How to resolve the AWS CLI S3 a Client Error (403)?

250    Asked by ChristianParsons in AWS , Asked on Aug 2, 2023

I want to set up the Amazon Linux AMI (ami-f0091d91). There is a script that runs a copy command to copy from S3 bucket.

Aws – – debug s3 cp s3://aws-codedeploy-us-west-2/latest/codedeploy-agent.noarch.

The script goes well on the local desktop but fails displaying the error code on the Amazon image:

2016-03-22 01:07:47,110 - MainThread - botocore.auth - DEBUG - StringToSign:


Tue, 22 Mar 2016 01:07:47 GMT

2016-03-22 01:07:47,111 - MainThread - botocore.endpoint - DEBUG - Sending http request:
2016-03-22 01:07:47,111 - MainThread - botocore.vendored.requests.packages.urllib3.connectionpool - INFO - Starting new HTTPS connection (1):
2016-03-22 01:07:47,151 - MainThread - botocore.vendored.requests.packages.urllib3.connectionpool - DEBUG - "HEAD /latest/codedeploy-agent.noarch.rpm HTTP/1.1" 403 0
2016-03-22 01:07:47,151 - MainThread - botocore.parsers - DEBUG - Response headers: {'x-amz-id-2': '0mRvGge9ugu+KKyDmROm4jcTa1hAnA5Ax8vUlkKZXoJ//HVJAKxbpFHvOGaqiECa4sgon2F1kXw=', 'server': 'AmazonS3', 'transfer-encoding': 'chunked', 'x-amz-request-id': '6204CD88E880E5DD', 'date': 'Tue, 22 Mar 2016 01:07:46 GMT', 'content-type': 'application/xml'}
2016-03-22 01:07:47,152 - MainThread - botocore.parsers - DEBUG - Response body:
2016-03-22 01:07:47,152 - MainThread - botocore.hooks - DEBUG - Event needs-retry.s3.HeadObject: calling handler
2016-03-22 01:07:47,152 - MainThread - botocore.retryhandler - DEBUG - No retry needed.
2016-03-22 01:07:47,152 - MainThread - botocore.hooks - DEBUG - Event after-call.s3.HeadObject: calling handler
2016-03-22 01:07:47,152 - MainThread - botocore.hooks - DEBUG - Event after-call.s3.HeadObject: calling handler
2016-03-22 01:07:47,152 - MainThread - awscli.errorhandler - DEBUG - HTTP Response Code: 403
2016-03-22 01:07:47,152 - MainThread - awscli.customizations.s3.s3handler - DEBUG - Exception caught during task execution: A client error (403) occurred when calling the HeadObject operation: Forbidden
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/awscli/customizations/s3/", line 100, in call
    total_files, total_parts = self._enqueue_tasks(files)
  File "/usr/local/lib/python2.7/site-packages/awscli/customizations/s3/", line 178, in _enqueue_tasks
    for filename in files:
  File "/usr/local/lib/python2.7/site-packages/awscli/customizations/s3/", line 31, in call
    for file_base in files:
  File "/usr/local/lib/python2.7/site-packages/awscli/customizations/s3/", line 142, in call
    for src_path, extra_information in file_iterator:
  File "/usr/local/lib/python2.7/site-packages/awscli/customizations/s3/", line 314, in list_objects
    yield self._list_single_object(s3_path)
  File "/usr/local/lib/python2.7/site-packages/awscli/customizations/s3/", line 343, in _list_single_object
    response = self._client.head_object(**params)
  File "/usr/local/lib/python2.7/site-packages/botocore/", line 228, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python2.7/site-packages/botocore/", line 488, in _make_api_call
    model=operation_model, context=request_context
  File "/usr/local/lib/python2.7/site-packages/botocore/", line 226, in emit
    return self._emit(event_name, kwargs)
  File "/usr/local/lib/python2.7/site-packages/botocore/", line 209, in _emit
    response = handler(**kwargs)
  File "/usr/local/lib/python2.7/site-packages/awscli/", line 70, in __call__
ClientError: A client error (403) occurred when calling the HeadObject operation: Forbidden
2016-03-22 01:07:47,153 - Thread-1 - awscli.customizations.s3.executor - DEBUG - Received print task: PrintTask(message='A client error (403) occurred when calling the HeadObject operation: Forbidden', error=True, total_parts=None, warning=None)
A client error (403) occurred when calling the HeadObject operation: Forbidden
On running it along the - - no sign request option, it works well.
Aws - - debug - - no-sign-request s3 cp s3:// aws- codedeploy-us-west-2/latest/codedeploy

Why is the error message being shown while calling the headobject operation?

Answered by Diane Carr

You must verify if the given policy offers total access to S3, Also, if you wish to access objects in the s3 bucket, then the following code must be used:

“Resource”: “arn:aws:s3::::BUCKET_NAME/*”
Instead of this,

The initial statement offers total access to the objects present in the s3 bucket. If this is not the issue, see if the EC@ instances and buckets are in the same areas. If not, then the error message will be seen. Ensure that EC@ instances and buckets are in the identical reas. This will erase the error 403 while calling the headobject  operation:forbidden.

Also, maybe you are deploying the instance’s IAM role to create the request explaining x-amz-security-token– temporary details from the role. The role forbids access to S# and the bucket does not give access with the details although it's public. Ensure that the system clock is updated because the HEAD allows the error body to be suppressed.

The AWS Solution Architect Online Training provided at JanBask Training comprises skilled instructors with unique learning delivery techniques that guarantee that the candidates learn and grasp the concepts well. The instructors also motivate the practical utilization of the course to make the concepts more apparent and clear. They teach you the basic to advanced concepts elaborately to help you develop potent strategies so that businesses can shift the information on cloud storage with proper security. They make you job-ready to face the challenging job market scenario.

Your Answer


Parent Categories