0
votes

So I have a private S3 bucket and want to be able to upload a file to it. My user has the AmazonS3FullAccess policy, and it turns out it's not enough.

The error is

    Error executing "PutObject" on "https://my-existing-bucket-name.s3.amazonaws.com/5037f466f9018271b16b1e77d3d7f386.pdf"; AWS HTTP error: Client error: `PUT https://my-existing-bucket-name.s3.amazonaws.com/5037f466f9018271b16b1e77d3d7f386.pdf` resulted in a `403 Forbidden`

I also tried to add a custom policy

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:PutObjectAcl"
                ],
                "Resource": "arn:aws:s3:::my-existing-bucket-name/*"
            }
        ]
    }

but it still doesn't work, while it is possible to delete or retrieve a file using the same credentials.

Here is how I'm uploading files to AWS (it works fine if I switch bucket access from private to public):

    $this->s3Client->putObject([
        'Bucket' => $this->bucket,
        'Key' => $keyName,
        'ContentType' => $contentType,
        'CacheControl' => 'max-age=86400',
        'Body' => fopen($file, 'rb'),
        'ACL' => 'authenticated-read',
    ]);
1
Does $this->s3Client->putObject execute under your IAM user, or some IAM role? - Marcin
@Marcin there is a special IAM user with the specified policies, I've added his access key to my SDK - Lunin Roman
Are there any bucket policies? - Marcin
None, I've just switched Block all public access and all the checkboxes below to On - Lunin Roman

1 Answer

0
votes

Turns out the problem was in the following option

    'ACL' => 'authenticated-read'

The description of authenticated-read says: "Owner gets FULL_CONTROL. The AuthenticatedUsers group gets READ access."

Apparently, it conflicts with the private bucket settings, and that's why it produces the error. But the 403 error code is confusing; I think response code 409 makes much more sense here. Anyways, it worked when I switched to private, which is the default ACL.
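
As an added example (not part of the original answer, and not AWS SDK code): when Block Public Access is on, its `BlockPublicAcls` setting makes S3 refuse a PutObject that carries a public ACL, and S3 counts any grant to the AllUsers or AuthenticatedUsers groups as public, which covers `authenticated-read`. The PHP below checks a `putObject()` parameter array for such grants before the request is sent; the function names `publicAclReasons` and `wouldBeRejected` are hypothetical, and the inputs are constructed to mirror the question.

```php
<?php
// Predefined groups that S3 treats as "public" when it evaluates an ACL.
const PUBLIC_GROUP_URIS = [
    'http://acs.amazonaws.com/groups/global/AllUsers',
    'http://acs.amazonaws.com/groups/global/AuthenticatedUsers',
];
// Canned ACLs that grant access to one of those groups.
const PUBLIC_CANNED_ACLS = ['public-read', 'public-read-write', 'authenticated-read'];

// Hypothetical helper: list every public grant in a putObject() parameter array.
function publicAclReasons(array $params): array
{
    $reasons = [];
    if (in_array($params['ACL'] ?? 'private', PUBLIC_CANNED_ACLS, true)) {
        $reasons[] = "ACL={$params['ACL']}";
    }
    foreach (['GrantRead', 'GrantReadACP', 'GrantWriteACP', 'GrantFullControl'] as $key) {
        // Explicit grants are strings such as: uri="http://...", id="..."
        preg_match_all('/uri\s*=\s*"([^"]+)"/i', $params[$key] ?? '', $m);
        foreach (array_intersect($m[1], PUBLIC_GROUP_URIS) as $uri) {
            $reasons[] = "$key=$uri";
        }
    }
    return $reasons;
}

// Hypothetical helper: $pab has the shape of a PublicAccessBlockConfiguration.
// Only BlockPublicAcls causes a PutObject with a public ACL to be refused.
function wouldBeRejected(array $params, array $pab): bool
{
    return !empty($pab['BlockPublicAcls']) && publicAclReasons($params) !== [];
}

// Constructed inputs: every Block Public Access checkbox on, as in the question.
$pab = ['BlockPublicAcls' => true, 'IgnorePublicAcls' => true,
        'BlockPublicPolicy' => true, 'RestrictPublicBuckets' => true];
$upload = ['Bucket' => 'my-existing-bucket-name', 'Key' => 'example.pdf',
           'ACL' => 'authenticated-read'];

var_dump(wouldBeRejected($upload, $pab));                        // request from the question
var_dump(wouldBeRejected(['ACL' => 'private'] + $upload, $pab)); // request after the fix
var_dump(publicAclReasons(
    ['GrantRead' => 'uri="http://acs.amazonaws.com/groups/global/AllUsers"']));
```

Running the same check in the upload path, and logging the returned reasons, turns an opaque 403 into a message that names the offending ACL parameter.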