mainsocial
Reputation: 7823
S3 post InvalidPolicyDocument bucket-dependent?
I have direct HTML POSTing to an S3 bucket working for bucket A. If I keep all the code exactly the same but substitute and sign the policy for bucket B, Amazon returns an InvalidPolicyDocument error. Is there something about a bucket that needs to be enabled or set before it will accept posted objects?
Thanks in advance! Ben
ps. I have changed the bucket name both in the policy and in the upload URL.
pps. as requested, I traced both requests in Fiddler. Here are the requests and responses:
THE GOOD REQUEST:
REQUEST:
------------ae0KM7cH2cH2cH2Ij5Ef1cH2Ef1ae0
Content-Disposition: form-data; name="Filename"
Blue hills.jpg
------------ae0KM7cH2cH2cH2Ij5Ef1cH2Ef1ae0
Content-Disposition: form-data; name="key"
uploads/${filename}
------------ae0KM7cH2cH2cH2Ij5Ef1cH2Ef1ae0
Content-Disposition: form-data; name="signature"
STJNaC3bFVXD9VSUPhId41yw5+w=
------------ae0KM7cH2cH2cH2Ij5Ef1cH2Ef1ae0
Content-Disposition: form-data; name="AWSAccessKeyId"
0WDZ435HNTSCJ306SXR2
------------ae0KM7cH2cH2cH2Ij5Ef1cH2Ef1ae0
Content-Disposition: form-data; name="acl"
private
------------ae0KM7cH2cH2cH2Ij5Ef1cH2Ef1ae0
Content-Disposition: form-data; name="success_action_status"
201
------------ae0KM7cH2cH2cH2Ij5Ef1cH2Ef1ae0
Content-Disposition: form-data; name="policy"
eydjb25kaXRpb25zJzogW3snYnVja2V0JzogJzB3ZHo0MzVobnRzY2ozMDZzeHIyLXRlc3QtYnVja2V0J30sIFsnc3RhcnRzLXdpdGgnLCAnJGtleScsICd1cGxvYWRzLyddLCBbJ3N0YXJ0cy13aXRoJywgJyRGaWxlbmFtZScsICcnXSwgeydhY2wnOiAncHJpdmF0ZSd9LCB7J3N1Y2Nlc3NfYWN0aW9uX3N0YXR1cyc6ICcyMDEnfV0sICdleHBpcmF0aW9uJzogJzIwMDktMDYtMTBUMTg6MTc6NTlaJ30=
------------ae0KM7cH2cH2cH2Ij5Ef1cH2Ef1ae0
Content-Disposition: form-data; name="file"; filename="Blue hills.jpg"
Content-Type: application/octet-stream
RESPONSE:
<?xml version="1.0" encoding="UTF-8"?>
<PostResponse><Location>http://0wdz435hntscj306sxr2-test-bucket.s3.amazonaws.com/uploads%2FBlue+hills.jpg</Location><Bucket>0wdz435hntscj306sxr2-test-bucket</Bucket><Key>uploads/Blue hills.jpg</Key><ETag>"6fb2a38dc107eacb41cf1656e899cf70"</ETag></PostResponse>
THE BAD REQUEST:
REQUEST:
------------Ij5cH2cH2gL6gL6gL6Ij5Ij5GI3cH2
Content-Disposition: form-data; name="Filename"
Water lilies.jpg
------------Ij5cH2cH2gL6gL6gL6Ij5Ij5GI3cH2
Content-Disposition: form-data; name="policy"
eydjb25kaXRpb25zJzogW3snYnVja2V0JzogdScwd2R6NDM1aG50c2NqMzA2c3hyMi1tNGxiZXRhJ30sIFsnc3RhcnRzLXdpdGgnLCAnJGtleScsICd1cGxvYWRzLyddLCBbJ3N0YXJ0cy13aXRoJywgJyRGaWxlbmFtZScsICcnXSwgeydhY2wnOiAncHJpdmF0ZSd9LCB7J3N1Y2Nlc3NfYWN0aW9uX3N0YXR1cyc6ICcyMDEnfSwgeydDb250ZW50LVR5cGUnOiAnYXBwbGljYXRpb24vb2N0ZXQtc3RyZWFtJ31dLCAnZXhwaXJhdGlvbic6ICcyMDA5LTA2LTEwVDE4OjA5OjE0Wid9
------------Ij5cH2cH2gL6gL6gL6Ij5Ij5GI3cH2
Content-Disposition: form-data; name="key"
uploads/${filename}
------------Ij5cH2cH2gL6gL6gL6Ij5Ij5GI3cH2
Content-Disposition: form-data; name="signature"
u+pOKfpLrFaRhiP3lfTPbCyWl3I=
------------Ij5cH2cH2gL6gL6gL6Ij5Ij5GI3cH2
Content-Disposition: form-data; name="AWSAccessKeyId"
0WDZ435HNTSCJ306SXR2
------------Ij5cH2cH2gL6gL6gL6Ij5Ij5GI3cH2
Content-Disposition: form-data; name="acl"
private
------------Ij5cH2cH2gL6gL6gL6Ij5Ij5GI3cH2
Content-Disposition: form-data; name="success_action_status"
201
------------Ij5cH2cH2gL6gL6gL6Ij5Ij5GI3cH2
Content-Disposition: form-data; name="Content-Type"
application/octet-stream
------------Ij5cH2cH2gL6gL6gL6Ij5Ij5GI3cH2
Content-Disposition: form-data; name="file"; filename="Water lilies.jpg"
Content-Type: application/octet-stream
RESPONSE:
100
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>InvalidPolicyDocument</Code><Message>Invalid Policy: Invalid JSON.</Message><RequestId>2D883FC8947547AC</RequestId><HostId>G1r2SCbd87UmmlOU0hSY3/VTGGXBEmXdLXoxaGt4GJjpELBVHXtjn6PSAPhufLAC</HostId></Error>
0
Upvotes: 4
Views: 4538
Answers (2)
lampslave
Reputation: 1503
If you use one of the "100% compatible" services instead of original S3, check the order of keys in the policy, expiration must be first (as in the docs).
Upvotes: 0
Bryce Kahle
Reputation: 8227
Make sure you change the bucket name in both the action URL and in the policy document.
UPDATE
Here are the Base64 decoded versions of both policies:
GOOD
{
'conditions': [
{
'bucket': '0wdz435hntscj306sxr2-test-bucket'
},
['starts-with', '$key', 'uploads/'],
['starts-with', '$Filename', ''],
{
'acl': 'private'
},
{
'success_action_status': '201'
}
],
'expiration': '2009-06-10T18:17:59Z'
}
BAD
{
'conditions': [
{
'bucket': u'0wdz435hntscj306sxr2-m4lbeta'
},
['starts-with', '$key', 'uploads/'],
['starts-with', '$Filename', ''],
{
'acl': 'private'
},
{
'success_action_status': '201'
},
{
'Content-Type': 'application/octet-stream'
}
],
'expiration': '2009-06-10T18:09:14Z'
}
Somehow an extra "u" got stuck in the bucket line for the bad policy
Upvotes: 3
Related Questions
- amazon s3 invalid principal in bucket policy
- Incorrect S3 bucket policy is detected for bucket in CloudFormation
- S3 Invalid Resource in bucket policy
- AWS S3 Bucket Policy is not valid
- access denied when I attempt to upload to s3 with a signed post could it be the bucket policy?
- AWS S3 Post Object Rejects Extra Form Fields
- 'specified bucket does not exist ' error - S3 bucket with Policy disallow upload from particular IP
- Getting "Missing required field Principal" when adding policy to S3 bucket
- s3 bucket policy post
- s3 Bucket Policy Malformed error