[英]Excon::Errors::Forbidden (Expected(200) <=> Actual(403 Forbidden)
When I try to upload a picture to a "Car" object I'm denied access to S3.当我尝试将图片上传到“汽车”对象时,我被拒绝访问 S3。 But the site images that are in the assets folder have displayed just fine since I added S3.但是自从我添加 S3 以来,资产文件夹中的站点图像显示得很好。 The specific error that I get is this:我得到的具体错误是:
2015-02-17T14:40:48.459629+00:00 app[web.1]: Excon::Errors::Forbidden (Expected(200) <=> Actual(403 Forbidden)
2015-02-17T14:40:48.459630+00:00 app[web.1]: excon.error.response
2015-02-17T14:40:48.459635+00:00 app[web.1]: "Connection" => "close"
2015-02-17T14:40:48.459637+00:00 app[web.1]: "Content-Type" => "application/xml"
2015-02-17T14:40:48.459639+00:00 app[web.1]: "Date" => "Tue, 17 Feb 2015 14:40:48 GMT"
2015-02-17T14:40:48.459640+00:00 app[web.1]: "Server" => "AmazonS3"
2015-02-17T14:40:48.459632+00:00 app[web.1]: :body => "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>2CE306ACD51F02A1</RequestId><HostId>tKLXUAKxyDFTMExl7kE+AuVVsEJOFqXh983li6N7R2UlYDXv1Z3GJRvW5zy1XIXVs2zArp310vg=</HostId></Error>"
2015-02-17T14:40:48.459642+00:00 app[web.1]: "x-amz-id-2" => ""part of secret key"="
With "part of secret key" obviously redacted. “部分秘密密钥”明显被删节了。 I've tried creating a different user and using new keys, but that hasn't worked.我试过创建不同的用户并使用新密钥,但这没有用。 Not where to go from here.不是从这里去哪里。
app/uploaders/picture_uploader应用程序/上传者/picture_uploader
class PictureUploader < CarrierWave::Uploader::Base
include CarrierWave::MiniMagick
process resize_to_limit: [400, 400]
if Rails.env.production?
storage :fog
else
storage :file
end
# Override the directory where uploaded files will be stored.
# This is a sensible default for uploaders that are meant to be mounted:
def store_dir
"uploads/#{model.class.to_s.underscore}/#{mounted_as}/#{model.id}"
end
# Add a white list of extensions which are allowed to be uploaded.
def extension_white_list
%w(jpg jpeg gif png)
end
end
carrier_wave.rb carrier_wave.rb
if Rails.env.production?
CarrierWave.configure do |config|
config.fog_credentials = {
# Configuration for Amazon S3
:provider => 'AWS',
:aws_access_key_id => ENV['S3_ACCESS_KEY'],
:aws_secret_access_key => ENV['S3_SECRET_KEY']
}
config.fog_directory = ENV['S3_BUCKET']
end
end
I believe that's all of the relevant files, let me know if there's more to see.我相信这就是所有相关文件,如果还有更多要看的,请告诉我。 Not sure if specifying a region or a power user would help, doesn't seem like it would.不确定指定区域或高级用户是否有帮助,似乎不会。
[EDIT: I'd default to the other answer at this point, especially if you're in a prod environment. [编辑:此时我默认使用另一个答案,特别是如果您处于生产环境中。 This was a workaround that worked for me while building a breakable toy a few years back, but I agree with granting minimal permissions when security is a concern.]这是一种解决方法,在几年前制作易碎玩具时对我有用,但我同意在考虑安全问题时授予最低权限。]
I was encountering the same error, and the solution was to attach administrative access policies from the AWS Management Console:我遇到了同样的错误,解决方案是从 AWS 管理控制台附加管理访问策略:
1) Sign in to the AWS Management Console at http://aws.amazon.com/iam/ 1) 通过http://aws.amazon.com/iam/登录 AWS 管理控制台
2) Click "Policies" from the Navigation Pane on the left 2) 单击左侧导航窗格中的“策略”
3) Select the "AdministratorAccess" policy 3) 选择“AdministratorAccess”策略
4) Click Policy Actions > Attach at the top of the page 4) 单击页面顶部的策略操作 > 附加
5) Select the user associated with my S3_ACCESS_KEY, S3_SECRET_KEY, and S3_BUCKET 5) 选择与我的 S3_ACCESS_KEY、S3_SECRET_KEY 和 S3_BUCKET 关联的用户
6) Click "Attach Policy" 6) 点击“附加策略”
Merely granting all permissions from my bucket at https://console.aws.amazon.com/s3/home was not sufficient.仅从https://console.aws.amazon.com/s3/home 的存储桶中授予所有权限是不够的。
The other answer telling you to grant AdministratorAccess on the IAM user is a bad idea from a security point of view - it will allow anyone with access to those keys to perform any action in your account, including deleting all infrastructure.从安全角度来看,另一个告诉您授予 IAM 用户管理员访问权限的答案是一个坏主意 - 它允许任何有权访问这些密钥的人在您的账户中执行任何操作,包括删除所有基础设施。
I haven't worked out the exact minimum set of permissions that Carrierwave / Fog needs, but a smaller set that I got working looks like:我还没有计算出 Carrierwave / Fog 需要的确切的最小权限集,但是我得到的一个较小的集看起来像:
Create an AWS IAM Policy with a policy document like:使用如下策略文档创建 AWS IAM 策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::BUCKETNAME/*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::BUCKETNAME"
},
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": [
"*"
]
}
]
}
Note, that it is not an error to specify S3 actions on both BUCKETNAME
and BUCKETNAME/*
- the first relates to API actions that are performed on the bucket, and the second, on stored objects within the bucket.请注意,在BUCKETNAME
和BUCKETNAME/*
上指定 S3 操作并不是错误 - 第一个与在存储桶上执行的 API 操作相关,第二个与存储在存储桶中的对象相关。
如果您的存储桶不是公开的,请确保carrierwave.rb
config.fog_public = false
。
I used this manual: https://medium.com/@mohit_22386/ruby-on-rails-aws-how-to-put-assets-on-aws-s3-and-fetch-using-cloudfront-84de9800ce3d我使用了本手册: https : //medium.com/@mohit_22386/ruby-on-rails-aws-how-to-put-assets-on-aws-s3-and-fetch-using-cloudfront-84de9800ce3d
After setup I could add or remove files from bucket via software (DragonDisk).设置后,我可以通过软件(DragonDisk)从存储桶中添加或删除文件。 But i got the same error on assets:precompile.但是我在资产上遇到了同样的错误:预编译。 I just removed ACL's ckeckboxes on the Permissions > Public access settings page in bucket settings:我刚刚在存储桶设置中的“权限”>“公共访问设置”页面上删除了 ACL 的复选框:
Also, I've used my main account, no IAM, so Rob Mulholand's aswer wasn't relevant for me.另外,我使用了我的主帐户,没有 IAM,所以 Rob Mulholand 的答案与我无关。
A more minimal permission approach would be this one:一种更小的权限方法是这样的:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "<IAM user with programatic access>"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::BUCKETNAME"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "<IAM user with programatic access>"
},
"Action": [
"s3:PutObjectAcl",
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::BUCKETNAME/*"
}
]
}
tl;dr: You also need the s3:PutObjectAcl permission. tl;dr:您还需要 s3:PutObjectAcl 权限。
(I did not check if it would even work without GetObject, DeleteObject permission because in my case I wanted to grant them anyway.) (我没有检查它是否可以在没有 GetObject、DeleteObject 权限的情况下工作,因为在我的情况下,我无论如何都想授予它们。)
Your configuration is correct.您的配置是正确的。 Suppose you have the bucket newly created.假设您有新创建的存储桶。 Here is what you should do.这是你应该做的。
AmazonECS_FullAccess
to it by going to AIMs > Permissions > Add permissions
.创建一个 AIM 用户并通过转到AmazonECS_FullAccess
AIMs > Permissions > Add permissions
将 AmazonECS_FullAccess 附加到它。S3 > YourBucketName > Permissions
.转到S3 > YourBucketName > Permissions
。Object Ownership
and click the "Edit" button on the right.在“权限”选项卡下,滚动到“ Object Ownership
”并单击右侧的“编辑”按钮。 Select ACLs enabled
, check the warning checkbox, and select Bucket owner preferred
then click the "Save changes" button.选择ACLs enabled
,选中警告复选框,然后选择Bucket owner preferred
然后单击“Save changes”按钮。Access control list (ACL)
section you see it is enabled.滚动到您看到它已启用的Access control list (ACL)
部分。 Leave the checkboxes as they are.保持复选框不变。Bucket Policy
section.您可以在Bucket Policy
部分应用该策略。 Leave it black if you don't need it.如果您不需要它,请将其保留为黑色。Redeploy the app and done!!!重新部署应用程序并完成!!!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.