Hi Larry,
Ok, you got me. I'll take another peek although I've not played around
much with Bucket Policies. Could be something extra Boto is doing
though.
Looking at the 403 again that you got with the previous policy...
> >> SSarchive-Traceback (most recent call last):
> >> File "SSarchive.py", line 1091, in <module>
> >> main()
> >> File "SSarchive.py", line 721, in main
> >> BUCKET = S3.get_bucket(_s3bucket)
> >> File "C:\Python27\lib\site-packages\boto\s3\connection.py", line 502, in get_bucket
> >> return self.head_bucket(bucket_name, headers=headers)
> >> File "C:\Python27\lib\site-packages\boto\s3\connection.py", line 535, in head_bucket
> >> raise err
> >> S3ResponseError: S3ResponseError: 403 Forbidden
We can see from above that your SSarchive program is calling
get_bucket(). This in turn calls head_bucket().
head_bucket() does a HEAD request on the bucket name. A HEAD is like a
GET request but doesn't return any contents so is lightweight. It does
however require that the user have permissions to GET the bucket. A GET
on the bucket is a bucket listing so it requires s3:ListBucket.
When checking the source of connection.py, I noticed that if you are
sure the bucket exists, you can skip this HEAD request altogether by
using:
get_bucket(bucketname, validate=False)
Remove the GetObject rights for now and let's work through the
exceptions.
Tom.
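
Added example, not part of the original message and not boto's own code: a simplified policy check showing why the HEAD issued by get_bucket() can return 403 while object requests succeed. s3:ListBucket is evaluated against the bucket ARN, not the bucket/* object ARN. The policy, bucket name, account id and helper names are constructed for illustration.

```python
import copy
import fnmatch

# Constructed sample policy; bucket name and account id are placeholders.
POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:user/archiver"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-archive/*",
    }],
}

# Request -> (required action, True if the resource is the bucket itself).
REQUIRED = {
    "HEAD bucket": ("s3:ListBucket", True),   # get_bucket() with validation on
    "GET object": ("s3:GetObject", False),
    "PUT object": ("s3:PutObject", False),
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def allowed(policy, request, bucket, key="some/key"):
    """Simplified evaluation: ignores Principal, Condition and IAM user policies."""
    action, on_bucket = REQUIRED[request]
    arn = "arn:aws:s3:::" + bucket + ("" if on_bucket else "/" + key)
    verdict = False
    for st in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(st["Action"])]
        if _matches(actions, action.lower()) and _matches(st["Resource"], arn):
            if st["Effect"] == "Deny":
                return False          # an explicit Deny always wins
            verdict = True
    return verdict

def with_list_bucket(policy, bucket):
    """Return a copy that also allows listing, scoped to the bucket ARN."""
    fixed = copy.deepcopy(policy)
    fixed["Statement"].append({
        "Effect": "Allow",
        "Principal": fixed["Statement"][0]["Principal"],
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::" + bucket,
    })
    return fixed
```

With the sample policy, "HEAD bucket" is refused and "GET object" is allowed; the copy returned by with_list_bucket() allows both.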