I'm new to AWS, so I'm sure I'm just missing a setting somewhere. Currently I have direct upload to S3 set up on my Rails App, which works. When I upload an image to my app the JS triggers, I've overcome the CORS issues, and the image appears in my S3 console. Yay.
The problem is when I try to view the image. When I go to the image URL generated (as returned by S3, and confirmed by the tree structure in the console) I get a 403 HTTP response and a fun XML error (which I looked up and have only found associated with InvalidPayer, which I can't find any reference to anywhere except here):
<Error>
    <Code>AllAccessDisabled</Code>
    <Message>All access to this object has been disabled</Message>
    <RequestId>DF2E5FCE3EF9A8A9</RequestId>
    <HostId>BRqoJ5qxtYfe4ykFCxJftgghNbHvmp/hZQggrLszOwxz2oCje8gCLmZFex0Zebu8k/O+1cSJyic=</HostId>
</Error>
Fun for all! I've been looking around and I've discovered that I probably need to both set up permissions for my IAM user, as well as set bucket permissions so that other people can get to the image. So I've gone to my user's IAM permissions and added AmazonS3FullAccess, which seemed the obvious and most comprehensive choice. Further, I went to my bucket to set permissions for everyone else and specified the following:
{
    "Id": "PolicyIdHere",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "StmtIdHere",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::my-bucket-name/*",
            "Principal": "*"
        }
    ]
}
PS, that bucket setting was generated by AWS using their policy generator, so I suspect it isn't wrong, or else I'm missing a subtlety.
I guess if I think about it, it seems like I've set up all the permissions I might need to view images myself, but perhaps there are additional settings that need to be configured to allow anyone with the proper S3 URL to view the image?
Thanks in advance for any advice.
Facepalm
Another of my classic should-be-evident-answers that I just noticed after looking at this fresh this morning. A) You do need to do the things I mentioned...CORS settings (if you're using JS to upload directly to S3 vs. using your application to do it), IAM user settings, and bucket permissions all need to be correctly configured. But: B) you gotta build the URL correctly, duh. S3 was returning the bucket and path, but NOT the base URL. So I was going to s3.amazonaws.com/path-to-asset, but NOT s3.amazonaws.com/bucket-name/path-to-asset, which is obviously key.
Ya' live and ya' learn.
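The URL mistake described in the answer above, as an added example in Ruby (not code from the original post): in path-style addressing S3 treats the first path segment as the bucket name, so a URL built from the key alone points at a different bucket. The helper names and the sample key are assumptions made for illustration; the bucket name and the `s3.amazonaws.com` host are the ones used in the post.

```ruby
require "uri"
require "erb"

S3_HOST = "s3.amazonaws.com" # endpoint host used in the post

# Percent-encode each key segment but keep "/" as the separator,
# so keys containing spaces or other reserved characters still resolve.
def encode_key(key)
  key.split("/", -1).map { |seg| ERB::Util.url_encode(seg) }.join("/")
end

# Path-style: https://s3.amazonaws.com/<bucket>/<key>
def path_style_url(bucket, key)
  "https://#{S3_HOST}/#{bucket}/#{encode_key(key)}"
end

# Virtual-hosted-style: https://<bucket>.s3.amazonaws.com/<key>
def virtual_hosted_url(bucket, key)
  "https://#{bucket}.#{S3_HOST}/#{encode_key(key)}"
end

# True only when the URL actually names the expected bucket, either as
# the host prefix or as the first path segment on the shared endpoint.
def addresses_bucket?(url, bucket)
  uri = URI.parse(url)
  return true if uri.host == "#{bucket}.#{S3_HOST}"
  uri.host == S3_HOST && uri.path.split("/")[1] == bucket
end

# Constructed sample values (hypothetical key, bucket name from the post).
bucket = "my-bucket-name"
key    = "uploads/my photo.png"

broken = "https://#{S3_HOST}/#{encode_key(key)}" # the mistake: bucket omitted
[broken, path_style_url(bucket, key), virtual_hosted_url(bucket, key)].each do |url|
  status = addresses_bucket?(url, bucket) ? "ok" : "WRONG BUCKET"
  puts "#{status}: #{url}"
end
```

Running `addresses_bucket?` over stored asset URLs before rendering them catches this class of mistake early, instead of surfacing it as a 403 from a bucket you do not control.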