s3 cp with dryrun flag does not properly check IAM permissions #9935

@berky2755

Describe the bug

The s3 cp command with --dryrun doesn't properly fail when IAM permissions don't allow the command, i.e.:

aws s3 cp {my-local-file} 's3://restricted-bucket/{remote-file}' --dryrun

will succeed (exit code 0), even if the same command without the dryrun flag fails with an unauthorized error. This is not true of the reverse (download vs upload), and sync dryrun works properly.

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

The --dryrun flag should properly validate IAM permissions to upload an object and exit with the proper code

Current Behavior

Upload

$ aws s3 cp {my-local-file} 's3://restricted-bucket/{remote-file}' --dryrun
(dryrun) upload: ./{my-local-file} to s3://restricted-bucket/{remote-file}

$ echo $?
0

$ aws s3 cp {my-local-file} 's3://restricted-bucket/{remote-file}'
upload failed: ./{my-local-file} to s3://restricted-bucket/{remote-file} An error occurred (AccessDenied) when calling the PutObject operation: User: arn:aws:sts::{account}:assumed-role/{role-name}/{user-name} is not authorized to perform: s3:PutObject on resource: "arn:aws:s3:::restricted-bucket/{remote-file}" because no identity-based policy allows the s3:PutObject action

$ echo $?
1

Download

$ aws s3 cp 's3://restricted-bucket/{remote-file}' {my-local-file} --dryrun
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden

$ echo $?
1

Reproduction Steps

Create a bucket that has restrictive permissions for the test user.
Run the aws s3 cp commands as described (dryrun vs no dryrun).
Observe the behavior.

Possible Solution

The dryrun flag should validate whether or not the user has permissions to be able to perform the command. It should behave similarly to all other AWS CLI commands and return a proper error message and exit code.

Additional Information/Context

No response

CLI version used

2.30.4

Environment details (OS name and version, etc.)

AWS Linux 2023.9.20251208
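
Added example (not part of the issue and not AWS CLI project code): a pre-flight check that a script can use instead of the upload `--dryrun` exit code, asking the IAM policy simulator whether `s3:PutObject` is allowed on the destination. The function names are hypothetical. It assumes the caller may use `sts:GetCallerIdentity` and `iam:SimulatePrincipalPolicy`, that an assumed role has no IAM path, and that only the principal's own policies need checking (the bucket policy is not evaluated).

```shell
#!/bin/sh
# Pre-flight authorization check for an S3 upload that does not depend on
# the exit code of `aws s3 cp --dryrun`. All function names are hypothetical.

# s3://bucket/key -> arn:aws:s3:::bucket/key (returns 2 for anything else).
s3_uri_to_arn() (
  path=${1#s3://}
  if [ "$path" = "$1" ] || [ -z "$path" ]; then
    echo "not an s3:// URI: $1" >&2
    exit 2
  fi
  printf 'arn:aws:s3:::%s\n' "$path"
)

# The policy simulator wants an IAM user/role ARN, not an STS session ARN:
# arn:aws:sts::ACCT:assumed-role/NAME/SESSION -> arn:aws:iam::ACCT:role/NAME
# Assumption: the role has no IAM path (the session ARN does not carry it).
principal_arn() (
  caller=$1
  case "$caller" in
    arn:*:sts::*:assumed-role/*/*)
      partition=${caller#arn:};       partition=${partition%%:*}
      account=${caller#arn:*:sts::};  account=${account%%:*}
      role=${caller#*:assumed-role/}; role=${role%%/*}
      printf 'arn:%s:iam::%s:role/%s\n' "$partition" "$account" "$role" ;;
    *) printf '%s\n' "$caller" ;;     # IAM user ARNs pass through unchanged
  esac
)

# Exit 0 if the current identity's policies allow s3:PutObject on the
# destination, 1 if they deny it, 2 if the check itself could not run.
can_put_object() (
  resource=$(s3_uri_to_arn "$1") || exit 2
  caller=$(aws sts get-caller-identity --query Arn --output text) || exit 2
  decision=$(aws iam simulate-principal-policy \
    --policy-source-arn "$(principal_arn "$caller")" \
    --action-names s3:PutObject \
    --resource-arns "$resource" \
    --query 'EvaluationResults[0].EvalDecision' --output text) || exit 2
  [ "$decision" = "allowed" ] && exit 0
  echo "s3:PutObject on $resource: $decision" >&2
  exit 1
)

# Usage: can_put_object "s3://bucket/key" && aws s3 cp ./file "s3://bucket/key"
```
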

Labels

bug, needs-review, p2, s3
