Unable to access files from public s3 bucket with boto


I recently created a new AWS account (let’s call it “Account A”) and created an S3 bucket in this account (let’s call it “bucketa”), uploading a file foo.txt. Following advice from the internet, I set up what I believe to be the most permissive bucket policy possible (it should allow any type of access by any user):

After creating an IAM user for Account A (“Identity & Access Management -> Users -> Create New Users” and creating a user with “Generate an access key for each user” checked) and storing that user’s credentials in ~/.boto, a simple script using the boto S3 interface can access the uploaded file foo.txt:

I then created a new AWS account (let’s call it “Account B”), and followed the same steps, storing IAM credentials in the .boto file and running the same python script. However in this case I get a 403 error when executing the line print len(k.get_contents_as_string()):

Why is Account B not able to access bucketa despite its very permissive bucket policy? Are there additional permissions I need to set to enable public access by other AWS accounts?

Note: I have already ruled out invalid credentials in Account B’s .boto file as the culprit by creating an S3 bucket bucketb from Account B with the same bucket policy (“bucketa” replaced with “bucketb” in two lines); in this case I can access bucketb with Account B’s credentials but get the same 403 error when using Bucket A’s credentials.


The policy you have allows anonymous users access to the bucket. However, in your case Account B is not an anonymous user, it is an authenticated AWS user and if you want that user to have access you would need to grant it explicitly in the policy. Or, you can just access it anonymously in boto:

That should do the trick. It probably goes without saying but I wouldn’t leave that policy, as is. It would allow anyone to dump anything they want into the bucket.

Leave a Reply