
In my iOS app I recently changed the AWS iOS Library to 1.7.0 (from 1.6.0), which supports resuming/pausing multipart upload. As a result, all file uploads greater than 5MB that use temporary AWS credentials obtained from TVM fail. (Original credentials work without any problem.) The error is HTTP: 403, S3 Error Code: AccessDenied.

The request that fails is this one: GET https://s3.amazonaws.com/<my.bucket.name>/?uploads. I am not sure what this request is for or why there is a permission issue, because my TVM get_federation_token has GET and PUT access.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:PutObject","s3:GetObject"],
      "Resource": ["arn:aws:s3:::my.bucket.name/*"],
      "Effect": "Allow"
    }
  ]
}

The uploads are happening to the location /<my.bucket.name>/. Any idea what is going on?

Thanks

aqs

1 Answer


UPDATE The initial policy I posted was incorrect, s3:ListBucketMultipartUploads is only effective on the bucket.

The S3TransferManager uses multipart uploads for files over 5MB, so you will need to include operations necessary for multipart uploads in your TVM policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "s3:ListBucketMultipartUploads",
      "Resource": "arn:aws:s3:::my.bucket.name",
      "Effect": "Allow"
    },
    {
      "Action": ["s3:PutObject","s3:GetObject","s3:ListMultipartUploadParts","s3:AbortMultipartUpload"],
      "Resource": ["arn:aws:s3:::my.bucket.name/*"],
      "Effect": "Allow"
    }
  ]
}
Bob Kinney
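An added example, not code from the question or the answer: an offline checker that evaluates a TVM/STS policy against the multipart-upload actions the answer lists, keeping the distinction the UPDATE makes between bucket-level and object-level resources. It assumes the bucket name from the question, a constructed sample object key, and a simplified evaluator (Allow/Deny with wildcards only; no NotAction, Condition or case-insensitive action matching).

```python
from fnmatch import fnmatchcase

BUCKET = "my.bucket.name"  # assumed bucket name, as in the question
OBJ = f"arn:aws:s3:::{BUCKET}/photo.jpg"  # constructed sample object ARN

# Actions the TransferManager's multipart upload needs, each paired with the
# resource level it is evaluated against (bucket ARN vs. object ARN).
REQUIRED = {
    "s3:ListBucketMultipartUploads": f"arn:aws:s3:::{BUCKET}",
    "s3:PutObject": OBJ,
    "s3:ListMultipartUploadParts": OBJ,
    "s3:AbortMultipartUpload": OBJ,
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM-style wildcard matching; '*' and '?' are the only metacharacters used
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def is_allowed(policy, action, resource):
    """Explicit Deny wins, any matching Allow grants, otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def missing_multipart_permissions(policy):
    """Required actions the policy does not grant on the right resource level."""
    return sorted(a for a, r in REQUIRED.items() if not is_allowed(policy, a, r))

# The policy from the question: object-level Put/Get only.
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": [f"arn:aws:s3:::{BUCKET}/*"]}]}

# The corrected policy from the answer: the list action sits on the bucket ARN.
ANSWER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucketMultipartUploads",
     "Resource": f"arn:aws:s3:::{BUCKET}"},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject",
     "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"],
     "Resource": [f"arn:aws:s3:::{BUCKET}/*"]}]}

if __name__ == "__main__":
    print("question policy missing:", missing_multipart_permissions(QUESTION_POLICY))
    print("answer policy missing:", missing_multipart_permissions(ANSWER_POLICY))
```

Putting s3:ListBucketMultipartUploads on the object ARN, as the answer's first version did, is reported as missing because the bucket ARN never matches a "/*" pattern.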
  • I tried this but still get the same "AccessDenied" error. What would be a good way to debug this? (thanks for the answer though) – aqs Oct 23 '13 at 18:11
  • Are you sure you flushed the credentials from the device and rebuilt your TVM policy? I've confirmed that this policy works as expected. – Bob Kinney Oct 23 '13 at 18:19
  • I have flushed the credentials from the device and restarted my server after changing the policy. Is that what you meant by "rebuilt your TVM policy"? – aqs Oct 23 '13 at 18:21
  • How are you deploying your policy to the TVM? Are you using the supplied TVM? If so you need to rebuild the war after updating the policy. This is what I'm referring to. – Bob Kinney Oct 23 '13 at 18:25
  • You can try expanding your policy to allow all s3 operations to confirm that you are picking up the updated policy and work down from there. – Bob Kinney Oct 23 '13 at 18:25
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/39848/discussion-between-aqs-and-bob-kinney) – aqs Oct 23 '13 at 18:53
  • https://forums.aws.amazon.com/thread.jspa?threadID=138175 Here is the question I posted in AWS developer forum – aqs Oct 24 '13 at 07:38
  • Unfortunately, without the x-amz-id-2, the S3 team won't be able to diagnose. If you turn on verbose logging in the iOS SDK you *should* see both the request id and x-amz-id-2 in the "Response Headers" section. – Bob Kinney Oct 24 '13 at 14:51
  • Finally got it working Bob. Turns out the problem was the aws id/secret key used for making the `STS` connection had lesser privileges than the root keys. Once it was used everything worked! Once again thanks a lot! – aqs Oct 25 '13 at 06:53
  • Ah, yes, that can be a problem! Glad you were able to get everything working finally. – Bob Kinney Oct 25 '13 at 16:16
  • Hi, quick question with this... Will someone be able to see all multipart uploads to the bucket with this policy? Or just those that they have initiated? – DogpatchTech Oct 31 '13 at 23:09
  • They will be able to see all multipart uploads in the bucket, but not upload parts or abort them. – Bob Kinney Nov 01 '13 at 21:02