I'm using Rails 4.2 and Paperclip 4.3.0, with AWS S3 for my static and uploaded files in production.
I can upload the file and view the uploaded files in my application, but when I destroy my object model, the uploaded files are not deleted. The log says:
[AWS S3 403 0.004915 0 retries]
head_object(:bucket_name=>"test",:key=>"product_images/data/000/000/014/thumb/aoj_v1.jpg")
AWS::S3::Errors::Forbidden AWS::S3::Errors::Forbidden
Here is my bucket policy.
{
  "Id": "Policy1442210342203",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1442210315335",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::test",
        "arn:aws:s3:::test/*"
      ],
      "Principal": {
        "AWS": [
          "arn:aws:iam::234289374982:root"
        ]
      }
    },
    {
      "Sid": "Stmt1442210338170",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::test",
        "arn:aws:s3:::test/*"
      ],
      "Principal": "*"
    }
  ]
}
Any help would be great. Thanks!
Related
I want to be able to allow the test.tar file to be downloaded by these IPs using this posted policy. It works perfectly for reading files.
{
  "Version": "2008-10-17",
  "Id": "S3PolicyIdRestricted",
  "Statement": [
    {
      "Sid": "IPDeny",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::mydomain/*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "95.86.79.101",
            "67.119.90.17"
          ]
        }
      }
    }
  ]
}
I am using Active Storage (on S3) for saving resources of my app (Rails). I need to generate a URL for existing images with a changed size; I used this for it:
Rails.application.routes.url_helpers.rails_representation_url(column.variant(resize: '250x250').processed, only_path: true, disposition: :inline)
But in this piece of code, column.variant(resize: '250x250').processed returns
Aws::S3::Errors::Forbidden (Aws::S3::Errors::Forbidden)
Bucket policy:
{
  "Version": "2012-10-17",
  "Id": "Policy*****4140",
  "Statement": [
    {
      "Sid": "Stmt*******38628",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::my_project/*"
      ]
    }
  ]
}
How can I fix it?
I am trying to allow one of our devs (myapp-dev1) access to one explicit S3 bucket.
I created a policy which should allow CRUD operations (he should be able to write and read image files into that bucket, and only into this one):
  "s3:PutObject",
  "s3:GetObject",
  "s3:DeleteObject",
  "s3:ListObjects"
I created a user named dev1 and assigned him to that new policy (the user is not in a group and has no role).
I created a bucket named accordingly, ARN: arn:aws:s3:::myapp-dev1-bucket
Then in this bucket I switched to "Bucket Policy", used the "Policy Generator" and allowed every action for the moment. All other settings have failed so far, and this one too. It looks like this:
{
  "Id": "Policy123456789",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt123456789",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::myapp-dev1-bucket",
      "Principal": {
        "AWS": [
          "arn:aws:iam::1234567890:user/myapp-dev1"
        ]
      }
    }
  ]
}
But I still get an
Excon::Error::Forbidden: Expected(200) <=> Actual(403 Forbidden)
What have I done wrong?
What am I missing?
Must the user also be allowed to list buckets?
Please help!
Try this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::Bucket_Name"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::Bucket_Name/*"
      ]
    }
  ]
}
I've got everything working fine: images are being uploaded and can be accessed via the web with Paperclip and S3, except when I log into rails c and type something like this:
> User.first.avatar.exists?
[AWS S3 400 0.093287 0 retries] head_object(:bucket_name=>"mozg-staging-static",:key=>"users/avatars/000/000/001/original/289736.jpg") AWS::S3::Errors::BadRequest AWS::S3::Errors::BadRequest
=> false
The same thing happens with the clear method. I have found no solution yet.
I have this permission policy:
{
  "Sid": "Stmt1436958517000",
  "Effect": "Allow",
  "Action": [
    "s3:AbortMultipartUpload",
    "s3:DeleteObject",
    "s3:DeleteObjectVersion",
    "s3:GetBucketAcl",
    "s3:GetBucketCORS",
    "s3:GetObject",
    "s3:GetObjectAcl",
    "s3:GetObjectVersion",
    "s3:GetObjectVersionAcl",
    "s3:ListBucket",
    "s3:ListBucketMultipartUploads",
    "s3:ListBucketVersions",
    "s3:ListMultipartUploadParts",
    "s3:ListObjects",
    "s3:PutObject",
    "s3:PutObjectAcl",
    "s3:PutObjectVersionAcl",
    "s3:RestoreObject"
  ],
  "Resource": [
    "arn:aws:s3:::mozg-staging-static",
    "arn:aws:s3:::mozg-staging-static/*"
  ]
}
Thank you for your support.
This could be a problem with your policy; can you try:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": ["arn:aws:s3:::mozg-staging-static"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": ["arn:aws:s3:::mozg-staging-static/*"]
    }
  ]
}
The ListBucket action needs to be set at a bucket level, whereas the PutObject, GetObject and DeleteObject need to be set against objects in the bucket. I left out the other actions to keep the answer short. You will of course need to add them back in if they are required. You can find a list of actions and whether they are bucket or object actions here: http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
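The bucket-level versus object-level split described above, checked mechanically over a policy document. This is an added Ruby example, not code from any poster in this thread; the action lists are a constructed subset, and the sample policy is a constructed copy of the bucket-only "s3:*" grant from the myapp-dev1 question.

```ruby
require 'json'

# Subset of S3 IAM actions split by the ARN they must be granted on (constructed for this example).
BUCKET_LEVEL = %w[s3:ListBucket s3:ListBucketVersions s3:GetBucketAcl s3:GetBucketCORS].freeze
OBJECT_LEVEL = %w[s3:GetObject s3:PutObject s3:DeleteObject s3:GetObjectAcl s3:PutObjectAcl].freeze
# Names that appear in policies on this page but are not IAM actions at all.
NOT_AN_ACTION = %w[s3:ListObjects s3:ListObject].freeze

# "arn:aws:s3:::name" is the bucket itself; "arn:aws:s3:::name/..." addresses objects in it.
def object_path?(arn)
  arn.sub(/\Aarn:aws:s3:::/, '').include?('/')
end

# Return human-readable findings for the Allow statements of a policy document.
def lint_policy(policy_json)
  findings = []
  Array(JSON.parse(policy_json)['Statement']).each do |st|
    next unless st['Effect'] == 'Allow'
    sid = st['Sid'] || '(no Sid)'
    resources = Array(st['Resource'])
    if resources.empty?
      findings << "#{sid}: no Resource key, so the statement grants nothing"
      next
    end
    has_objects = resources.any? { |r| r == '*' || object_path?(r) }
    has_bucket  = resources.any? { |r| r == '*' || !object_path?(r) }
    Array(st['Action']).each do |a|
      if NOT_AN_ACTION.include?(a)
        findings << "#{sid}: #{a} is not an S3 action; grant s3:ListBucket on the bucket ARN"
        next
      end
      wants_bucket = a == 's3:*' || BUCKET_LEVEL.include?(a)
      wants_object = a == 's3:*' || OBJECT_LEVEL.include?(a)
      if wants_object && !has_objects
        findings << "#{sid}: #{a} is object-level but no Resource ends in /* (GET/HEAD/DELETE of keys get 403)"
      end
      if wants_bucket && !has_bucket
        findings << "#{sid}: #{a} is bucket-level but Resource names only objects (HEAD of a missing key is 403, not 404)"
      end
    end
  end
  findings
end

# Constructed sample: the bucket-only "s3:*" grant from the myapp-dev1 question above.
SAMPLE_POLICY = <<~POLICY
  {"Version": "2012-10-17", "Statement": [{"Sid": "Stmt123456789", "Effect": "Allow",
   "Action": "s3:*", "Resource": "arn:aws:s3:::myapp-dev1-bucket",
   "Principal": {"AWS": "arn:aws:iam::1234567890:user/myapp-dev1"}}]}
POLICY
puts lint_policy(SAMPLE_POLICY) if $PROGRAM_NAME == __FILE__
```

Running it reports that the sample's s3:* grant covers only the bucket ARN, which is why object operations in that question still get 403.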
For the last month, I've been successfully using Cognito with the iOS SDK to upload and download files from an s3 bucket in my app. I recently created a new bucket in which to store the files instead, and I suddenly can't download anything (although uploads continue to work). I get this error:
Error downloading from S3: Error Domain=com.amazonaws.AWSS3ErrorDomain Code=1 "The operation couldn’t be completed. (com.amazonaws.AWSS3ErrorDomain error 1.)" UserInfo=0x157da330
{HostId=xlPbd8nAQvYPesh0JZ5yH7LFuV562FK85qd5MEgg3DNXn9U0m1K6e8kjiCsC4NXf, Code=AccessDenied, Message=Access Denied, RequestId=EF39DF70A50540EA}
I'm using exactly the same configuration as I was with the old bucket, with the name of the new bucket changed where it needs to be.
Here's the Unauth IAM policy I've been using:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mobileanalytics:PutEvent",
        "cognito-sync:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    }
  ]
}
And here's my bucket policy:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPublicRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket_name/*"
    }
  ]
}
The new bucket is in the same region as the old one. Right now, I'm at a complete loss as to what simply changing to a new bucket changed (and why uploads work but downloads don't). If it's relevant, my files are now being stored in a subdirectory of the bucket, but I've updated all the key strings on the client. Thank you very much for your help.
I see your resource in the IAM policy is set to *. Try being explicit about the resource in your IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::mybucketname"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::mybucketname/*"
      ]
    }
  ]
}