amazon-web-services visual-studio-code amazon-s3 aws-toolkit

Access Denied from S3 explorer

I'm evaluating S3 GUI alternatives. Starting with the S3 Explorer of the AWS Toolkit for VS Code, I want to display the contents of a bucket. I created a string object using the Java SDK, and I can see it using aws s3 ls s3://mybucket. But when I expand the S3 section in the explorer view of the AWS Toolkit I get

Failed to load resources (click for logs)

and in the log file

...
code: 'AccessDenied',
region: null,
time: 2023-11-28T14:26:07.355Z,
requestId: 'CB5GVTG1Q0TXJTWC',
extendedRequestId: '65sml50+g5jZ8PposW0TVODKc57tHhyKbxZqvfeBOj6nwKo8saDferYFTK7oY/EyLPPHbuvRIWE=', cfId: undefined,
statusCode: 403, ...

I noticed that the region is null. For aws configure I gave a default region. How to do that in VS Code? What else could I be missing?

EDIT: Here's a screen of the Explorer view:

This is the content of .aws\config:

[default]
region = eu-central-1

And .aws\credentials looks like this:

[default]
aws_access_key_id = MYACCESSKEYID
aws_secret_access_key = XXXXXXXXXXXXXXXXXXXX

which I understand are also used by the AWS CLI that works as expected. This is from the log file:

2023-12-01 14:02:32 [ERROR]: [AccessDenied: Access Denied
    at constructor.extractError (c:\Users\siggi\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-1.100.0\dist\src\main.js:42:10391)
    at constructor.callListeners (c:\Users\siggi\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-1.100.0\dist\src\main.js:39:21245)
    at constructor.emit (c:\Users\siggi\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-1.100.0\dist\src\main.js:39:20954)
    at constructor.emitEvent (c:\Users\siggi\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-1.100.0\dist\src\main.js:39:6815)
    at constructor.I (c:\Users\siggi\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-1.100.0\dist\src\main.js:39:2360)
    at G.runTo (c:\Users\siggi\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-1.100.0\dist\src\main.js:53:1767)
    at c:\Users\siggi\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-1.100.0\dist\src\main.js:53:1979
    at constructor.<anonymous> (c:\Users\siggi\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-1.100.0\dist\src\main.js:39:2571)
    at constructor.<anonymous> (c:\Users\siggi\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-1.100.0\dist\src\main.js:39:6870)
    at constructor.callListeners (c:\Users\siggi\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-1.100.0\dist\src\main.js:39:21349)
    at constructor.emit (c:\Users\siggi\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-1.100.0\dist\src\main.js:39:20954)
    at constructor.emitEvent (c:\Users\siggi\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-1.100.0\dist\src\main.js:39:6815)
    at constructor.I (c:\Users\siggi\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-1.100.0\dist\src\main.js:39:2360)
    at G.runTo (c:\Users\siggi\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-1.100.0\dist\src\main.js:53:1767)
    at c:\Users\siggi\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-1.100.0\dist\src\main.js:53:1979
    at constructor.<anonymous> (c:\Users\siggi\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-1.100.0\dist\src\main.js:39:2571)
    at constructor.<anonymous> (c:\Users\siggi\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-1.100.0\dist\src\main.js:39:6870)
    at constructor.callListeners (c:\Users\siggi\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-1.100.0\dist\src\main.js:39:21349)
    at I (c:\Users\siggi\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-1.100.0\dist\src\main.js:39:21130)
    at IncomingMessage.<anonymous> (c:\Users\siggi\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-1.100.0\dist\src\main.js:32:41916)
    at IncomingMessage.emit (node:events:525:35)
    at IncomingMessage.emit (node:domain:489:12)
    at endReadableNT (node:internal/streams/readable:1359:12)
    at process.processTicksAndRejections (node:internal/process/task_queues:82:21)] {
  code: 'AccessDenied',
  region: null,
  time: 2023-12-01T13:02:32.993Z,
  requestId: '2T3HKNESNHYQY6TC',
  extendedRequestId: 'khcp9BedKWf28q/6iIVB+3M3EBFVT7bblfFmfRFWWSqOchCrR3QKozHCLB6Y085zoKQCK7r2PXw=',
  cfId: undefined,
  statusCode: 403,
  retryable: false,
  retryDelay: 14.865983225304946
}

Solution

Check that you can list S3 buckets

I can see it using aws s3 ls s3://mybucket

Does aws s3 ls (not aws s3 ls s3://...) list your buckets? AWS Toolkit needs permission to list all buckets. You may have permission to list the contents of a specific bucket, but cannot list all buckets.

Check your AWS region

When you connect the Explorer in AWS Toolkit, the Connected with ... label shows which profile is selected:

You can click the Connected with ... label, or run the vscode command AWS: Connect to AWS, to list all credentials that AWS Toolkit found, and where it found them.

If your profile in ~/.aws/ has a region=... item, AWS Toolkit will use that. Else it defaults to us-east-1.