I'm trying to access an Amazon S3 bucket owned by a client in a separate AWS account. The client granted access at the bucket level, but we're having trouble accessing the files. We keep getting an error indicating that our IAM user doesn't have permission to perform 'kms:Decrypt'. I noticed that while our S3 client is set up in the US-EAST-1 region, the client's bucket is located in US-WEST-1. Could this region difference be causing the issue? Also, can we configure our AWS account to access S3 buckets across different regions?
2 Answers
The error message basically tells you what's wrong. You probably need to adjust the policy on the KMS key to grant you permission to decrypt the content. If it's using the default AWS-managed key (the alias `aws/s3`), you typically can’t modify those policies, and that can be a hurdle.
The IAM roles or users aren't tied to specific regions, so the region discrepancy shouldn't be causing the issue directly. The error indicates that you likely don't have the right permissions to decrypt the files in the bucket. You might want to check if the permissions set on the KMS key are adequate for your access needs.
That’s a bummer! The client's using the default AWS key, and we can't edit the policy. They’re hesitant to switch to a custom KMS key. Does that mean we're out of luck accessing their S3 bucket?
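To make the answers above concrete, here is an added example (not from the original thread or from AWS) showing the two things a reviewer would check on the bucket owner's side: whether the key behind the bucket's SSE-KMS encryption is AWS-managed (`KeyManager` of `AWS` in the `DescribeKey` response, which is the case for the `aws/s3` key and means the key policy cannot be edited or shared with another account), and whether a customer-managed key's policy actually grants `kms:Decrypt` to the requesting account. The account IDs, the key policy and the key metadata are constructed sample data; the policy matcher is a deliberately simplified evaluator (no `Condition`, `NotPrincipal` or `NotAction` handling) meant for a quick sanity check, not a replacement for the IAM policy simulator.

```python
import fnmatch

# Constructed sample data: hypothetical account IDs for this example.
BUCKET_OWNER_ACCOUNT = "111111111111"   # the client's account (owns bucket and key)
REQUESTER_ACCOUNT = "222222222222"      # our account (reads the objects)

# Constructed sample: what a customer-managed key policy would need to contain
# so that principals in REQUESTER_ACCOUNT can decrypt objects in the bucket.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Standard statement: key owner keeps full control.
            "Sid": "EnableRootPermissions",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{BUCKET_OWNER_ACCOUNT}:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {   # Cross-account grant: only what a reader needs, nothing more.
            "Sid": "AllowExternalAccountDecrypt",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{REQUESTER_ACCOUNT}:root"},
            "Action": ["kms:Decrypt", "kms:DescribeKey"],
            "Resource": "*",
        },
    ],
}

# Constructed samples of the KeyMetadata part of a kms:DescribeKey response.
AWS_MANAGED_KEY_METADATA = {"KeyManager": "AWS"}        # e.g. the aws/s3 key
CUSTOMER_MANAGED_KEY_METADATA = {"KeyManager": "CUSTOMER"}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def principal_covers_account(principal, account_id):
    """True if the statement's Principal includes any identity in account_id."""
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
    for p in aws:
        if p in ("*", account_id) or p.startswith(f"arn:aws:iam::{account_id}:"):
            return True
    return False


def account_allowed_action(policy, account_id, action="kms:Decrypt"):
    """Simplified key-policy evaluation: explicit Deny wins, else any Allow.
    Conditions, NotPrincipal and NotAction are not evaluated (simplification)."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if not principal_covers_account(stmt.get("Principal", {}), account_id):
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(_action_matches(a, action) for a in actions):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def cross_account_findings(key_metadata, key_policy, requester_account):
    """Return the reasons a cross-account read of SSE-KMS objects would fail."""
    findings = []
    if key_metadata.get("KeyManager") == "AWS":
        findings.append(
            "key is AWS-managed (such as aws/s3): its policy cannot be edited or "
            "shared with another account; objects must be re-encrypted under a "
            "customer-managed key before cross-account decrypt can be granted"
        )
    if not account_allowed_action(key_policy, requester_account, "kms:Decrypt"):
        findings.append(f"key policy does not allow kms:Decrypt to account {requester_account}")
    return findings


if __name__ == "__main__":
    for label, meta in (("aws/s3", AWS_MANAGED_KEY_METADATA), ("customer key", CUSTOMER_MANAGED_KEY_METADATA)):
        print(label, cross_account_findings(meta, SAMPLE_KEY_POLICY, REQUESTER_ACCOUNT) or ["ok"])
```

Even with the key policy in place, the reading account still has to allow `kms:Decrypt` (plus the S3 object actions) in the IAM policy attached to its own user or role, since cross-account access requires both sides to grant it; checking that identity policy with the same matcher is a straightforward extension.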