copyObject throws Access Denied if source key is not present

[marcindyelp]

Checkboxes for prior research

• I've gone through Developer Guide and API reference
• I've checked AWS Forums and StackOverflow.
• I've searched for previous similar issues and didn't find any solution.

Describe the bug

To perform copyObject according to aws docs, you need s3:GetObject and s3:PutObject permissions. That works fine with only those permissions.
Problem: If source key (file) does not exist in the bucket, API throws misleading error:
AccessDenied: User: arn:aws:sts:#########r is not authorized to perform: s3:ListBucket on resource: "arn:aws:s3:::my_bucket because no identity-based policy allows the s3:ListBucket action
Obviously s3:ListBucket is not needed. Error thrown should be 'key not present, check source...' or anything like that.

Regression Issue

• Select this option if this issue appears to be a regression.

SDK version number

@aws-sdk/client-s3@.3.658.1, CopyObjectCommand

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

node 18.19.0

Reproduction Steps

delete the source file

Observed Behavior

AccessDenied: User: arn:aws:sts:#########r is not authorized to perform: s3:ListBucket on resource: "arn:aws:s3:::my_bucket because no identity-based policy allows the s3:ListBucket action

Expected Behavior

Obviously s3:ListBucket is not needed. Error thrown should be 'key not present, check source...' or anything like that.

Possible Solution

change the error/response from API to user

Additional Information/Context

No response

[aBurmeseDev]

Hi @marcindyelp - thanks for reaching out.

This is something I need to confirm with S3 team but in one S3 docs, it's mentioned that you need s3:ListAllMyBuckets permission to perform CopyObject operation. See here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/copy-object.html#CopyingObjectsExamples

When you initiate a CopyObject operation, S3 needs to verify the existence of the source object in the source bucket. To do this, it needs to list the contents of the source bucket, which requires the s3:ListBucket permission. If the source object doesn't exist, S3 still needs to perform this listing operation to determine that the object doesn't exist and it will return an error if the necessary permission (s3:ListBucket) is not granted.

Best,
John

[github-actions]

This issue has not received a response in 1 week. If you still think there is a problem, please leave a comment to avoid the issue from automatically closing.

[marcindyelp]

so this is false statement: When you initiate a CopyObject operation, S3 needs to verify the existence of the source object in the source bucket. To do this, it needs to list the contents of the source bucket, which requires the s3:ListBucket permission.
and I can prove it. I don't have s3:ListBucket permission and CopyObject operation works fine.
IF file does not exist THEN s3:ListBucket permission is needed.

My point here is, so you:

• updated the docs or
• update misleading API response

[aBurmeseDev]

I appreciate your input and have shared it with the S3 team to enhance the documentation. As the SDK documentation is generated from the upstream service documentation, updates to the SDK docs will be made once the service team addresses the issue at their end.

Please feel free to reach out if you have any other inquiries or concerns.