Are you getting an unexplained "An error occurred (AccessDenied) when calling the GetObject operation: Access Denied" error when trying to copy a file from an S3 bucket onto an EC2 instance, even though the role assigned to the instance has the s3:GetObject permission? It could be that your bucket/file is encrypted with AWS-KMS.

I recently faced this issue where I was getting an access denied error message when attempting to copy a file to the local EC2 instance from an S3 bucket.

[ec2-user@ip-xxx-xxx-xxx-xxx ~]$ aws s3 cp s3://my-bucket/my-file.zip my-file.zip
download failed: s3://my-bucket/my-file.zip to ./my-file.zip An error occurred (AccessDenied) when calling the GetObject operation: Access Denied

I checked and checked again the role assigned to the EC2 instance and sure enough it had the s3:GetObject permission, which left me confused. I checked the permissions on the S3 bucket and the individual file and confirmed that I should have read-only access to the file.

S3 file permissions

I was able to download the file locally on my MacBook Pro using my admin user successfully, which left me further confused.

However, whilst inspecting the settings, I noticed that the file was encrypted with AWS-KMS encryption. KMS is the Key Management Service, which allows easy creation and management of encryption keys across many of the AWS services. At this point it occurred to me that the EC2 role would require some sort of permission to access the KMS service in order to decrypt the file in S3 storage.

After some Googling, I discovered that the only additional permission required was kms:Decrypt. This left the IAM role policy as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "kms:Decrypt"
            ],
            "Resource": "*"
        }
    ]
}
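As an added example (not code from the post), the script below encodes the rule behind the fix: reading an SSE-KMS object needs both s3:GetObject on the object and kms:Decrypt on the key that encrypts it. It runs a simplified identity-policy evaluator over three policies: the GetObject-only policy that produced the error, the post's "Resource": "*" fix, and a least-privilege variant scoped to one bucket and one key. The bucket and key ARNs are constructed placeholders, and the evaluator ignores Condition blocks, resource policies and KMS key policies, so an "allowed" result here is necessary but not sufficient.

```python
import fnmatch

# Constructed placeholder ARNs: substitute your own bucket and the key that encrypts the objects.
OBJECT_ARN = "arn:aws:s3:::my-bucket/my-file.zip"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
OTHER_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/SOME-OTHER-KEY"

# Policy the instance role had before the fix: GetObject only, so SSE-KMS reads fail.
S3_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}

# The post's fix: works, but lets the role decrypt with every key it can reach.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "kms:Decrypt"], "Resource": "*"}]}

# Least-privilege variant: GetObject on one bucket's objects, Decrypt on one named key.
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"},
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny wins, otherwise any
    matching Allow grants, otherwise implicit deny. Action matching is case-insensitive;
    '*' and '?' wildcards follow fnmatch rules. Conditions, resource policies and
    KMS key policies are not modelled, so True is necessary, not sufficient."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def missing_for_sse_kms_read(policy, object_arn, key_arn):
    """Return the permissions still missing to GET an SSE-KMS object: S3 checks
    s3:GetObject on the object, then calls KMS on your behalf, which checks kms:Decrypt."""
    needed = {"s3:GetObject": object_arn, "kms:Decrypt": key_arn}
    return [act for act, res in needed.items() if not is_allowed(policy, act, res)]


if __name__ == "__main__":
    for name, pol in (("s3-only", S3_ONLY), ("broad", BROAD), ("scoped", SCOPED)):
        print(name, "missing:", missing_for_sse_kms_read(pol, OBJECT_ARN, KEY_ARN))
```

Running it shows the GetObject-only policy missing kms:Decrypt (the situation in the post), while the scoped policy passes for the named key and bucket but correctly fails for any other key or bucket.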