl(Bucket="my-bucket", Key=filename, ACL='public-read')

throws the exception:

botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the PutObjectAcl operation: Access Denied

My S3 bucket has the following policy:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {}
        }
    ]
}

Any tips would be most welcome! Thanks

Answer 1

Pay attention that you also need to adjust KMS key access:
https://aws.amazon.com/premiumsupport/knowledge-center/copy-s3-objects-account/

Important: If your S3 bucket has default encryption with AWS Key Management Service (AWS KMS) enabled, then you must also modify the AWS KMS key permissions. For instructions, see My Amazon S3 bucket has default encryption using a custom AWS KMS key. How can I allow users to download from and upload to the bucket?