I am trying to make objects in my S3 bucket accessible via URL, but when I hit the object URL in the browser, I receive the following error:
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>0491CC51TEK93R1P</RequestId>
<HostId>aQ9zYuEQ/a5DkwjgbPSkKzfalVuxyYcne8DDIwzSWKo6zhqAovy5U8+PAon5A7OdKfh0KVB/04g=</HostId>
</Error>
Here are my current configurations:
Bucket Policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::*****:role/xyz"
            },
            "Action": "S3:*",
            "Resource": "arn:aws:s3:::test/*"
        }
    ]
}
CORS Configuration:
[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET",
            "PUT",
            "POST",
            "DELETE",
            "HEAD"
        ],
        "AllowedOrigins": [
            "*"
        ],
        "ExposeHeaders": [
            "ETag"
        ],
        "MaxAgeSeconds": 3000
    }
]
I have turned off the Block all public access settings in my bucket.
What could be the reason behind this AccessDenied error when hitting the object URL directly in the browser? Is there something wrong with my bucket policy, CORS configuration, or the settings?
Any insights or suggestions would be greatly appreciated.
asked Nov 20, 2024 at 6:58 by AncientPro
Comments:
- Either you should create a pre-signed URL or make the objects public to make them accessible via URL to anyone, if I got you. If you want it for specific roles then the same policy should work for the xyz role after signing in to the AWS account. No need for CORS in this case. – Asfar Irshad, Nov 20, 2024 at 7:05
- You need another pre-signed URL to view / get the object, or change the policy to actually allow public access. – luk2302, Nov 20, 2024 at 7:08
- Pre-signed URLs for upload and download/view are different; you can't use the same one. You need to generate a new one. If you are unable to upload using the console and this policy is a match with your role, it means there is some other policy or SCP which is denying your access. – Asfar Irshad, Nov 20, 2024 at 7:11
- It depends on the expiry: you can specify how long you want it to be valid during generation, and it can be used an unlimited number of times during that time period. – Asfar Irshad, Nov 20, 2024 at 7:21
- You generally need a new one every time, since it is blind to the expiry of the credentials creating the URL, which generally have a max expiration of 12 hours. Alternative: put CloudFront in front of the bucket. – luk2302, Nov 20, 2024 at 7:23
1 Answer
The issue is that the browser has no AWS IAM credentials. This has nothing to do with CORS; if it did, you would receive an error from the browser, not from S3. If you want to make requests from the browser you will either have to create an S3 presigned URL, as Asfar Irshad and luk2302 suggested:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-presigned-url.html
or you will have to add the authentication signature to the request yourself: https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
You can also make the objects publicly accessible, or go through a CloudFront distribution. In general it's not great to always go through S3 directly; with CloudFront you get caching at the edge and it is cheaper than hitting S3 every time.
https://aws.amazon.com/blogs/networking-and-content-delivery/amazon-s3-amazon-cloudfront-a-match-made-in-the-cloud/
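To make the two routes in the answer concrete, here is an added example (not code from the original post, the answerer, or AWS): a standard-library-only SigV4 query-string presigner for a GET on one object, and the least-privilege public-read bucket policy that would replace the role-scoped policy in the question. It assumes the bucket name `test` from the question and the region us-east-1; the access key pair is the non-functional example pair from the AWS documentation, and the object key, expiry and session token in the usage are constructed values.

```python
"""AWS Signature Version 4 query-string presigning for an S3 GET, plus the
minimal public-read bucket policy. Added example, not code from the original
post. Standard library only, so it runs offline. The key pair below is the
non-functional example pair from the AWS documentation, not real credentials."""
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import quote

# Constructed credentials: the well-known AWS documentation example pair.
EXAMPLE_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
EXAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, datestamp: str, region: str, service: str = "s3") -> bytes:
    """Derive the SigV4 signing key: an HMAC chain over date, region, service and terminator."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), datestamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def presign_get(bucket: str, key: str, access_key: str, secret_key: str,
                region: str = "us-east-1", expires: int = 3600,
                amz_date: Optional[str] = None, session_token: Optional[str] = None) -> dict:
    """Build a presigned GET URL (virtual-hosted style) and return the
    intermediate SigV4 artefacts so each step can be inspected.

    amz_date is 'YYYYMMDDTHHMMSSZ'; the default is now (UTC). For temporary
    credentials (an assumed role) pass session_token: the URL then also stops
    working when those credentials expire, whatever `expires` says.
    """
    if amz_date is None:
        amz_date = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    datestamp = amz_date[:8]
    host = f"{bucket}.s3.{region}.amazonaws.com"
    scope = f"{datestamp}/{region}/s3/aws4_request"

    # Every query parameter except the signature itself is covered by the signature.
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:
        params["X-Amz-Security-Token"] = session_token
    # Canonical query string: sorted by name, RFC 3986 encoding ('/' becomes %2F).
    canonical_query = "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items())
    )
    # Canonical URI: each path segment encoded, '/' kept literal.
    canonical_uri = "/" + quote(key, safe="/")
    # Presigned S3 URLs sign only the Host header and leave the payload unsigned.
    canonical_request = "\n".join([
        "GET", canonical_uri, canonical_query,
        f"host:{host}\n", "host", "UNSIGNED-PAYLOAD",
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(signing_key(secret_key, datestamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    url = f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"
    return {"url": url, "canonical_request": canonical_request,
            "string_to_sign": string_to_sign, "signature": signature}


def public_read_policy(bucket: str) -> dict:
    """Bucket policy that lets anyone GET objects, and nothing else.

    Principal "*" is what makes objects public; a role ARN as Principal, as in
    the question, only grants that role. Block Public Access must also be off
    for the bucket, otherwise S3 rejects or ignores this statement.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


if __name__ == "__main__":
    # Constructed usage: a 10-minute URL for a key with a space in it.
    result = presign_get("test", "my file.txt", EXAMPLE_ACCESS_KEY, EXAMPLE_SECRET_KEY,
                         expires=600)
    print(result["url"])
```

A URL produced this way answers the question's symptom directly: the anonymous browser request fails because nothing identifies a principal, while the presigned URL carries the signing principal's identity in `X-Amz-Credential` and proof of possession in `X-Amz-Signature`. If a correctly formed presigned URL still returns AccessDenied, the signing principal itself lacks `s3:GetObject` on that object (check the bucket policy, the role's identity policy and any SCP). With role credentials the URL must carry `X-Amz-Security-Token`, which is why, as luk2302 notes, it dies with the session rather than with `X-Amz-Expires`. In production, prefer the SDK's built-in presigning over hand-rolled signing; the hand-rolled version is here to show what is actually being signed.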