amazon-s3encryptionamazon-kmsimagekit

Imagekit EACCES - Access denied by AWS S3. Check attached IAM policy on AWS


After I set up Imagekit connecting to S3 bucket correctly with IAM policy having the s3:GetObject to the bucket, I got an error accessing the image through Imagekit url.

The error message is EACCES - Access denied by AWS S3. Check attached IAM policy on AWS


Solution

  • Imagekit actually needs more than just action s3:GetObject in the policy if your objects in the S3 buckets are server-side encrypted. It will kms:Decrypt as well. This is not in their documentation as 2022/06/16.

    My IAM policy is like the following to make Imagekit access correctly.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ImagekitObjectAccess",
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject"
                ],
                "Resource": [
                    "arn:aws:s3:::[imagekit-bucket-name]/*"
                ]
            },
            {
                "Sid": "ImagekitObjectEncryptingKeyAccess",
                "Effect": "Allow",
                "Action": [
                    "kms:Decrypt"
                ],
                "Resource": [
                    "arn:aws:kms:us-east-1:187681360541:key/[object-encrypting-key-id]"
                ]
            }
        ]
    }