Reputation: 371
I've just started to work with Amazon S3 in my ASP.NET project. I can upload images, delete them, and show them in the browser. But when I was trying to get an image object from code-behind by a simple GetObjectRequest to load it into a simple stream, I got an exception "Access denied: The remote server returned an error: (403) Forbidden.". And it's very strange because I can delete an object but have no access to get it?
Here is my Get Request code:
using System.IO;
using Amazon.S3;
using Amazon.S3.Model;

// Fetches the object and hands its body back as a stream.
// The 403 is thrown by client.GetObject(), not by reading the stream.
public Stream GetImage(string bucketName, string keyName)
{
    using (var client = new AmazonS3Client(Amazon.RegionEndpoint.EUWest1))
    {
        GetObjectRequest request = new GetObjectRequest
        {
            BucketName = bucketName,
            Key = keyName
        };
        GetObjectResponse response = client.GetObject(request);
        return response.ResponseStream;
    }
}
Which doesn't work. And this DELETE request works correct
// Same client, same bucket and key; this call succeeds.
DeleteObjectRequest deleteObjectRequest = new DeleteObjectRequest
{
    BucketName = bucketName,
    Key = keyName
};
client.DeleteObject(deleteObjectRequest);
I think that it could be a problem with my bucket policy, but i don't understand what exactly
{
  "Version": "2008-10-17",
  "Id": "Policy1437483839592",
  "Statement": [
    {
      "Sid": "Stmt1437483828676",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::ama.dyndns.tv/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "MyIP",
            "MyTeammateIP"
          ]
        }
      }
    },
    {
      "Sid": "Givenotaccessifrefererisnomysites",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::ama.dyndns.tv/*",
      "Condition": {
        "StringNotLike": {
          "aws:Referer": [
            "MyIP",
            "MyTeammateIP"
          ]
        }
      }
    }
  ]
}
Upvotes: 2
Views: 5240
Reputation: 51
If the object does not exist and the executing code does not have ListBucket permission, then a 403 will be returned even if the calling code has GetObject permission.
Take a look at the permissions section: http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectGET.html
Upvotes: 3
Reputation: 179374
Your first bucket policy statement allows a GET request when the Referer: HTTP request header's value is present and matches one of the supplied values. (Note that this is a very primitive access control mechanism, as the header is easily forged.)

The second policy denies requests where the referer doesn't match any value from the supplied list.

The referer is nothing more than a request header sent by the browser or HTTP user agent library. When you are sending your GET request from code, there's not going to be a referer header present, unless you forge one yourself, as part of the request. Any matching Deny policy overrides not only any matching Allow policy... it also overrides any authentication credentials you supply. Hence, the problem.

If you don't set the acl on the object to something that allows public access (such as x-amz-acl: public-read) then the Deny policy is unnecessary. The object will not be downloadable in that case, because the deny is implicit unless the Allow policy is matched or you provide valid authentication credentials. Everything is denied by default in S3 unless you allow it via the object permissions/acl, bucket policy, or IAM user policy, and even if you do, a matching explicit Deny always prevails.
Upvotes: 2
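As an added illustration (not part of either answer, and not AWS or SDK code), the following Python models the evaluation order the answer above describes and replays the question's own bucket policy against the requests discussed in the thread: the GetObjectRequest from code-behind (IAM credentials, no Referer header), the DeleteObjectRequest that works, a browser request from one of the listed sites, and a request with a hand-set Referer. The ordering (a matching explicit Deny first, then any Allow from the bucket policy or the caller's own IAM permissions, otherwise implicit deny) and the rule that a negated operator such as StringNotLike is satisfied when the key is absent follow the documented IAM logic; everything else is a simplification (principal matching is skipped because both statements use "AWS": "*", only StringLike/StringNotLike are modelled), the Id and Sid fields are dropped, and the object key under the bucket is constructed.

```python
"""Toy evaluator for the question's bucket policy (added example, not the answerer's code).

Models only the coarse rule the answer describes: a matching explicit Deny wins,
otherwise any matching Allow (bucket policy or the caller's own IAM permissions)
grants access, otherwise the request is implicitly denied.
"""
import json
import re

# The question's policy with Id/Sid omitted. "MyIP" and "MyTeammateIP" are the
# question's own placeholders and are matched literally here.
BUCKET_POLICY = json.loads("""{
  "Version": "2008-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::ama.dyndns.tv/*",
     "Condition": {"StringLike": {"aws:Referer": ["MyIP", "MyTeammateIP"]}}},
    {"Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::ama.dyndns.tv/*",
     "Condition": {"StringNotLike": {"aws:Referer": ["MyIP", "MyTeammateIP"]}}}
  ]
}""")

# Constructed object key under the question's bucket (assumption for the demo).
RESOURCE = "arn:aws:s3:::ama.dyndns.tv/images/photo.jpg"


def _like(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return [v] if isinstance(v, str) else list(v)


def _condition_holds(condition, context):
    """Every operator/key pair in the Condition block must be satisfied."""
    for operator, pairs in condition.items():
        if operator not in ("StringLike", "StringNotLike"):
            raise ValueError("operator not modelled: " + operator)
        for key, patterns in pairs.items():
            value = context.get(key)
            matched = value is not None and any(_like(p, value) for p in _as_list(patterns))
            if operator == "StringLike" and not matched:
                return False
            if operator == "StringNotLike" and matched:
                # Negated operator: an absent key (no Referer header) satisfies it,
                # which is exactly why an SDK call trips the Deny statement.
                return False
    return True


def _statement_matches(stmt, action, resource, context):
    return (any(_like(a, action) for a in _as_list(stmt["Action"]))
            and any(_like(r, resource) for r in _as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition", {}), context))


def evaluate(policy, action, resource, context, identity_allows=False):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _statement_matches(s, action, resource, context)}
    if "Deny" in effects:
        return "ExplicitDeny"  # beats the caller's credentials and every Allow
    if "Allow" in effects or identity_allows:
        return "Allow"
    return "ImplicitDeny"


def scenarios(policy):
    """The requests discussed in the thread, evaluated against `policy`."""
    get, delete = "s3:GetObject", "s3:DeleteObject"
    return {
        # GetObjectRequest from code-behind: IAM credentials, no Referer header
        "sdk_get_with_credentials": evaluate(policy, get, RESOURCE, {}, identity_allows=True),
        # DeleteObjectRequest from the same code: no statement names s3:DeleteObject
        "sdk_delete_with_credentials": evaluate(policy, delete, RESOURCE, {}, identity_allows=True),
        # <img> on a listed site: the browser sends the Referer header
        "browser_from_listed_site": evaluate(policy, get, RESOURCE, {"aws:Referer": "MyIP"}),
        # Anyone who sets the header by hand gets the same result (the forging caveat)
        "anonymous_forged_referer": evaluate(policy, get, RESOURCE, {"aws:Referer": "MyTeammateIP"}),
        # Anonymous request with no Referer at all
        "anonymous_no_referer": evaluate(policy, get, RESOURCE, {}),
    }


def without_deny(policy):
    """The same policy with the Deny statement dropped, as the answer suggests."""
    return {"Version": policy["Version"],
            "Statement": [s for s in policy["Statement"] if s["Effect"] != "Deny"]}


if __name__ == "__main__":
    for name, result in scenarios(BUCKET_POLICY).items():
        print("original policy:", name, "->", result)
    for name, result in scenarios(without_deny(BUCKET_POLICY)).items():
        print("deny removed:   ", name, "->", result)
```

With the original policy the SDK GetObject lands on ExplicitDeny while the SDK DeleteObject is allowed by the caller's own credentials, which is the asymmetry the question reports; the forged-Referer row shows why the answer calls the mechanism primitive. With the Deny statement removed, the credentialed GetObject is allowed and the anonymous no-Referer request still fails, now by implicit deny, so nothing is lost by dropping the Deny as long as the object ACL is not public.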