stackoom
  简体   繁体   中英

AWS: s3 bucket policy does not give IAM user access to upload to bucket, throws 403 error

 原文  2022-01-28 12:37:29       amazon-web-services/ amazon-s3

Question

I have an S3 bucket that works perfectly with root credentials ( AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY ) to upload files to the bucket.

I have created an IAM user .
I tried to give this IAM user the privilege of uploading files to this bucket by creating this policy and attaching it to that bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement2",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::122xxxxxxxx28:user/iam-user-name"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::bucket-name"
        }
    ]
}

However, when I try to upload a file, I get this error:

PUT https://bucket-name.s3.region-code.amazonaws.com/images/60ded1353752602bf4b364ee.jpeg?Content-Type=image%2F%2A&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIARZARRPPIBMVEWKUW%2F20220128%2Feu-west-3%2Fs3%2Faws4_request&X-Amz-Date=20220128T123229Z&X-Amz-Expires=300&X-Amz-Signature=dfdc3d92f6e52da5387c113ddd793990d1033fdd7318b42b2573594835c01643&X-Amz-SignedHeaders=host%3Bx-amz-acl&x-amz-acl=public-read 403 (Forbidden)

This is how the upload works:

  1. I generate a presigned-url in the backend:

    var getImageSignedUrl = async function (key) { return new Promise((resolve, reject) => { s3.getSignedUrl( "putObject", { Bucket: AWS_BUCKET_NAME, Key: key, ContentType: "image/*", ACL: "public-read", Expires: 300, }, (err, url) => { if (err) { reject(err); } else { resolve(url); } } ); }); };

  2. Then the file is uploaded in the frontend using that url:

    await axios.put(uploadConfig.url, file, { headers: { "Content-Type": file.type, "x-amz-acl": "public-read", }, transformRequest: (data, headers) => { delete headers.common["Authorization"]; return data; }, });

1 answers

solution1
 1  2022-01-28 13:01:12

You may need to replace:

"Resource": "arn:aws:s3:::bucket-name"

With:

"Resource": ["arn:aws:s3:::bucket-name","arn:aws:s3:::bucket-name/*"]

Actions like S3:PutObject apply to specific objects in the bucket like: bucket-name/image_1.png, so adding a wildcard resource enables access to those object operations.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question AWS S3 Bucket Policy throws Access Denied Error IAM user policy returning 403 Forbidden on Amazon S3 bucket Access denied on AWS s3 bucket even with bucket and/or user policy IAM Policy to determine S3 Bucket access based on user tags Access is denied even if IAM user is specified in S3 bucket policy AWS IAM Policy to allow user access to specific S3 bucket for backup How to grant access only to the Root Account User for an S3 bucket with IAM Policy AWS? Why bucket policy does not provide IAM user to list s3 buckets even bucket policy is set for the user? How to give external AWS IAM user access to specific S3 Bucket folder AWS S3 IAM user can't access bucket
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM