Reputation: 181
I'm following this tutorial to deploy a simple photo uploading service to an S3 bucket.
I created a new role with the following policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME/*"
            ]
        }
    ]
}
Granted all authorized AWS users list and read/write access in the bucket, and set the following CORS configuration:
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <AllowedMethod>DELETE</AllowedMethod>
        <AllowedMethod>HEAD</AllowedMethod>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
</CORSConfiguration>
Generated a new Cognito identity pool and ran the script in the link above. It runs successfully, it opens a new album and I can see it in the S3 console, but when I try to upload a photo into the album I get the error:
BUCKET_NAME.amazonaws.com/ALBUM_NAME//PHOTO_NAME.jpeg?uploads:1 POST https://BUCKET_NAME.amazonaws.com/ALBUM_NAME//PHOTO_NAME.jpeg?uploads 403 (Forbidden)
When I try to access the link generated by the script, I get this XML:
<Error>
    <Code>InvalidRequest</Code>
    <Message>
        Key is not expected for the GET method ?uploads subresource
    </Message>
    <RequestId>******</RequestId>
    <HostId>
        ******
    </HostId>
</Error>
Any idea why this problem occurs?
Upvotes: 0
Views: 5038
Reputation: 8650
This is old but just in case someone stumbles onto it when working with Cognito uploads.
In my case the problem was that the region of my S3 bucket (us-east-1) is different than the Cognito server region (eu-west-1). Most examples online only set one region and the upload uses the same region by default.
So in JavaScript, to authenticate you need to set the Cognito region:
AWS.config.region = 'eu-west-1'; // Cognito Region
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'eu-west-1:51a4f410-7694-4222-89b5-...',
});
Then before upload you set your S3 Bucket region:
var s3 = new AWS.S3({
    region: 'us-east-1', // Bucket region
    apiVersion: '2006-03-01',
    params: {Bucket: [BUCKET-NAME]}
});
Upvotes: 0
Reputation: 11
I too had the same issue. Instead of removing ACL:'public-read' I changed it to 'public-read-write' and it worked. I can only assume since the bucket policy is read write, trying to set it to read only caused a conflict...but just guessing.
Upvotes: 1
Reputation: 4491
You're missing part of the privileges for the s3 bucket.
In this example, you want to grant an IAM user in your AWS account access to one of your buckets, examplebucket, and allow the user to add, update, and delete objects.
In addition to granting the s3:PutObject, s3:GetObject, and s3:DeleteObject permissions to the user, the policy also grants the s3:ListAllMyBuckets, s3:GetBucketLocation, and s3:ListBucket permissions. These are the additional permissions required by the console. For an example walkthrough that grants permissions to users and tests them using the console, see An Example Walkthrough: Using user policies to control access to your bucket.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::examplebucket"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::examplebucket/*"
        }
    ]
}
http://docs.aws.amazon.com/AmazonS3/latest/dev/example-policies-s3.html
Upvotes: 1
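The point of the answer above is that bucket-level actions such as s3:ListBucket and s3:GetBucketLocation must be granted on the bucket ARN itself, not on the "bucket/*" object ARN that the question's policy uses. The following added example (not from the question, the answers, or the AWS SDK) is a small offline checker that evaluates a policy document against the actions the upload flow needs, using IAM wildcard semantics for Action and Resource with an explicit Deny overriding Allow; the bucket name "examplebucket" and the object key are constructed, and NotAction, Principal and Condition elements are not handled.

```javascript
// Convert an IAM wildcard pattern ('*' = any run, '?' = one char) to a RegExp.
// Action names are case-insensitive in IAM; resource ARNs are case-sensitive.
function globToRegExp(pattern, ignoreCase) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp('^' + escaped + '$', ignoreCase ? 'i' : '');
}

function matches(patterns, value, ignoreCase) {
  const list = Array.isArray(patterns) ? patterns : [patterns];
  return list.some((p) => globToRegExp(p, ignoreCase).test(value));
}

// Allowed only if some Allow statement matches and no Deny statement matches.
function isAllowed(policy, action, resource) {
  let allowed = false;
  for (const stmt of policy.Statement) {
    if (!matches(stmt.Action, action, true)) continue;
    if (!matches(stmt.Resource, resource, false)) continue;
    if (stmt.Effect === 'Deny') return false;
    if (stmt.Effect === 'Allow') allowed = true;
  }
  return allowed;
}

// Constructed list of (action, resource) pairs the album/upload flow exercises.
// ListBucket and GetBucketLocation are bucket-level, so they are checked
// against the bucket ARN; the object actions against an object ARN.
function missingPermissions(policy, bucket) {
  const bucketArn = `arn:aws:s3:::${bucket}`;
  const objectArn = `${bucketArn}/album/photo.jpeg`; // constructed key
  const needed = [
    ['s3:ListBucket', bucketArn],
    ['s3:GetBucketLocation', bucketArn],
    ['s3:PutObject', objectArn],
    ['s3:GetObject', objectArn],
    ['s3:DeleteObject', objectArn],
  ];
  return needed
    .filter(([action, arn]) => !isAllowed(policy, action, arn))
    .map(([action, arn]) => `${action} on ${arn}`);
}

// The question's policy: s3:* granted only on the object ARN (bucket/*).
const questionPolicy = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: ['s3:*'], Resource: ['arn:aws:s3:::examplebucket/*'] }],
};
```

Running missingPermissions(questionPolicy, 'examplebucket') reports the two bucket-level actions as missing, while the answer's three-statement policy reports none.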