Franky_frankly

Reputation: 371

Amazon S3: GetObject Request throwing an exception "Access denied" 403

I've just started to work with Amazon S3 in my ASP.NET project. I can upload images, delete them, and show them in the browser. But when I was trying to get an image object from code-behind by a simple GetObjectRequest to load it into a simple stream, I got an exception "Access denied: The remote server returned an error: (403) Forbidden.". And it's very strange because I can delete an object but have no access to get it?

Here is my Get Request code:

using Amazon;
using Amazon.S3;
using Amazon.S3.Model;

// Credentials come from the SDK's default chain (app config, environment, profile).
using (var client = new AmazonS3Client(Amazon.RegionEndpoint.EUWest1))
{
    GetObjectRequest request = new GetObjectRequest
    {
       BucketName = bucketName,
       Key = keyName
    };
    // This is the call that throws the AmazonS3Exception with status 403 (Forbidden).
    GetObjectResponse response = client.GetObject(request);
    return response.ResponseStream;
}

Which doesn't work. And this DELETE request works correctly:

// Same AmazonS3Client and the same credentials as above.
DeleteObjectRequest deleteObjectRequest = new DeleteObjectRequest
{
   BucketName = bucketName,
   Key = keyName
};
client.DeleteObject(deleteObjectRequest);

I think that it could be a problem with my bucket policy, but I don't understand what exactly:

{
  "Version": "2008-10-17",
  "Id": "Policy1437483839592",
  "Statement": [
    {
      "Sid": "Stmt1437483828676",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::ama.dyndns.tv/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "MyIP",
            "MyTeammateIP"
          ]
        }
      }
    },
    {
      "Sid": "Givenotaccessifrefererisnomysites",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::ama.dyndns.tv/*",
      "Condition": {
        "StringNotLike": {
          "aws:Referer": [
            "MyIP",
            "MyTeammateIP"
          ]
        }
      }
    }
  ]
}

Upvotes: 2

Views: 5240

Answers (2)

Steven Muschler

Reputation: 51

If the object does not exist and the executing code does not have ListBucket permission, then a 403 will be returned even if the calling code has GetObject permissions.

Take a look at the permissions section: http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectGET.html

Upvotes: 3

Michael - sqlbot

Reputation: 179374

Your first bucket policy statement allows a GET request when the Referer: HTTP request header's value is present and matches one of the supplied values. (Note that this is a very primitive access control mechanism, as the header is easily forged).

The second policy denies requests where the referer doesn't match any value from the supplied list.

The referer is nothing more than a request header sent by the browser or HTTP user agent library. When you are sending your GET request from code, there's not going to be a referer header present, unless you forge one yourself, as part of the request. Any matching Deny policy overrides not only any matching Allow policy... it also overrides any authentication credentials you supply. Hence, the problem.

If you don't set the acl on the object to something that allows public access (such as x-amz-acl: public-read) then the Deny policy is unnecessary. The object will not be downloadable in that case, because the deny is implicit unless the Allow policy is matched or you provide valid authentication credentials. Everything is denied by default in S3 unless you allow it via the object permissions/acl, bucket policy, or IAM user policy, and even if you do, a matching explicit Deny always prevails.

Upvotes: 2
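The evaluation order described in this answer (any matching explicit Deny wins, then any Allow, otherwise implicit deny) is what makes the question's policy block an authenticated SDK call while a browser request and a forged-Referer curl request both get through. The following is an added example, not code from the question or from AWS: a deliberately small model of that evaluation, supporting only Allow/Deny with StringLike/StringNotLike on aws:Referer, run against the question's policy. The Referer pattern "http://ama.dyndns.tv/*", the object key, and the IAM identity policy standing in for "valid authentication credentials" are constructed for the example; the real S3 evaluator also handles ACLs, Principal matching and many other operators that this model ignores.

```python
"""Simplified model of S3 bucket-policy evaluation (added example, not AWS's evaluator).

Models only what the answer above discusses:
  * StringLike / StringNotLike on the aws:Referer condition key,
  * the negated operator matching when the key is absent from the request,
  * explicit Deny beating every Allow, including an IAM identity-policy Allow
    that stands in for "valid authentication credentials".
"""
import fnmatch

# Constructed stand-in for the question's "MyIP"/"MyTeammateIP" placeholders.
SITE_REFERERS = ["http://ama.dyndns.tv/*"]
OBJECT_ARN = "arn:aws:s3:::ama.dyndns.tv/images/photo.jpg"  # constructed key

# The question's bucket policy, with the placeholder Referer values replaced.
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::ama.dyndns.tv/*",
     "Condition": {"StringLike": {"aws:Referer": SITE_REFERERS}}},
    {"Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::ama.dyndns.tv/*",
     "Condition": {"StringNotLike": {"aws:Referer": SITE_REFERERS}}},
]}

# Hypothetical IAM policy attached to the credentials the ASP.NET app runs with.
IAM_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::ama.dyndns.tv/*"},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """StringLike needs the key present and one pattern matching.
    StringNotLike is satisfied when the key is absent OR no pattern matches,
    which is why an SDK call with no Referer header trips the Deny."""
    for operator, clauses in condition.items():
        for key, patterns in clauses.items():
            value = context.get(key)
            hit = value is not None and any(
                fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))
            if operator == "StringLike" and not hit:
                return False
            if operator == "StringNotLike" and hit:
                return False
            if operator not in ("StringLike", "StringNotLike"):
                raise NotImplementedError(operator)
    return True


def _statement_applies(stmt, action, resource, context):
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_matches(stmt.get("Condition", {}), context)


def evaluate(action, resource, context, bucket_policy, identity_policy=None):
    """Return "Allow" or "Deny": explicit Deny from any policy wins, then any
    Allow, otherwise implicit deny. identity_policy=None means an anonymous caller."""
    statements = list(bucket_policy["Statement"])
    if identity_policy is not None:
        statements += identity_policy["Statement"]
    effects = {s["Effect"] for s in statements
               if _statement_applies(s, action, resource, context)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"


def without_deny(policy):
    """The fix suggested in the answer: drop the Deny statement entirely."""
    return {"Statement": [s for s in policy["Statement"] if s["Effect"] != "Deny"]}


def run_scenarios():
    browser = {"aws:Referer": "http://ama.dyndns.tv/gallery"}  # <img> tag on the site
    sdk_call = {}                                              # AmazonS3Client sends no Referer
    forged = {"aws:Referer": "http://ama.dyndns.tv/"}           # curl -H 'Referer: ...'
    get, delete = "s3:GetObject", "s3:DeleteObject"
    return {
        "browser, anonymous": evaluate(get, OBJECT_ARN, browser, BUCKET_POLICY),
        "sdk, authenticated": evaluate(get, OBJECT_ARN, sdk_call, BUCKET_POLICY, IAM_POLICY),
        "sdk delete, authenticated": evaluate(delete, OBJECT_ARN, sdk_call, BUCKET_POLICY, IAM_POLICY),
        "forged referer, anonymous": evaluate(get, OBJECT_ARN, forged, BUCKET_POLICY),
        "sdk, authenticated, Deny removed": evaluate(get, OBJECT_ARN, sdk_call, without_deny(BUCKET_POLICY), IAM_POLICY),
        "sdk, anonymous, Deny removed": evaluate(get, OBJECT_ARN, sdk_call, without_deny(BUCKET_POLICY)),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:40s} {decision}")
```

The scenarios reproduce the question exactly: the authenticated GetObject is denied while the authenticated DeleteObject succeeds, because the Deny statement names only s3:GetObject. Removing the Deny lets the credentialed call through while an anonymous call without a Referer still falls to the implicit deny, and the forged-Referer case shows why the Allow statement provides no real access control.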
