An error occurred (AccessDenied) when calling the PutObject operationYour AWS credentials donβt have permission for this action.
Why this happens
AWS uses an identity-based access model where every API call is evaluated against IAM policies. If no policy explicitly grants the required permission β or if any policy explicitly denies it β the request is rejected with AccessDenied. This can come from the IAM user/role policy, a resource-based policy (like an S3 bucket policy), or an organization-level Service Control Policy (SCP).
Fix 1: Check your credentials
aws sts get-caller-identityMake sure youβre using the right profile/account.
Fix 2: Check IAM policy
The user/role needs the right permissions. Example for S3:
{
"Effect": "Allow",
"Action": ["s3:PutObject", "s3:GetObject"],
"Resource": "arn:aws:s3:::my-bucket/*"
}Fix 3: Check bucket policy
S3 buckets can have their own policies that deny access:
aws s3api get-bucket-policy --bucket my-bucketFix 4: Check for explicit denies
An explicit Deny always wins over Allow. Check all policies attached to the user/role.
Alternative solutions
Use the IAM Policy Simulator to test whether a specific action is allowed for your user/role without making the actual API call:
aws iam simulate-principal-policy \
--policy-source-arn arn:aws:iam::123456789012:user/myuser \
--action-names s3:PutObject \
--resource-arns arn:aws:s3:::my-bucket/*You can also enable AWS CloudTrail to inspect the exact reason for the denial in the event logs.
Prevention
- Use the principle of least privilege β start with narrow permissions and expand as needed rather than starting wide.
- Test IAM policies with the AWS Policy Simulator before deploying them to production.
Related: AWS CLI: You Must Specify a Region β How to Fix It Β· AWS vs GCP vs Azure β Which Cloud Provider in 2026?