Reputation: 1702
Access Denied upload to s3
I tried uploading to s3 and when I see the logs from the s3 bucket logs this is what it says:
mybucket-me [17/Oct/2013:08:18:57 +0000] 120.28.112.39
arn:aws:sts::778671367984:federated-user/[email protected] BB3AA9C408C0D26F
REST.POST.BUCKET avatars/dean%2540player.com/4.png "POST / HTTP/1.1" 403
AccessDenied 231 - 132 - "http://localhost:8080/ajaxupload/test.html" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.52 Safari/537.17" -
I got an access denied. From where it's pointing I think the only thing that I'm missing out is adding of bucket policy. So here goes.
Using my email I could log in to my app and upload an avatar. The bucket name where I want to put my avatar is mybucket-me and in that it has a sub bucket named avatars.
-mybucket-me
-avatars
[email protected] //dynamic based on who are logged in
-myavatar.png //image uploaded
How do I add a bucket policy so I could grant a federated such as I to upload in s3 or what is the correct statement that I will add on my bucket policy so it could grant me a permission to upload into our bucket?
Upvotes: 21
Views: 58297
Answers (4)
Reputation: 111
if you are using programmatic access using credential or aws-sdk with any server then try to comment ACL:public-read then everything works fine without any changes if IAM has already permission to (crud) itself
enjoy ! no more google
Upvotes: 1
Reputation: 11067
2019+
You now either have to:
- Set Block new public ACLs and uploading public objects to false if your items are public (top left policie in the picture)
- Set
acl: 'private'when uploading your image if your items are private
Example in Node.js:
const upload = multer({
storage: multerS3({
s3: s3,
bucket: 'moodboard-img',
acl: 'private',
metadata: function (req, file, cb) {
cb(null, {fieldName: file.fieldname});
},
key: function (req, file, cb) {
cb(null, Date.now().toString())
}
})
})
Upvotes: 26
Reputation: 166389
To upload to S3 bucket, you need to Add/Create IAM/Group Policy, for example:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::test"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3:::test/*"]
}
]
}
Where arn:aws:s3:::test is your Amazon Resource Name (ARN).
Source: Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket
Related:
- Specifying Resources in a Policy
- How to provide a user to access only a particular bucket in AWS S3?
Upvotes: 12
Reputation: 7440
You can attach the following policy to the bucket:
{
"Version": "2008-10-17",
"Id": "Policy1358656005371",
"Statement": [
{
"Sid": "Stmt1354655992561",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:sts::778671367984:federated-user/[email protected]"
]
},
"Action": [
"s3:List*",
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::my.bucket",
"arn:aws:s3:::my.bucket/*"
]
}
]
}
to grant the federated user [email protected] read-only permissions to 'my.bucket'.
This policy is not very maintainable because it names this user in particular. To give access to only certain federated users in a more scalable way, it would be better to do this when you call GetFederationToken. If you post your STS code I can help you assigning the policy there, but it is very similar to the above.
Upvotes: 7
Related Questions
- AWS S3 browser upload getting Access Denied error
- "You don't have permission to upload files" - AWS S3 bucket
- AWS: s3 bucket policy does not give IAM user access to upload to bucket, throws 403 error
- Access denied when uploading a document, how to set permission profile and bucket policy?
- "Permission denied" exception when I try uploading to S3 bucket from EC2 instance
- access denied when putting a bucket policy
- Why S3 Bucket upload showing Options Request Denied?
- Access Denied Error uploading object to s3 bucket
- AWS S3 Bucket policy Access Denyed
- AWS bucket policy- permission denied