Skip to Content
🚀 SpaceDF v2025.12.19 is now live! Read the release notes
TroubleshootingIssuesAWS S3/SES: Access Denied & Permission Errors

AWS S3/SES: Access Denied

The Problem: Your SpaceDF instance connects to AWS successfully (keys are correct), but actions like Uploading Files or Sending Emails fail because the IAM User lacks the necessary permission policies.

1. Symptoms & Diagnosis

You will see specific error messages in your backend logs depending on which service is blocked.

Run docker compose logs -f backend to check:

ServiceFeature ImpactLog Error Message Example
S3 StorageCannot upload avatars, device images.Access Denied, Status Code: 403
User is not authorized to perform: s3:PutObject
SES EmailRegistration emails or alerts are not sent.MessageRejected
User ... is not authorized to perform: ses:SendEmail

2. The Fix: Add Missing Policies

You do not need to create a new user or generate new keys. You simply need to attach the missing policies to your existing IAM User.

Open AWS IAM Console

1

Log in to your AWS Console.

2

Navigate to IAM > Users .

3

Click on the user name you created for SpaceDF (e.g., spacedf-user).

Attach Permissions

1

Go to the Permissions tab.

2

Click the Add permissions button (Dropdown) > Select Add permissions.

3

Select the box: Attach policies directly.

Select & Save

Search for and check the specific policy matching your error:

  • For S3 Errors: Search S3 > Check AmazonS3FullAccess.
  • For SES Errors: Search SES > Check AmazonSESFullAccess.

Click Next and then Add permissions to confirm.

3. Verification

Once the policies are attached, the effect is immediate (mostly). You can try the action again without restarting SpaceDF.

Still having issues?

    If you added the permissions but still get errors, check:

    • Wrong Keys: Did you accidentally use the keys of a different IAM user in your .env?
    • Bucket Name: For S3, ensure AWS_S3_BUCKET in .env matches your actual bucket name exactly.
    • Sandox Mode: For SES, if you get Email address is not verified, your AWS account might still be in SES Sandbox mode. You must verify the “From” address or request a production limit increase.

Original Setup Guide For the complete setup instructions including screenshots, refer back to the AWS Configuration Section.

Last updated on
Google OAuth: redirect_uri_mismatch