Amazon s3 – 403 Forbidden with Correct Bucket Policy

4

6

I'm trying to make all of the images I've stored in my s3 bucket publicly readable, using the following bucket policy.

{
"Id": "Policy1380877762691",
"Statement": [
    {
        "Sid": "Stmt1380877761162",
        "Action": [
            "s3:GetObject"
        ],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::<bucket-name>/*",
        "Principal": {
            "AWS": [
                "*"
            ]
        }
    }
]

}

I have 4 other similar s3 buckets with the same bucket policy, but I keep getting 403 errors.

The images in this bucket were transferred using s3cmd sync as I'm trying to migrate the contents of the bucket to a new account.

The only difference that I can see is that

  1. I'm using an IAM user with admin access, instead of the root user
  2. the files don't have a "grantee : everyone open/download file" permission on each of the files, something the files had in the old bucket
Tyrannize answered 23/7, 2015 at 16:26 Comment(1)
One thing to bear in mind is that if you have grantee Everyone open/download on the object, you don't need any bucket policy to make that work, so your existing policy may in fact be wrong and doing nothing useful. – Ogive
2

If you want everyone to access your S3 objects in the bucket, the principal should be "*", i.e., like this:

{
"Id": "Policy1380877762691",
"Statement": [
    {
        "Sid": "Stmt1380877761162",
        "Action": [
            "s3:GetObject"
        ],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::<bucket-name>/*",
        "Principal": "*"
    }
]

}

Source: http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_ElementDescriptions.html#Principal

Cachalot answered 23/7, 2015 at 17:58 Comment(3)
Just tried that, same issue – 403 error Access Denied. I've tried a couple different permutations of that policy all to no avail. – Commutual
That's odd. I have similar policies on some of my S3 buckets and it does work. The only difference that I can spot is that you don't have the "Version":"2012-10-17" in your bucket policy. Maybe give that a try? – Cachalot
Same, on my other buckets the policy works. Something got lost in the transfer between buckets it seems. And aside from the grantee : everyone permissions on each object, nothing else is configured differently. – Commutual
2

I've managed to solve it by running the s3cmd command again but adding --acl-public to the end of it. Seems to have fixed my issue.

Tyrannize answered 24/7, 2015 at 21:2 Comment(0)
1

I know this is an old question, but for whoever is having this issue and working from the AWS Console. Go to the bucket in AWS S3 console:

  1. Open the permissions tab.
  2. Open Public Access settings.
  3. Click edit

Then in the editing page:

  1. Uncheck Block new public bucket policies (Recommended)
  2. Uncheck Block public and cross-account access if bucket has public policies (Recommended)
  3. Click save

CAUTION

PLEASE NOTE THAT THIS WILL MAKE YOUR BUCKET ACCESSIBLE BY ANYONE ON THE INTERNET, EVEN IF THEY DO NOT HAVE AN AWS ACCOUNT, THEY STILL CAN ACCESS THE BUCKET AND THE BUCKET'S CONTENTS. PLEASE HANDLE WITH CAUTION!

Gondi answered 20/12, 2018 at 3:14 Comment(1)
+1: fixed my issue after I disabled "Block public and cross-account access". Another option "Block new public bucket policies" was already disabled to allow to save policy. I am new to AWS, but it helped me to get some progress on static website setup. – Davis
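
A diagnostic for the two causes raised in the answers above (a policy that does not actually grant anonymous s3:GetObject, and Block Public Access settings overriding it), as an added example that is not part of the original thread. The bucket name `example-images` and the sample policy are constructed; the setting names are the fields of the S3 PublicAccessBlockConfiguration.

```python
import json

def as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)

def principal_is_public(principal):
    # Covers "*" and {"AWS": "*"} / {"AWS": ["*"]}, the forms posted in this thread.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))

def public_get_statements(policy, bucket):
    """Allow statements granting anonymous s3:GetObject on every key of `bucket`."""
    wanted = {"s3:GetObject", "s3:*", "*"}
    return [s for s in as_list(policy.get("Statement", []))
            if s.get("Effect") == "Allow"
            and "Condition" not in s  # simplification: conditional grants are ignored
            and principal_is_public(s.get("Principal"))
            and wanted & set(as_list(s.get("Action", [])))
            and f"arn:aws:s3:::{bucket}/*" in as_list(s.get("Resource", []))]

def diagnose(policy_json, bucket, public_access_block):
    """Reasons an anonymous GET would still return 403; empty list if none found."""
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return [f"policy is not valid JSON: {exc.msg} (line {exc.lineno})"]
    reasons = []
    if not public_get_statements(policy, bucket):
        reasons.append("no unconditional Allow of s3:GetObject to Principal * on the objects")
    # Console label: "Block new public bucket policies"
    if public_access_block.get("BlockPublicPolicy"):
        reasons.append("BlockPublicPolicy: S3 rejects saving a public bucket policy")
    # Console label: "Block public and cross-account access if bucket has public policies"
    if public_access_block.get("RestrictPublicBuckets"):
        reasons.append("RestrictPublicBuckets: anonymous access is denied despite the policy")
    return reasons

# Constructed sample input; the bucket name is a placeholder.
SAMPLE_POLICY = """{"Version": "2012-10-17", "Statement": [{
  "Sid": "AddPerm", "Effect": "Allow", "Principal": "*",
  "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::example-images/*"]}]}"""
ALL_ON = dict.fromkeys(("BlockPublicAcls", "IgnorePublicAcls",
                        "BlockPublicPolicy", "RestrictPublicBuckets"), True)

if __name__ == "__main__":
    for reason in diagnose(SAMPLE_POLICY, "example-images", ALL_ON):
        print("403 cause:", reason)
```

The check does not look at object ACLs or object ownership, so an empty result does not rule out a 403 caused by either.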
0

From AWS Documentation
http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AddPerm",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject"],
      "Resource":["arn:aws:s3:::examplebucket/*"]
    }
  ]
}

Not sure if the order or attributes matter here. I would give this one a try.

Flexile answered 23/7, 2015 at 19:50 Comment(0)
