AWS S3 browser upload getting Access Denied error

4
votes

I'm trying to upload files to an S3 bucket directly from a browser using POST AWS signature version 4. Initially, I was getting signature validation errors, which I managed to resolve but now I'm getting this error:

<Error>
  <Code>AccessDenied</Code>
  <Message>Access Denied</Message>
  <RequestId>9343E20EAA0FD14E</RequestId
  <HostId>RldZp4h5n6tK8R5WKmWnn0k8PNvJGxb6m...</HostId>
</Error>

I enabled logging in my S3 bucket but they are minimal and don't provide anything additional insight.

I have the following bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::000000000000:user/username"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::bucketname/*"
        }
    ]
}

When I use API key/secret of my user to upload files from my computer or EC2 instance, it works but using the browser upload with signed policy, gives me the above error.

2
amazon-web-servicesamazon-s3amazon
Possible solution is to add <AllowedOrigin>http://www.example1.com</AllowedOrigin> and <AllowedMethod>POST</AllowedMethod> in CORS additional info docs.aws.amazon.com/AmazonS3/latest/dev/cors.htmlniteshd22
No, this is not a CORS error.Michael - sqlbot

2 Answers

4
votes

I figure it out. I was setting the acl in the request (and inside policy) to public-read, which requires addition permissions in the bucket policy. I added the "s3:PutObjectAcl" to the list of Actions and it worked.

4
votes

For me, I needed to access the IAM console and attach a policy to the user who's access key and secret I was using to sign the policy. The policy I attached was AmazonS3FullAccess.