Reputation: 5283
S3 presigned url file upload – nodeJS + client
tl;dr – OPTIONS request made from the browser to a presigned url acquired from a server (AWS S3) gets 200, but the following PUT request get 403
This is my server-side code responsible for AWS and its S3 service:
const AWS = require('aws-sdk');
const config = {
accessKeyId: process.env.AWS_ACCESS_KEY_ID,
secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
region: process.env.AWS_BUCKET_REGION,
};
AWS.config.update(config);
const S3Bucket = new AWS.S3({
signatureVersion: 'v4',
params: { Bucket: process.env.AWS_BUCKET_NAME },
});
const uploadImage = async (fileData) => {
// fileData contains `name` and `type` properties
const Key = `images/${fileData.name}`;
const params = {
Bucket: process.env.AWS_BUCKET_NAME,
Key,
Expires: 15 * 60, // 15 minutes
ContentType: fileData.type,
ACL: 'public-read',
};
const url = await S3Bucket.getSignedUrlPromise('putObject', params);
return url;
};
The IAM User from the code above (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) has the following policy attached:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1418647210000",
"Effect": "Allow",
"Action": [
"s3:Put*"
],
"Resource": [
"arn:aws:s3:::my-actual-bucket-name-here/*"
]
}
]
}
My actual bucket has no Bucket policy set and has the following CORS configuration:
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
<AllowedOrigin>*</AllowedOrigin>
<AllowedMethod>HEAD</AllowedMethod>
<AllowedMethod>GET</AllowedMethod>
<AllowedMethod>PUT</AllowedMethod>
<AllowedMethod>POST</AllowedMethod>
<MaxAgeSeconds>3000</MaxAgeSeconds>
<AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>
When I make a request from the browser to my server I get a signed URL in the response. Then I use this URL to perform a put request using the following code:
// `file` is a File class object (that inherits from `FilePrototype` which inherits from `BlobPrototype` that has the following attributes
// lastModified: 1556044130023
// name: "profile.jpg"
// size: 788956
// type: "image/jpeg"
// uid: "rc-upload-1578069253604-2"
// webkitRelativePath: ""
const url = 'https://my-actual-bucket.s3.eu-central-1.amazonaws.com/images/profile.jpg?Content-Type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=MYCREDENTIALCODE%2F20200103%2Feu-central-1%2Fs3%2Faws4_request&X-Amz-Date=20200103T163418Z&X-Amz-Expires=900&X-Amz-Signature=b90ed9cbdfadc6401521f80f5d4a65e7d4182becd392ad274ffbe3405d626055&X-Amz-SignedHeaders=host%3Bx-amz-acl&x-amz-acl=public-read';
const response = await fetch(url, {
method: 'PUT',
body: file,
headers: {
'Content-Type': file.type,
},
});
In my Network tab I can see an OPTIONS request that ends up returning 200, and a following PUT request that ends up with 403 saying:
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>BFBCD6D538B3EB6A</RequestId><HostId>BtQuuVJw63Ixvir1ghCu0QLq/FKORNSIyyIh9AoYhul1TnsaoZZ1V0p/FBooM/0HTNhM7ZSegM8=</HostId></Error>
Any idea what am I doing wrong here?
Upvotes: 3
Views: 9515
Answers (1)
Reputation: 32240
You need to add the S3:GetObject permission to your IAM policy. This permission is required because the user (in this case the application) is ultimately granting others permission to "read" (get) an object via a pre-signed URL. Therefore, it also needs to have the "read" (get) permission.
Upvotes: 4
Related Questions
- Streaming uploading to S3 using presigned URL
- S3 file upload stream using node js
- Uploading objects to AWS S3 using presigned URLs
- upload file to s3 using nodejs
- Nodejs Amazon S3 File Upload
- Upload image to S3 using presigned URL
- AWS upload file from client to S3
- Uploading files to S3 using node.js
- nodejs - upload using fs.createReadStream, requestjs, streaming and AWS S3 presigned url throws error
- NodeJs - User upload to s3