FineUploader: S3 Access Denied Response when Canned ACL value is changed

Question

I have an S3 Fine Uploader implementation working great. By default, it uploads files fine but they are private. Based on FineUploader's documentation I added the objectProperties option as follows to my client-side js config for FineUploader to make the files public:

    objectProperties: {
        acl: "public-read"
    },

However I now get an access denied response from s3 during upload:

<Error><Code>AccessDenied</Code><Message>Access Denied</Message>
<RequestId>(removed)</RequestId>
<HostId>(removed)</HostId>
</Error>

If it helps, this is my CORS Bucket Policy:

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <AllowedMethod>DELETE</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <ExposeHeader>ETag</ExposeHeader>
        <AllowedHeader>content-type</AllowedHeader>
        <AllowedHeader>origin</AllowedHeader>
        <AllowedHeader>x-amz-acl</AllowedHeader>
        <AllowedHeader>x-amz-meta-qqfilename</AllowedHeader>
        <AllowedHeader>x-amz-date</AllowedHeader>
        <AllowedHeader>authorization</AllowedHeader>
    </CORSRule>
</CORSConfiguration>

This is the raw HTTP dump of the request:

Accept:*/*
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-GB,en-US;q=0.8,en;q=0.6
Connection:keep-alive
Content-Length:39643
Content-Type:multipart/form-data; boundary=----WebKitFormBoundaryR70e49pqaNEGSsT1
Host:quickfunnel.s3.amazonaws.com
Origin:http://mysite.local
Referer:http://mysite.local/dashboard/
User-Agent:Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Request Payload
------WebKitFormBoundaryR70e49pqaNEGSsT1
Content-Disposition: form-data; name="key"

d50e0c4f-1886-48bb-b077-075fca79b6dc.JPG
------WebKitFormBoundaryR70e49pqaNEGSsT1
Content-Disposition: form-data; name="AWSAccessKeyId"

ACCESS-KEY-REMOVED
------WebKitFormBoundaryR70e49pqaNEGSsT1
Content-Disposition: form-data; name="Content-Type"

image/jpeg
------WebKitFormBoundaryR70e49pqaNEGSsT1
Content-Disposition: form-data; name="success_action_status"

200
------WebKitFormBoundaryR70e49pqaNEGSsT1
Content-Disposition: form-data; name="acl"

public-read
------WebKitFormBoundaryR70e49pqaNEGSsT1
Content-Disposition: form-data; name="x-amz-meta-qfclientid"

1
------WebKitFormBoundaryR70e49pqaNEGSsT1
Content-Disposition: form-data; name="x-amz-meta-qqfilename"

Capture.JPG
------WebKitFormBoundaryR70e49pqaNEGSsT1
Content-Disposition: form-data; name="policy"

eyJleHBpcmF0aW9uIjoiMjAxNC0wMS0wMlQyMzo0MzoxMC4wNDVaIiwiY29uZGl0aW9ucyI6W3siYWNsIjoicHVibGljLXJlYWQifSx7ImJ1Y2tldCI6InF1aWNrZnVubmVsIn0seyJDb250ZW50LVR5cGUiOiJpbWFnZS9qcGVnIn0seyJzdWNjZXNzX2FjdGlvbl9zdGF0dXMiOiIyMDAifSx7ImtleSI6ImQ1MGUwYzRmLTE4ODYtNDhiYi1iMDc3LTA3NWZjYTc5YjZkYy5KUEcifSx7IngtYW16LW1ldGEtcWZjbGllbnRpZCI6IjEifSx7IngtYW16LW1ldGEtcXFmaWxlbmFtZSI6IkNhcHR1cmUuSlBHIn0sWyJjb250ZW50LWxlbmd0aC1yYW5nZSIsIjAiLCIxNTAwMDAwMCJdXX0=
------WebKitFormBoundaryR70e49pqaNEGSsT1
Content-Disposition: form-data; name="signature"

K7FC4Toe/xmr0SKGOTy6NG+morw=
------WebKitFormBoundaryR70e49pqaNEGSsT1
Content-Disposition: form-data; name="file"; filename="Capture.JPG"
Content-Type: image/jpeg


------WebKitFormBoundaryR70e49pqaNEGSsT1--

Answer 1

Most likely, you have not properly configured your client-side IAM group. In order to deviate from the default ACL of "private", the IAM group associated with the request must be able to perform that "s3:PutObjectAcl" action. You'll need to ensure the IAM group associated with your client-side keys has this permission.