Dan L

Reputation: 4439

Amazon S3: 403 forbidden "Invalid according to policy: policy expired" (Ruby)

I am using the Froala HTML editor to upload images directly to an Amazon S3 bucket. It has been working perfectly fine for the last several months. I have not changed anything on the development side.

About a day ago, all my image uploads to Amazon S3 started failing and getting a 403 "Invalid according to policy: policy expired" response.

I realized my bucket didn't have a policy, and was using the old ACL for permissions (my understanding is that policies are replacing ACL?).

I updated my policy using the Amazon policy generator, and I'm still getting the 403.

I tried setting the policy to public just trying to get it to work (note that I've removed anything I thought was sensitive):

{
    "Version": "2012-10-17",
    "Id": "Policy123...",
    "Statement": [
        {
            "Sid": "Stmt123...",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "arn:aws:s3:::<BUCKET_NAME>/*"
        }
    ]
}

From my understanding, this policy should allow full public access to the bucket for any action. Obviously I don't want this for production, but I'm just trying to get it to work again.

However, I still get a 403 "policy expired".

I've seen some other posts about updating computer clocks, but I haven't changed anything on my computer or the servers and I don't have an expiration set in my policy, so I'm not sure why that would matter.

The Amazon S3 console even warns me that I have set public access on the bucket, so I know that the policy is at least "somewhat" working.

Questions

  1. If I update the Amazon S3 policy, do I need to update my application accessKey or secretKey that I use to sign uploads?
  2. Is there anything I can try to explicitly remove a policy expiration? My users will be uploading images, and I don't want the application "user" to expire, it should always be valid?

Upvotes: 0

Views: 1420

Answers (1)

Michael - sqlbot

Reputation: 178966

This error refers to a different policy -- not the bucket policy, but rather the expiration timestamp of the signed policy statement included in the HTML form being used to send a POST upload. It sounds like you are saying that this is you doing uploads, not visitors to a web site, which leads me to assume that this is how your "Froala HTML editor" is uploading your content to S3...

This suggests that your workstation's system clock is incorrect, or perhaps that the clock appears to be correct, but the actual system time zone setting is wrong.

As an example of the latter issue, assume you are in America/Los_Angeles and your system clock shows the time as 08:00, which agrees with your wall clock; however, if your system time zone is incorrectly set to America/New_York, your system clock is in fact reflecting a time that is three hours behind the current time, causing your signed uploads to have expiration timestamps 3 hours earlier than intended -- potentially expiring in the past, thus invalid and rejected by S3 as having an expired policy.

Upvotes: 1
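
The signed-policy expiration described in the answer above, as an added Ruby example that is not part of the original question or answer. It builds the policy document a POST upload form carries and checks its expiration against a reference clock; the bucket name, key prefix, timestamps and function names are constructed for illustration, and the signing step is omitted.

```ruby
require "base64"
require "json"
require "time"

# Build the base64 policy document that a browser POST upload form carries.
# Bucket and key prefix are constructed sample values. Signing is omitted.
def build_post_policy(now:, ttl_seconds:, bucket: "example-bucket", prefix: "uploads/")
  doc = {
    "expiration" => (now.getutc + ttl_seconds).iso8601(3),
    "conditions" => [
      { "bucket" => bucket },
      ["starts-with", "$key", prefix]
    ]
  }
  Base64.strict_encode64(JSON.generate(doc))
end

# Seconds of validity left in a policy, measured against a reference time.
def policy_seconds_left(policy_b64, at:)
  doc = JSON.parse(Base64.strict_decode64(policy_b64))
  (Time.iso8601(doc.fetch("expiration")) - at.getutc).to_i
end

def policy_expired?(policy_b64, at:)
  policy_seconds_left(policy_b64, at: at) <= 0
end

# Constructed scenario: real time is 15:00 UTC, the signing host's clock
# is three hours behind, and the policy lifetime is one hour.
TRUE_NOW   = Time.utc(2024, 6, 1, 15, 0, 0)
SKEWED_NOW = TRUE_NOW - 3 * 3600
TTL        = 3600

if __FILE__ == $PROGRAM_NAME
  { "correct clock" => TRUE_NOW, "skewed clock" => SKEWED_NOW }.each do |label, clock|
    policy = build_post_policy(now: clock, ttl_seconds: TTL)
    left = policy_seconds_left(policy, at: TRUE_NOW)
    puts "#{label}: #{left}s left, expired=#{policy_expired?(policy, at: TRUE_NOW)}"
  end
end
```

Decoding the `policy` field of a failing upload form with `policy_seconds_left` shows the expiration the signer actually produced, which separates a signer clock problem from a bucket policy problem.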
