Develop Reference

S3 "Access Denied" to Bucket

I try to allow one of our Devs (myapp-dev1) the access to one explicit S3-Bucket.
I created a policy which should allow CRUD options (he should be able to write and read image files into that bucket, and only into this.
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:ListObjects"
I created a User named dev1 and assigned him to that new policy (the user is not in a Group nor has a Role)
I created a Bucket named accordingly ARN: arn:aws:s3:::myapp-dev1-bucket
Then in this bucket I switched to "Bucket Policy" and used the "Policy Generator" and allowed every action for that moment. All other settings failed so far, this one too. It looks like this:
{
"Id": "Policy123456789",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt123456789",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::myapp-dev1-bucket",
"Principal": {
"AWS": [
"arn:aws:iam::1234567890:user/myapp-dev1"
]
}
}
]
}
But I still get an
Excon::Error::Forbidden: Expected(200) <=> Actual(403 Forbidden)
What I have done wrong?
What I am missing?
Does the User must also be allowed to list buckets?
Please help!

Try this,
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::Bucket_Name"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:ListObject"
],
"Resource": [
"arn:aws:s3:::Bucket_Name/*"
]
}
]
}

Rails Paperclip S3 Cannot delete uploaded files

I'm using Rails 4.2 and Paperclip 4.3.0. Using AWS S3 for my static and uploaded files in production.
I can upload the file and view the uploaded files in my application, but, when i destroy my object model, the uploaded files is not deleted. The log says.
[AWS S3 403 0.004915 0 retries]
head_object(:bucket_name=>"test",:key=>"product_images/data/000/000/014/thumb/aoj_v1.jpg")
AWS::S3::Errors::Forbidden AWS::S3::Errors::Forbidden
Here is my bucket policy.
{
"Id": "Policy1442210342203",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1442210315335",
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::test",
"arn:aws:s3:::test/*"
],
"Principal": {
"AWS": [
"arn:aws:iam::234289374982:root"
]
}
},
{
"Sid": "Stmt1442210338170",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::test",
"arn:aws:s3:::test/*"
],
"Principal": "*"
}
]
}
Any help would be great. Thanks!

Rails paperclip error `AWS::S3::Errors::BadRequest` on `exists?` and `clear`

all.
I've got everything working fine: images are being uploaded and can be accessed via Web with paperclip and S3, except when I log into rails c and type something like this:
> User.first.avatar.exists?
[AWS S3 400 0.093287 0 retries] head_object(:bucket_name=>"mozg-staging-static",:key=>"users/avatars/000/000/001/original/289736.jpg") AWS::S3::Errors::BadRequest AWS::S3::Errors::BadRequest
=> false
The same thing is with the clear method. Found no solution yet.
I have this permission policy:
{
"Sid": "Stmt1436958517000",
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions",
"s3:ListMultipartUploadParts",
"s3:ListObjects",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl",
"s3:RestoreObject"
],
"Resource": [
"arn:aws:s3:::mozg-staging-static",
"arn:aws:s3:::mozg-staging-static/*"
]
}
Thank you for support.

This could be a problem with your policy, can you try:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": ["arn:aws:s3:::mozg-staging-static"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3:::mozg-staging-static/*"]
}
]
}
The ListBucket action needs to be set at a bucket level, whereas the PutObject, GetObject and DeleteObject need to be set against objects in the bucket. I left out the other actions to keep the answer short. You will of course need to add them back in if they are required. You can find a list of actions and whether they are bucket or object actions here: http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html

Access Denied for new bucket with same IAM, Cognito, and permission configuration

For the last month, I've been successfully using Cognito with the iOS SDK to upload and download files from an s3 bucket in my app. I recently created a new bucket in which to store the files instead, and I suddenly can't download anything (although uploads continue to work). I get this error:
Error downloading from S3: Error Domain=com.amazonaws.AWSS3ErrorDomain
Code=1 "The operation couldn’t be completed.
(com.amazonaws.AWSS3ErrorDomain error 1.)" UserInfo=0x157da330
{HostId=xlPbd8nAQvYPesh0JZ5yH7LFuV562FK85qd5MEgg3DNXn9U0m1K6e8kji
CsC4NXf, Code=AccessDenied, Message=Access Denied,
RequestId=EF39DF70A50540EA}
I'm using exactly the same configuration as I was with the old bucket, with the name of the new bucket changed where it needs to be.
Here's the Unauth IAM policy I've been using:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"mobileanalytics:PutEvent",
"cognito-sync:*"
],
"Resource": [
"*"
]
},
{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
]
}
And here's my bucket policy:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowPublicRead",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket_name/*"
}
]
}
The new bucket is the same region as the old. Right now, I'm at a complete loss as to what simply changing to a new bucket changed (and why uploads work, but downloads don't). If it's relevant, my files are now being stored in a subdirectory of the bucket, but I've updated all the key strings on the client. Thank you very much for your help.

I see your resource in the IAM policy is set to *. Try being explicit about the resource in your IAM policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::mybucketname"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
]
}
]
}

AWS S3 bucket policy - how to allow access only from my website?

I have a paperclip text file attachment (in Rails).
My bucket policy is:
{
"Version": "2008-10-17",
"Id": "Policy123",
"Statement": [
{
"Sid": "Stmt123",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"s3:GetObjectVersion",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::my_bucket/*"
}
]
}
I want to restrict access to these actions to only be allowed when the request comes from my website. Is it simply a case of updating this to: "Principal": {"AWS": "mywebsite.com"} ?

You can check some examples in S3 Documentations
To restrict the access from your web site, you can use the condition on Referrer:
{
"Version":"2008-10-17",
"Id":"http referer policy example",
"Statement":[
{
"Sid":"Allow get requests referred by www.mysite.com and mysite.com",
"Effect":"Allow",
"Principal":"*",
"Action":"s3:GetObject",
"Resource":"arn:aws:s3:::example-bucket/*",
"Condition":{
"StringLike":{
"aws:Referer":[
" http://www.mysite.com/*",
" http://mysite.com/*"
]
}
}
}
]
}

Bucket policy :
{
"Version": "2012-10-17",
"Id": "http referer policy example",
"Statement": [
{
"Sid": "Allow get requests originating from www.example.com and example.com.",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::00000000:user/example-user" // IAM User ARN
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket-example/*", // bucket ARN
"Condition": {
"StringLike": {
"aws:Referer": [
"http://example.com/*" // Website link
]
}
}
}
]
}