Reputation: 677
Sorry for the noob question, but I am trying to upload files from my React/Node.js application to S3. I am using Uppy and Companion to handle uploads to S3.
I can upload my files just fine if my S3 permissions for "Block all public access" is unchecked (AKA, anyone in the public can use my bucket).
However, I obviously don't want this. From my understanding, I need to configure my
I am quite certain my CORS settings are fine, but no matter what I do I can't get my uploads to work when "Block all public access" is checked. I keep getting a 403 Forbidden response. My permissions are:
IAM:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::MY_BUCKET_NAME"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketVersions",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::MY_BUCKET_NAME/*"
    }
  ]
}
Bucket policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::00000000000:user/MY_IAM_USERNAME"
      },
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketVersions",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::MY_BUCKET_NAME",
        "arn:aws:s3:::MY_BUCKET_NAME/*"
      ]
    }
  ]
}
CORS:
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>PUT</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
  </CORSRule>
</CORSConfiguration>
I've been trying a combination of different settings, but no luck. I am wondering if it is something basic I'm doing wrong.
Thanks in advance
Upvotes: 0
Views: 1537
Reputation: 68715
An explicit deny overrides an explicit Allow as per IAM policy rules. So checking "Block all public access", which is the default security on a newly created S3, means you are explicitly denying any public access.
Amazon S3 provides block public access settings for buckets and accounts to help you manage public access to Amazon S3 resources. By default, new buckets and objects don't allow public access, but users can modify bucket policies or object permissions to allow public access. Amazon S3 block public access settings override these policies and permissions so that you can limit public access to these resources. With Amazon S3 block public access, account administrators and bucket owners can easily set up centralized controls to limit public access to their Amazon S3 resources that are enforced regardless of how the resources are created.
Using Amazon S3 Block Public Access
Upvotes: 1
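Added example, not part of either post: a small Node.js check of how the Block Public Access settings discussed above treat one upload request, using the bucket policy shape from the question as constructed input. The function names are hypothetical, and the public-policy test is a simplification of the one AWS applies.

```javascript
// Added example: predicts which S3 Block Public Access (BPA) setting
// would reject or neutralise a PutObject request. Runs offline.
const PUBLIC_CANNED_ACLS = new Set(["public-read", "public-read-write", "authenticated-read"]);
const PUBLIC_GROUPS = [
  "http://acs.amazonaws.com/groups/global/AllUsers",
  "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
];

// True when the PutObject request headers ask for a public ACL.
function requestsPublicAcl(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  if (PUBLIC_CANNED_ACLS.has(h["x-amz-acl"])) return true;
  return Object.keys(h).some(
    (k) => k.startsWith("x-amz-grant-") && PUBLIC_GROUPS.some((g) => h[k].includes(g)));
}

// Simplified assumption: "public" = Allow + wildcard principal + no Condition.
function policyIsPublic(policy) {
  return policy.Statement.some((s) => {
    const p = s.Principal;
    const aws = p && typeof p === "object" ? [].concat(p.AWS || []) : [];
    return s.Effect === "Allow" && !s.Condition && (p === "*" || aws.includes("*"));
  });
}

// Returns the BPA findings for one upload against one bucket.
function diagnoseUpload(bpa, headers, bucketPolicy) {
  const findings = [];
  if (requestsPublicAcl(headers)) {
    if (bpa.BlockPublicAcls) findings.push("BlockPublicAcls: PutObject with a public ACL is rejected (403)");
    else if (bpa.IgnorePublicAcls) findings.push("IgnorePublicAcls: upload succeeds, public ACL has no effect");
  }
  if (policyIsPublic(bucketPolicy) && bpa.RestrictPublicBuckets)
    findings.push("RestrictPublicBuckets: public policy access limited to AWS services and the owner account");
  return findings;
}

// Constructed sample input: the bucket policy shape from the question.
const questionPolicy = { Version: "2012-10-17", Statement: [{
  Effect: "Allow",
  Principal: { AWS: "arn:aws:iam::00000000000:user/MY_IAM_USERNAME" },
  Action: ["s3:PutObject", "s3:PutObjectAcl"],
  Resource: ["arn:aws:s3:::MY_BUCKET_NAME/*"] }] };
const allOn = { BlockPublicAcls: true, IgnorePublicAcls: true,
  BlockPublicPolicy: true, RestrictPublicBuckets: true };

console.log(diagnoseUpload(allOn, { "x-amz-acl": "public-read" }, questionPolicy));
console.log(diagnoseUpload(allOn, { "x-amz-acl": "private" }, questionPolicy));
```

A policy that names a single IAM user is not public, so the settings leave it alone; a request that carries a public canned ACL is what `BlockPublicAcls` rejects. Comparing the headers the uploader actually sends against this check separates a Block Public Access rejection from an ordinary permissions problem.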