Excon::Errors::Forbidden (Expected(200) <=> Actual(403 Forbidden)

Question

When I try to upload a picture to a "Car" object I'm denied access to S3. But the site images that are in the assets folder have displayed just fine since I added S3. The specific error that I get is this:

2015-02-17T14:40:48.459629+00:00 app[web.1]: Excon::Errors::Forbidden (Expected(200) <=> Actual(403 Forbidden)
2015-02-17T14:40:48.459630+00:00 app[web.1]: excon.error.response
2015-02-17T14:40:48.459635+00:00 app[web.1]:     "Connection"       => "close"
2015-02-17T14:40:48.459637+00:00 app[web.1]:     "Content-Type"     => "application/xml"
2015-02-17T14:40:48.459639+00:00 app[web.1]:     "Date"             => "Tue, 17 Feb 2015 14:40:48 GMT"
2015-02-17T14:40:48.459640+00:00 app[web.1]:     "Server"           => "AmazonS3"
2015-02-17T14:40:48.459632+00:00 app[web.1]:   :body          => "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>2CE306ACD51F02A1</RequestId><HostId>tKLXUAKxyDFTMExl7kE+AuVVsEJOFqXh983li6N7R2UlYDXv1Z3GJRvW5zy1XIXVs2zArp310vg=</HostId></Error>"
2015-02-17T14:40:48.459642+00:00 app[web.1]:     "x-amz-id-2"       => ""part of secret key"="

With "part of secret key" obviously redacted. I've tried creating a different user and using new keys, but that hasn't worked. Not where to go from here.

app/uploaders/picture_uploader

class PictureUploader < CarrierWave::Uploader::Base
  include CarrierWave::MiniMagick
  process resize_to_limit: [400, 400]

  if Rails.env.production?
    storage :fog
  else
    storage :file
  end

  # Override the directory where uploaded files will be stored.
  # This is a sensible default for uploaders that are meant to be mounted:
  def store_dir
    "uploads/#{model.class.to_s.underscore}/#{mounted_as}/#{model.id}"
  end

  # Add a white list of extensions which are allowed to be uploaded.
  def extension_white_list
    %w(jpg jpeg gif png)
  end
end

carrier_wave.rb

if Rails.env.production?
  CarrierWave.configure do |config|
    config.fog_credentials = {
      # Configuration for Amazon S3
      :provider              => 'AWS',
      :aws_access_key_id     => ENV['S3_ACCESS_KEY'],
      :aws_secret_access_key => ENV['S3_SECRET_KEY']
    }
    config.fog_directory     =  ENV['S3_BUCKET']
  end
end

I believe that's all of the relevant files, let me know if there's more to see. Not sure if specifying a region or a power user would help, doesn't seem like it would.

Answer 1

[EDIT: I'd default to the other answer at this point, especially if you're in a prod environment. This was a workaround that worked for me while building a breakable toy a few years back, but I agree with granting minimal permissions when security is a concern.]

I was encountering the same error, and the solution was to attach administrative access policies from the AWS Management Console:

1) Sign in to the AWS Management Console at http://aws.amazon.com/iam/

2) Click "Policies" from the Navigation Pane on the left

3) Select the "AdministratorAccess" policy

4) Click Policy Actions > Attach at the top of the page

5) Select the user associated with my S3_ACCESS_KEY, S3_SECRET_KEY, and S3_BUCKET

6) Click "Attach Policy"

Merely granting all permissions from my bucket at https://console.aws.amazon.com/s3/home was not sufficient.

Answer 2

The other answer telling you to grant AdministratorAccess on the IAM user is a bad idea from a security point of view - it will allow anyone with access to those keys to perform any action in your account, including deleting all infrastructure.

I haven't worked out the exact minimum set of permissions that Carrierwave / Fog needs, but a smaller set that I got working looks like:

Create an AWS IAM Policy with a policy document like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::BUCKETNAME/*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::BUCKETNAME"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Note, that it is not an error to specify S3 actions on both BUCKETNAME and BUCKETNAME/* - the first relates to API actions that are performed on the bucket, and the second, on stored objects within the bucket.

Answer 3

如果您的存储桶不是公开的，请确保carrierwave.rb config.fog_public = false 。

Answer 4

I used this manual: https://medium.com/@mohit_22386/ruby-on-rails-aws-how-to-put-assets-on-aws-s3-and-fetch-using-cloudfront-84de9800ce3d

After setup I could add or remove files from bucket via software (DragonDisk). But i got the same error on assets:precompile. I just removed ACL's ckeckboxes on the Permissions > Public access settings page in bucket settings:

Also, I've used my main account, no IAM, so Rob Mulholand's aswer wasn't relevant for me.

Answer 5

A more minimal permission approach would be this one:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "<IAM user with programatic access>"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::BUCKETNAME"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "<IAM user with programatic access>"
            },
            "Action": [
                "s3:PutObjectAcl",
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::BUCKETNAME/*"
        }
    ]
}

tl;dr: You also need the s3:PutObjectAcl permission.

(I did not check if it would even work without GetObject, DeleteObject permission because in my case I wanted to grant them anyway.)

Answer 6

Your configuration is correct. Suppose you have the bucket newly created. Here is what you should do.

1. Create an AIM user and attach AmazonECS_FullAccess to it by going to AIMs > Permissions > Add permissions .
2. Go to S3 > YourBucketName > Permissions .
3. Under the Permissions tab, scroll to Object Ownership and click the "Edit" button on the right. Select ACLs enabled , check the warning checkbox, and select Bucket owner preferred then click the "Save changes" button.
4. You will be directed back to the Permission tab. Scroll to the Access control list (ACL) section you see it is enabled. Leave the checkboxes as they are.
5. You can apply the policy in the Bucket Policy section. Leave it black if you don't need it.

Redeploy the app and done!!!