I have an AWS REST API that is configured to delete an object in S3 bucket by HTTP DELETE request. It is working fine, as long as the object is not inside a folder.
For example, a request 'https://a723csc6g8.execute-api.eu-central-1.amazonaws.com/v1/my-bucket/photo' works, while 'https://a723csc6g8.execute-api.eu-central-1.amazonaws.com/v1/my-bucket/folder/photo' does not. I get a 403 error: missing authentication token.
My IAM policy has the following permissions: ListBucket, DeleteObject and DeleteObjectVersion. Object access restriction: arn:aws:s3:::my-bucket*/*
The API json file:
{
  "swagger" : "2.0",
  "info" : {
    "version" : "2016-10-21T17:26:28Z",
    "title" : "ApiName"
  },
  "host" : "a723csc6g8.execute-api.eu-central-1.amazonaws.com",
  "basePath" : "/v1",
  "schemes" : [ "https" ],
  "paths" : {
    "/{bucket}/{key}" : {
      "delete" : {
        "produces" : [ "application/json" ],
        "parameters" : [ {
          "name" : "key",
          "in" : "path",
          "required" : true,
          "type" : "string"
        }, {
          "name" : "bucket",
          "in" : "path",
          "required" : true,
          "type" : "string"
        } ],
        "responses" : {
          "200" : {
            "description" : "200 response",
            "schema" : {
              "$ref" : "#/definitions/Empty"
            }
          }
        }
      }
    }
  },
  "definitions" : {
    "Empty" : {
      "type" : "object",
      "title" : "Empty Schema"
    }
  }
}
Has anybody encountered a similar problem? Is there anything I am missing?
There are multiple reasons why you are "still" not allowed to delete the file; a few off the top of my head (all of these would prevent you from deleting even when IAM "allows" it):
My suggestion would be to inspect the response in detail and maybe decrypt the response if it does contain an encrypted error message. You can also check CloudTrail for authentication issues.
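Added example, not code from the question or the answer above: a small offline reproduction of how API Gateway resolves the posted path template, plus a classifier for the 403 body the answer suggests inspecting. It relies on two documented API Gateway behaviours: a plain path parameter such as `{key}` matches exactly one path segment, while a greedy parameter written `{key+}` matches the rest of the path including slashes; and when no deployed resource/method matches the request path, API Gateway itself answers 403 with the JSON body `{"message":"Missing Authentication Token"}` without invoking any integration. The Swagger fragments, the `resolve`/`classify_response` helper names and the sample S3 error body are constructed for this example.

```python
import json
import re
from typing import Dict, Optional

# Assumed matching rule (API Gateway's documented behaviour, not code from the page):
# {key} matches one path segment; {key+} is greedy and takes the remainder.
GREEDY_SUFFIX = "+"


def match_route(template: str, path: str) -> Optional[Dict[str, str]]:
    """Return the path parameters if `path` matches `template`, otherwise None.

    `template` is an API Gateway resource path such as "/{bucket}/{key}" or
    "/{bucket}/{key+}"; `path` is the request path with the stage ("/v1") removed.
    """
    t_parts = template.strip("/").split("/")
    p_parts = path.strip("/").split("/")
    params: Dict[str, str] = {}
    for i, t in enumerate(t_parts):
        m = re.fullmatch(r"\{(\w+)(\+?)\}", t)
        if m and m.group(2) == GREEDY_SUFFIX:
            if i != len(t_parts) - 1:
                raise ValueError("a greedy parameter must be the last template segment")
            rest = p_parts[i:]
            if not rest or rest == [""]:
                return None
            params[m.group(1)] = "/".join(rest)  # slashes survive, e.g. "folder/photo"
            return params
        if i >= len(p_parts) or p_parts[i] == "":
            return None
        if m:
            params[m.group(1)] = p_parts[i]
        elif t != p_parts[i]:
            return None  # literal segment mismatch
    if len(p_parts) != len(t_parts):
        return None  # leftover segments and no greedy parameter to absorb them
    return params


def resolve(swagger: dict, method: str, path: str) -> Optional[Dict[str, str]]:
    """Return the parameters of the first deployed Swagger 2.0 path that matches
    `method` and `path`. None means API Gateway would answer
    403 {"message":"Missing Authentication Token"} without calling the S3 integration."""
    for template, methods in swagger["paths"].items():
        if method.lower() not in methods:
            continue
        params = match_route(template, path)
        if params is not None:
            return params
    return None


def classify_response(status: int, body: str) -> str:
    """Map a failed DELETE response to a short cause code.

    NO_MATCHING_RESOURCE: API Gateway's own 403; the integration never ran, so
        CloudTrail will show no S3 DeleteObject event for the request.
    S3_ACCESS_DENIED: the call reached S3 and IAM or a bucket policy refused it.
    OTHER: anything else; read the body.
    """
    try:
        message = json.loads(body).get("message", "")
    except (json.JSONDecodeError, AttributeError):
        message = ""
    if status == 403 and message == "Missing Authentication Token":
        return "NO_MATCHING_RESOURCE"
    if status == 403 and "<Code>AccessDenied</Code>" in body:
        return "S3_ACCESS_DENIED"
    return "OTHER"


# Constructed samples: the template from the question, and a greedy variant.
SWAGGER_AS_POSTED = {"paths": {"/{bucket}/{key}": {"delete": {}}}}
SWAGGER_GREEDY = {"paths": {"/{bucket}/{key+}": {"delete": {}}}}

# Constructed sample bodies in the shapes API Gateway and S3 return.
GATEWAY_403 = '{"message":"Missing Authentication Token"}'
S3_403 = "<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"

if __name__ == "__main__":
    for doc, label in ((SWAGGER_AS_POSTED, "as posted"), (SWAGGER_GREEDY, "greedy key")):
        for p in ("/my-bucket/photo", "/my-bucket/folder/photo"):
            print(f"{label:10} DELETE {p:26} -> {resolve(doc, 'DELETE', p)}")
    print(classify_response(403, GATEWAY_403), classify_response(403, S3_403))
```

Running it shows "/my-bucket/folder/photo" resolving to None against the posted template and to `{"bucket": "my-bucket", "key": "folder/photo"}` against the greedy one. The practical check this gives you: if the body is the gateway's own "Missing Authentication Token" message, IAM was never consulted, so expanding the execution role or the `arn:aws:s3:::my-bucket*/*` resource will not change the outcome, and a CloudTrail search for the S3 call will come up empty.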