python amazon-web-services amazon-s3 minio minio-client

minio.error.S3Error: S3 operation failed; code: AccessDenied, message: Access Denied., resource: /musor-bucket


Create the bucket

mc mb local/musor-bucket --debug

Create the credentials pair

mc admin user add local musor-user musor-top-secret-key --debug

Create the policy to grant access to the bucket

# cat musor-bucket-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowBucketSync",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::musor-bucket",
        "arn:aws:s3:::musor-bucket/*"
      ]
    }
  ]
}

Add policy to your minio instance

mc admin policy create local musor-bucket-policy ./data/musor-bucket-policy.json --debug

Associate policy with your user

mc admin policy attach local musor-bucket-policy --user=musor-user --debug

You can verify that everything is set up as you’d expect by running this:

# mc admin user info local musor-user
AccessKey: musor-user
Status: enabled
PolicyName: musor-bucket-policy
MemberOf: []

Try to connect with Python

from minio import Minio
from minio.commonconfig import SnowballObject
from urllib3 import PoolManager


access_key="musor-user"
secret_key="musor-top-secret-key"


pool_manager = PoolManager(
    ca_certs="minio/tls-ca-bundle.pem",
    cert_reqs="CERT_REQUIRED",
)

client = Minio(
    "minio.local:443",
    access_key=access_key,
    secret_key=secret_key,
    secure=True,
    http_client=pool_manager
)

print(client.bucket_exists("musor-bucket"))

It returns an error

minio.error.S3Error: S3 operation failed; code: AccessDenied, message: Access Denied., resource: /musor-bucket, request_id: 180F0EC003737710, host_id: 03f6d7ba09b0531a178059659f12e65ab6a75adddf2f548b1f37624d55d95fba, bucket_name: musor-bucket

How do I solve this problem?


Solution

  • The error Access Denied usually means that the MinIO policy is not properly attached, or the user does not have the necessary permissions for the bucket. Let’s troubleshoot and solve the issue step-by-step.

    You need to update the bucket policy to include the s3:HeadBucket action. Update your musor-bucket-policy.json as follows:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowBucketSync",
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:ListBucket",
            "s3:PutObject",
            "s3:HeadBucket",
            "s3:GetBucketLocation",
            "s3:ListAllMyBuckets"
          ],
          "Resource": [
            "arn:aws:s3:::musor-bucket",
            "arn:aws:s3:::musor-bucket/*"
          ]
        }
      ]
    }
    

    Check: https://min.io/docs/minio/linux/administration/identity-access-management/policy-based-access-control.html
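An offline check of which action and resource pairs the question's policy document grants, added here as an example; it is not code from the question or the answer, and it is not MinIO's own policy evaluator. It assumes a simplified model: only Effect, Action and Resource with `*` and `?` wildcards are evaluated (Condition, NotAction and NotResource are ignored), and the object key and the two other bucket names are constructed sample values.

```python
import re

# Policy from the question, as posted.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowBucketSync",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
        "Resource": ["arn:aws:s3:::musor-bucket", "arn:aws:s3:::musor-bucket/*"],
    }],
}
BUCKET = "arn:aws:s3:::musor-bucket"
# Constructed probes: the object key and the other bucket names are sample values.
CHECKS = [
    ("s3:ListBucket", BUCKET),
    ("s3:GetObject", BUCKET + "/report.csv"),
    ("s3:PutObject", BUCKET + "/report.csv"),
    ("s3:DeleteObject", BUCKET + "/report.csv"),
    ("s3:ListBucket", "arn:aws:s3:::other-bucket"),
    ("s3:GetObject", "arn:aws:s3:::musor-bucket-backup/report.csv"),
]


def _as_list(value):
    """Policy fields may be a single item or a list of items."""
    return list(value) if isinstance(value, list) else [value]


def _matches(pattern, value):
    """Wildcard match: '*' is any run of characters, '?' is exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.DOTALL) is not None


def is_allowed(policy, action, resource):
    """Explicit Deny wins, then any matching Allow; no match means denied."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        hit = (any(_matches(a, action) for a in _as_list(stmt.get("Action", [])))
               and any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed


def grant_report(policy, checks=CHECKS):
    """Map each (action, resource) probe to True (granted) or False."""
    return {probe: is_allowed(policy, *probe) for probe in checks}


if __name__ == "__main__":
    for (action, resource), ok in grant_report(POLICY).items():
        print(f"{'ALLOW' if ok else 'DENY ':5}  {action:16} {resource}")
```

The last probe stays denied because the object pattern ends in `/*`; a looser pattern such as `arn:aws:s3:::musor-bucket*` would also match buckets whose names merely start with `musor-bucket`.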