Rails Paperclip S3 Cannot delete uploaded files - ruby-on-rails

I'm using Rails 4.2 and Paperclip 4.3.0. Using AWS S3 for my static and uploaded files in production.
I can upload the file and view the uploaded files in my application, but, when i destroy my object model, the uploaded files is not deleted. The log says.
[AWS S3 403 0.004915 0 retries]
head_object(:bucket_name=>"test",:key=>"product_images/data/000/000/014/thumb/aoj_v1.jpg")
AWS::S3::Errors::Forbidden AWS::S3::Errors::Forbidden
Here is my bucket policy.
{
"Id": "Policy1442210342203",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1442210315335",
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::test",
"arn:aws:s3:::test/*"
],
"Principal": {
"AWS": [
"arn:aws:iam::234289374982:root"
]
}
},
{
"Sid": "Stmt1442210338170",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::test",
"arn:aws:s3:::test/*"
],
"Principal": "*"
}
]
}
Any help would be great. Thanks!

Related

Set download to particular ip in s3 using bucket policy

I want to be able to allow test.tar file to be downloaded my these ips using this posted policy. Works perfectly for reading files.
{
"Version": "2008-10-17",
"Id": "S3PolicyIdRestricted",
"Statement": [
{
"Sid": "IPDeny",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::mydomain/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"95.86.79.101",
"67.119.90.17"
]
}
}
}
]
}

403 Forbidden after processed variant of image Active Storage (s3)

I am using active storage (on s3) for saving resources of my app (rails). i need generate url for existing images with changed size - i used for it - Rails.application.routes.url_helpers.rails_representation_url(column.variant(resize: '250x250').processed, only_path: true, disposition: :inline)
But in this peace of code - column.variant(resize: '250x250').processed returns
Aws::S3::Errors::Forbidden (Aws::S3::Errors::Forbidden)
backet policy
{
"Version": "2012-10-17",
"Id": "Policy*****4140",
"Statement": [
{
"Sid": "Stmt*******38628",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::my_project/*"
]
}
]
}
How can i fix it?

S3 "Access Denied" to Bucket

I try to allow one of our Devs (myapp-dev1) the access to one explicit S3-Bucket.
I created a policy which should allow CRUD options (he should be able to write and read image files into that bucket, and only into this.
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:ListObjects"
I created a User named dev1 and assigned him to that new policy (the user is not in a Group nor has a Role)
I created a Bucket named accordingly ARN: arn:aws:s3:::myapp-dev1-bucket
Then in this bucket I switched to "Bucket Policy" and used the "Policy Generator" and allowed every action for that moment. All other settings failed so far, this one too. It looks like this:
{
"Id": "Policy123456789",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt123456789",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::myapp-dev1-bucket",
"Principal": {
"AWS": [
"arn:aws:iam::1234567890:user/myapp-dev1"
]
}
}
]
}
But I still get an
Excon::Error::Forbidden: Expected(200) <=> Actual(403 Forbidden)
What I have done wrong?
What I am missing?
Does the User must also be allowed to list buckets?
Please help!
Try this,
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::Bucket_Name"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:ListObject"
],
"Resource": [
"arn:aws:s3:::Bucket_Name/*"
]
}
]
}

Rails paperclip error `AWS::S3::Errors::BadRequest` on `exists?` and `clear`

all.
I've got everything working fine: images are being uploaded and can be accessed via Web with paperclip and S3, except when I log into rails c and type something like this:
> User.first.avatar.exists?
[AWS S3 400 0.093287 0 retries] head_object(:bucket_name=>"mozg-staging-static",:key=>"users/avatars/000/000/001/original/289736.jpg") AWS::S3::Errors::BadRequest AWS::S3::Errors::BadRequest
=> false
The same thing is with the clear method. Found no solution yet.
I have this permission policy:
{
"Sid": "Stmt1436958517000",
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions",
"s3:ListMultipartUploadParts",
"s3:ListObjects",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl",
"s3:RestoreObject"
],
"Resource": [
"arn:aws:s3:::mozg-staging-static",
"arn:aws:s3:::mozg-staging-static/*"
]
}
Thank you for support.
This could be a problem with your policy, can you try:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": ["arn:aws:s3:::mozg-staging-static"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3:::mozg-staging-static/*"]
}
]
}
The ListBucket action needs to be set at a bucket level, whereas the PutObject, GetObject and DeleteObject need to be set against objects in the bucket. I left out the other actions to keep the answer short. You will of course need to add them back in if they are required. You can find a list of actions and whether they are bucket or object actions here: http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html

Access Denied for new bucket with same IAM, Cognito, and permission configuration

For the last month, I've been successfully using Cognito with the iOS SDK to upload and download files from an s3 bucket in my app. I recently created a new bucket in which to store the files instead, and I suddenly can't download anything (although uploads continue to work). I get this error:
Error downloading from S3: Error Domain=com.amazonaws.AWSS3ErrorDomain
Code=1 "The operation couldn’t be completed.
(com.amazonaws.AWSS3ErrorDomain error 1.)" UserInfo=0x157da330
{HostId=xlPbd8nAQvYPesh0JZ5yH7LFuV562FK85qd5MEgg3DNXn9U0m1K6e8kji
CsC4NXf, Code=AccessDenied, Message=Access Denied,
RequestId=EF39DF70A50540EA}
I'm using exactly the same configuration as I was with the old bucket, with the name of the new bucket changed where it needs to be.
Here's the Unauth IAM policy I've been using:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"mobileanalytics:PutEvent",
"cognito-sync:*"
],
"Resource": [
"*"
]
},
{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
]
}
And here's my bucket policy:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowPublicRead",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket_name/*"
}
]
}
The new bucket is the same region as the old. Right now, I'm at a complete loss as to what simply changing to a new bucket changed (and why uploads work, but downloads don't). If it's relevant, my files are now being stored in a subdirectory of the bucket, but I've updated all the key strings on the client. Thank you very much for your help.
I see your resource in the IAM policy is set to *. Try being explicit about the resource in your IAM policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::mybucketname"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
]
}
]
}

Resources