I've recently inherited a Rails app that uses S3 for storage of assets. I have transferred all assets to my S3 bucket with no issues. However, when I alter the app to point to the new bucket I get a 403 Forbidden status.
My S3 bucket is set up with the following settings:
Permissions
Everyone can list
Bucket Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucketname/*"
    }
  ]
}
CORS Configuration
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
  </CORSRule>
  <CORSRule>
    <AllowedOrigin>https://www.appdomain.com</AllowedOrigin>
    <AllowedMethod>PUT</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedMethod>DELETE</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
  </CORSRule>
</CORSConfiguration>
Static Web Hosting
Enabled.
What else can I do to allow the public to reach these assets?
If you're getting Access Denied errors on public read requests that are allowed, check the bucket's Amazon S3 Block Public Access settings. Review the S3 Block Public Access settings at both the account and bucket level. These settings can override permissions that allow public read access.
Verify that the AWS Identity and Access Management (IAM) user or role that you're using has permissions for the s3:PutObject action on the bucket. Without this permission, you get an HTTP 403 Forbidden error.
Review the IAM permissions boundaries that are set on the IAM identities that are trying to access the bucket. Confirm that the IAM permissions boundaries allow access to Amazon S3. If your users are getting Access Denied errors on public read requests that should be allowed, check the bucket's Amazon S3 block public access settings.
In addition, during the upload, if we try to modify the object’s ACL, the IAM user or role must have permissions for the s3:PutObjectAcl action. We need permission to access an S3 bucket that uses default encryption with a custom AWS KMS key. To get the permission, a key administrator must grant it on the key policy.
Amazon S3 Block Public Access can apply to individual buckets or AWS accounts. Review the credentials that your users have configured to access Amazon S3. AWS SDKs and the AWS CLI must be configured to use the credentials of the IAM user or role with access to your bucket.
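The interaction between a public bucket policy and Block Public Access described above can be checked offline. This is an added example, not code from the original posts: `diagnose` and `public_get_sids` are hypothetical helper names, and the two settings dictionaries are assumed to use the four field names of S3's PublicAccessBlockConfiguration, one for the account level and one for the bucket level.

```python
import json
from fnmatch import fnmatchcase

# Bucket policy as posted in the question ("bucketname" is the page's placeholder).
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Sid": "PublicReadGetObject",
 "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
 "Resource": "arn:aws:s3:::bucketname/*"}]}
""")

BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def as_list(value):
    return value if isinstance(value, list) else [value]


def public_get_sids(policy):
    """Sids of Allow statements granting s3:GetObject to everyone.
    Simplification (assumption): a statement with a Condition is not public."""
    sids = []
    for st in as_list(policy.get("Statement", [])):
        principal = st.get("Principal")
        everyone = principal == "*" or (
            isinstance(principal, dict) and "*" in as_list(principal.get("AWS", [])))
        # Action entries may be wildcards such as "s3:*" or "s3:Get*".
        grants_get = any(fnmatchcase("s3:getobject", a.lower())
                         for a in as_list(st.get("Action", [])))
        if st.get("Effect") == "Allow" and everyone and grants_get \
                and not st.get("Condition"):
            sids.append(st.get("Sid", "<no Sid>"))
    return sids


def diagnose(policy, account_bpa, bucket_bpa):
    """Return {finding_code: explanation} for anonymous GET requests."""
    # S3 applies the most restrictive combination of account and bucket settings.
    bpa = {k: bool(account_bpa.get(k) or bucket_bpa.get(k)) for k in BPA_KEYS}
    public = public_get_sids(policy)
    findings = {}
    if not public:
        findings["NO_PUBLIC_GET"] = "no unconditional public s3:GetObject Allow"
    elif bpa["RestrictPublicBuckets"]:
        findings["RESTRICTED"] = f"RestrictPublicBuckets overrides {public}"
    if bpa["BlockPublicPolicy"]:
        findings["POLICY_BLOCKED"] = "saving a public bucket policy is rejected"
    if bpa["IgnorePublicAcls"]:
        findings["ACLS_IGNORED"] = "public ACL grants on bucket/objects are ignored"
    return findings
```

An empty result means neither level of Block Public Access stands in the way of the posted policy, so the remaining causes on this page (credentials, KMS key policy, clock) are the next things to check.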
I know this is an old thread, but I just encountered the same problem. I had everything working for months and it just suddenly stopped working, giving me a 403 Forbidden error. It turns out the system clock was the real culprit. I think S3 uses some sort of time-based token that has a very short lifespan. And in my case I just ran:
ntpdate pool.ntp.org
And the problem went away. I'm running CentOS 6 if it's of any relevance. This was the sample output:
19 Aug 20:57:15 ntpdate[63275]: step time server ip_address offset 438.080758 sec
Hope it helps!