AWS S3 Access Denied Error

Question

I am getting access denied error when I try to open a file I have hosted on my S3 bucket.

When my Django app tries to get the same file I get 403 Forbidden Error on my console.

I have made all the files public but still no luck.

I am getting this when I open a link to a file.

<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>D4FCD94BD9DEE9F8</RequestId>
<HostId>
J9RtjMA4wk8kL4f+Ye/6XAQaXrfi9lz5HZ1tWRut8E5Qf/b8RAQbAF/fp3j2bep8Jfd+dtim/fs=
</HostId>
</Error>

My CORS Configuration is this

<CORSConfiguration>
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>Authorization</AllowedHeader>
    </CORSRule>
</CORSConfiguration>

What should I do so that my static files get served properly ?

This is my bucket policy

{
    "Statement": [
        {
            "Sid": "PublicReadForGetBucketObjects",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::****storage/*"
            ]
        },
        {
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::****storage",
                "arn:aws:s3:::****storage/*"
            ],
            "Principal": {
                "AWS": [
                    "arn:aws:iam::0084507*****:user/****"
                ]
            }
        }
    ]
}

The AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY in my settings.py are the ones I got for the user I created in AWS IAM management.

Answer 1

It is really not documented well, but you need two access statements.

In addition to the statement allowing the things you actually want done (GetObject to "arn:aws:s3:::****storage/*"), you also need a statement that allows ListBucket to the bucket itself, "arn:aws:s3:::****storage". Internally, the Aws client will try to list the bucket to determine it exists before doing its action.

The docs are bad, so it seems to be a common flailing to just add more and more permissions until something bleeping works.

With the second statement, it should look like:

{
    "Statement": [
        {
            "Sid": "PublicReadForGetBucketObjects",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::storage/*"
            ]
        },
        {
            "Sid": "somethingElse",
            "Action": "s3:ListBucket",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::storage",
            ],
            "Principal": {
                "AWS": [
                    "arn:aws:iam::0084507*****:user/****"
                ]
            }
        }
    ]
}

Note: If you're using IAM, you can skip the "Principal" part.