Object Storage access denied when ERP users upload attachments via S3 API with IAM authentication

Our ERP document management system integrates with IBM Cloud Object Storage using the S3 API, but users are suddenly getting ‘AccessDenied’ errors when uploading purchase order attachments. This started happening after we rotated our service credentials last week.

The error occurs specifically when uploading to the ‘erp-documents’ bucket:

HTTP 403 Forbidden
AccessDenied: Access Denied
Bucket: erp-documents
RequestId: 4a2f8c3e-1234-5678

I’ve verified the IAM policy grants ‘Writer’ role to our service ID for Object Storage, and the S3 credentials were regenerated correctly. The bucket exists and our application can list objects, but PUT operations fail. I’m not sure if this is an IAM policy configuration issue, an S3 API integration problem, or something with how the service ID is mapped to bucket permissions. Has anyone encountered similar access issues after credential rotation?

The fact that you can list objects but not upload suggests your IAM policy might have the ‘Reader’ role instead of ‘Writer’, or there’s a resource-specific policy blocking writes. Can you share your IAM policy configuration? Also, when you say you rotated credentials, did you regenerate the HMAC credentials for the service ID, or did you create a new service ID entirely? If you created a new service ID, you need to update the IAM policies to grant that new ID access to the bucket.

That’s likely your issue. When you assign IAM roles at the service instance level, it should grant access to all buckets within that instance, but there are cases where bucket-specific policies or bucket access controls override the service-level policy. Check if your ‘erp-documents’ bucket has any bucket-level IAM policies or access control lists (ACLs) that might be restricting write access. You can view these in the Object Storage console under the bucket’s configuration. Also, verify that the HMAC credentials you regenerated are actually being used by your ERP application - sometimes old credentials get cached in application configs or environment variables.

Just to add some troubleshooting tips for future reference: you can use the Activity Tracker to see the exact IAM policy evaluation that’s causing the AccessDenied error. Look for events with action ‘cloud-object-storage.object.put’ and outcome ‘failure’. The event details will show which policy was evaluated and why it denied access. This is much faster than guessing whether it’s a service-level or bucket-level policy issue.

Here’s the complete solution to resolve your Object Storage access denied issue:

Root Cause: Your ‘erp-documents’ bucket has a bucket-level IAM policy that restricts access to a specific list of service IDs. After rotating HMAC credentials, the service-instance-level ‘Writer’ role wasn’t sufficient because the bucket policy acts as an additional authorization layer that takes precedence.

Solution - IAM Policy Configuration:

  1. Add Service ID to Bucket Policy: Navigate to Object Storage console → ‘erp-documents’ bucket → Configuration → IAM Policies. Add your service ID with appropriate role:

ibmcloud iam service-policy-create erp-storage-service \
  --roles Writer \
  --service-name cloud-object-storage \
  --service-instance INSTANCE_ID \
  --resource-type bucket \
  --resource erp-documents

Alternatively, if using the console, add the service ID ‘erp-storage-service’ with ‘Object Writer’ role specifically for the ‘erp-documents’ bucket resource.

  2. Verify S3 API Integration: Confirm your ERP application is using the newly regenerated HMAC credentials:
  • Access Key ID and Secret Access Key should match the latest HMAC credentials from the service ID
  • Update application configuration or environment variables if credentials are cached
  • Test with a simple S3 PUT operation:

aws s3 cp test.pdf s3://erp-documents/ \
  --endpoint-url=https://s3.us-south.cloud-object-storage.appdomain.cloud

  3. Service ID Mapping Validation: Verify the complete authorization chain:
  • Service ID ‘erp-storage-service’ exists and is active
  • HMAC credentials are bound to this service ID (check in IAM → Service IDs → API Keys)
  • Service-level policy: ‘Writer’ role on Object Storage instance (baseline access)
  • Bucket-level policy: ‘Object Writer’ role on ‘erp-documents’ bucket (specific resource access)

Both policies must be present when bucket-level restrictions exist.

Troubleshooting Commands:

List all policies for your service ID:

ibmcloud iam service-policies erp-storage-service

Check Activity Tracker for policy evaluation failures:

  • Filter: action=‘cloud-object-storage.object.put’ AND outcome=‘failure’
  • Review ‘reason’ field for specific policy denial details
  • Look for ‘requestData.bucketName=erp-documents’ to confirm bucket-specific denials

Best Practices:

  1. Document all bucket-level IAM policies in your team’s runbook
  2. When rotating credentials, verify both service-level AND bucket-level policies
  3. Use Activity Tracker for real-time IAM policy evaluation debugging
  4. Consider using resource groups and access groups to simplify policy management across multiple buckets
  5. Test credential changes in a non-production bucket first

Validation: After adding the service ID to the bucket policy:

  • ERP users should successfully upload purchase order attachments
  • No more HTTP 403 AccessDenied errors
  • Activity Tracker should show ‘cloud-object-storage.object.put’ events with outcome=‘success’

This configuration ensures your service ID has explicit access at both the service instance and bucket resource levels, which is required when bucket-level policies are in place.
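An added example, not code from this thread or from IBM: the triage the replies describe (filter Activity Tracker events for ‘cloud-object-storage.object.put’ failures on the bucket and compare them with what the same service ID can still do) as a script you can run offline over an exported event stream. The event layout is constructed from the field names the thread mentions (action, outcome, initiator, requestData.bucketName, reason) and is an assumption; check the key names against a real export before relying on them. It also goes a step beyond the thread: by checking whether the same initiator can still PUT to other buckets in the instance, it separates a bucket-scoped deny from a Reader-only role and from credentials that never work at all.

```python
import json
from collections import defaultdict

PUT_ACTION = "cloud-object-storage.object.put"
LIST_ACTION = "cloud-object-storage.bucket.list"

# Constructed sample events (not real Activity Tracker output); one JSON
# document per line, carrying only the fields this script reads. The key
# names follow the thread (requestData.bucketName, reason, initiator) and
# are an assumption about the real schema.
SAMPLE_EVENTS = """
{"action": "cloud-object-storage.bucket.list", "outcome": "success", "initiator": {"name": "erp-storage-service"}, "requestData": {"bucketName": "erp-documents"}, "reason": {"reasonCode": 200}}
{"action": "cloud-object-storage.object.put", "outcome": "failure", "initiator": {"name": "erp-storage-service"}, "requestData": {"bucketName": "erp-documents"}, "reason": {"reasonCode": 403, "reasonType": "AccessDenied"}}
{"action": "cloud-object-storage.object.put", "outcome": "failure", "initiator": {"name": "erp-storage-service"}, "requestData": {"bucketName": "erp-documents"}, "reason": {"reasonCode": 403, "reasonType": "AccessDenied"}}
{"action": "cloud-object-storage.object.put", "outcome": "success", "initiator": {"name": "erp-storage-service"}, "requestData": {"bucketName": "erp-scratch"}, "reason": {"reasonCode": 200}}
{"action": "cloud-object-storage.bucket.list", "outcome": "success", "initiator": {"name": "report-reader"}, "requestData": {"bucketName": "erp-documents"}, "reason": {"reasonCode": 200}}
{"action": "cloud-object-storage.object.put", "outcome": "failure", "initiator": {"name": "report-reader"}, "requestData": {"bucketName": "erp-documents"}, "reason": {"reasonCode": 403, "reasonType": "AccessDenied"}}
{"action": "cloud-object-storage.object.put", "outcome": "failure", "initiator": {"name": "old-erp-service"}, "requestData": {"bucketName": "erp-documents"}, "reason": {"reasonCode": 403, "reasonType": "AccessDenied"}}
{"action": "cloud-object-storage.bucket.list", "outcome": "failure", "initiator": {"name": "old-erp-service"}, "requestData": {"bucketName": "erp-documents"}, "reason": {"reasonCode": 403, "reasonType": "AccessDenied"}}
"""


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank and malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one bad export line should not abort the whole triage
    return events


def tally(events, bucket):
    """Per initiator: what succeeded and failed on `bucket` vs. other buckets."""
    stats = defaultdict(lambda: {"list_ok": 0, "put_ok": 0, "put_denied": 0,
                                 "put_ok_elsewhere": 0, "reasons": set()})
    for ev in events:
        who = ev.get("initiator", {}).get("name", "<unknown>")
        action = ev.get("action")
        ok = ev.get("outcome") == "success"
        target = ev.get("requestData", {}).get("bucketName")
        s = stats[who]
        if action == PUT_ACTION and target == bucket:
            if ok:
                s["put_ok"] += 1
            else:
                s["put_denied"] += 1
                s["reasons"].add(ev.get("reason", {}).get("reasonType", "unknown"))
        elif action == PUT_ACTION and ok:
            s["put_ok_elsewhere"] += 1  # Writer role demonstrably works somewhere
        elif action == LIST_ACTION and target == bucket and ok:
            s["list_ok"] += 1
    return stats


def diagnose(events, bucket):
    """Map each initiator with PUT denials on `bucket` to the most likely cause."""
    verdicts = {}
    for who, s in tally(events, bucket).items():
        if s["put_denied"] == 0:
            continue
        if s["put_ok_elsewhere"]:
            # Instance-level Writer is fine; this bucket has its own deny (policy/ACL).
            verdicts[who] = "bucket-scoped"
        elif s["list_ok"]:
            # Can list but never write anywhere seen: role is probably Reader.
            verdicts[who] = "read-only"
        else:
            # Nothing succeeds: stale/unbound credentials or the wrong service ID.
            verdicts[who] = "no-access"
    return verdicts


if __name__ == "__main__":
    for who, verdict in diagnose(parse_events(SAMPLE_EVENTS), "erp-documents").items():
        print(f"{who}: {verdict}")
```

Feed it a real export instead of SAMPLE_EVENTS and the ‘bucket-scoped’ verdict is the one that points at the bucket-level policy the accepted answer describes; ‘read-only’ points at the role on the instance policy, and ‘no-access’ says to check which credentials the application is actually sending before touching any policy.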