AWS SDK throws 403 when checking for non-existing S3 key, but returns true for existing key

Question

I use the AmazonS3Client from the AWS SDK for Java in version 1.11.66 to check for the existence of a key in S3:

s3client.doesObjectExist(bucketName, key);

If I give it an existing key name, it properly returns true. For non-existing keys I always get an AmazonS3Exception informing me about a 403 coming back from the API.

What do I have to change to make it return false?

The IAM policy for the service looks like this:

{

  "Version": "2012-10-17",

  "Statement": [

    {

      "Action": [

        "s3:*"

      ],

      "Effect": "Allow",

      "Resource": "arn:aws:s3:::MY_BUCKET/*"

    }

  ]

}

Answer 1

Seems like you've granted permissions to objects, not the bucket. Your policy should allow listing the bucket. Try specifying the bucket name in policy:

{

  "Version": "2012-10-17",

  "Statement": [

    {

      "Action": [

        "s3:*"

      ],

      "Effect": "Allow",

      "Resource": "arn:aws:s3:::MY_BUCKET"

    }

  ]

}

Note MY_BUCKET instead of MY_BUCKET/*.