2. Algorithm
  3. amazon web services - AWS S3 Bucket Policy and CORS Configured, Yet Getting Access Denied on URL - Stack Overflow

amazon web services - AWS S3 Bucket Policy and CORS Configured, Yet Getting Access Denied on URL - Stack Overflow

admin2025-03-19  1

I am trying to make objects in my S3 bucket accessible via URL, but when I hit the object URL in the browser, I receive the following error:

<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>0491CC51TEK93R1P</RequestId>
<HostId>aQ9zYuEQ/a5DkwjgbPSkKzfalVuxyYcne8DDIwzSWKo6zhqAovy5U8+PAon5A7OdKfh0KVB/04g=</HostId>
</Error>

Here are my current configurations:

Bucket Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::*****:role/xyz"
            },
            "Action": "S3:*",
            "Resource": "arn:aws:s3:::test/*"
        }
    ]
}

CORS Configuration:

[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET",
            "PUT",
            "POST",
            "DELETE",
            "HEAD"
        ],
        "AllowedOrigins": [
            "*"
        ],
        "ExposeHeaders": [
            "ETag"
        ],
        "MaxAgeSeconds": 3000
    }
]

I have turned off the Block all public access settings in my bucket.

What could be the reason behind this AccessDenied error when hitting the object URL directly in the browser? Is there something wrong with my bucket policy, CORS configuration, or the settings?

Any insights or suggestions would be greatly appreciated.

I am trying to make objects in my S3 bucket accessible via URL, but when I hit the object URL in the browser, I receive the following error:

<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>0491CC51TEK93R1P</RequestId>
<HostId>aQ9zYuEQ/a5DkwjgbPSkKzfalVuxyYcne8DDIwzSWKo6zhqAovy5U8+PAon5A7OdKfh0KVB/04g=</HostId>
</Error>

Here are my current configurations:

Bucket Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::*****:role/xyz"
            },
            "Action": "S3:*",
            "Resource": "arn:aws:s3:::test/*"
        }
    ]
}

CORS Configuration:

[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET",
            "PUT",
            "POST",
            "DELETE",
            "HEAD"
        ],
        "AllowedOrigins": [
            "*"
        ],
        "ExposeHeaders": [
            "ETag"
        ],
        "MaxAgeSeconds": 3000
    }
]

I have turned off the Block all public access settings in my bucket.

What could be the reason behind this AccessDenied error when hitting the object URL directly in the browser? Is there something wrong with my bucket policy, CORS configuration, or the settings?

Any insights or suggestions would be greatly appreciated.

  • amazon-web-services
  • amazon-s3
Share Improve this question asked Nov 20, 2024 at 6:58 AncientProAncientPro 1061 silver badge13 bronze badges 12
  • 1 Either you should create a pre-signed URL or make the objects public to make them accessible via URL to anyone if I got you. If you want it for specific roles then the same policy should work for xyz role after signing in to AWS account. No need for cros in this case – Asfar Irshad Commented Nov 20, 2024 at 7:05
  • 1 You need another predigend url to view / get the object or change the policy to actually allow public access. – luk2302 Commented Nov 20, 2024 at 7:08
  • 1 Pre-Signed URL for upload and download/view are different, you can't use the same one. Need to generate a new one. If you are unable to upload using console and this policy is a match with your role, it means there is some other policy or SCP which is denying your access – Asfar Irshad Commented Nov 20, 2024 at 7:11
  • 1 It depends on the expiry, you can specify how long you want it to be valid during generation, and can be used unlimited times during that time period – Asfar Irshad Commented Nov 20, 2024 at 7:21
  • 1 You generally need a new one every time since it is blind to the expiry of the credentials creating the url which generally have a max expiration of 12 hours. Alternative: put a CloudFront in front of the bucket. – luk2302 Commented Nov 20, 2024 at 7:23
 |  Show 7 more comments

1 Answer 1

Reset to default 1

The issue is that the browser has no AWS IAM credentials, this issue does not have anything to do with CORS, you would receive an error from the browser, not from s3. If you want to make requests from the browser you will either have to create an s3 presigned url as Asfar Irshad and Luk2302 suggested:

https://docs.aws.amazon/AmazonS3/latest/userguide/using-presigned-url.html

Or you will have to add the authentication signature to the request headers yourself: https://docs.aws.amazon/AmazonS3/latest/API/sig-v4-authenticating-requests.html

You can also make the objects publicly accessible or go through a cloudfront distribution. In general it's not great to always go through s3, with cloudfront you get caching at the edge and it is cheaper than going through s3 every time.

https://aws.amazon/blogs/networking-and-content-delivery/amazon-s3-amazon-cloudfront-a-match-made-in-the-cloud/

转载请注明原文地址:http://conceptsofalgorithm.com/Algorithm/1742375707a210430.html
最新回复(0)