
Hey, I am using this for setting up direct upload to S3 using a presigned URL: https://devcenter.heroku.com/articles/s3-upload-python. In the CORS policy I have kept allowed origin *; the rest is the same.

After I get a presigned response, I use Postman to try to upload an image file to S3. But an error seems to appear:

"Invalid according to Policy: Policy Condition failed:"eq", "$acl", "public-read""

I think I'm screwing up the CORS policy or something.

PS: Public access to the S3 bucket is all blocked... Do I need to disable it for this to work?

The bucket policy is also blank... Do I need to add something there? (Sorry for the noob stuff.)

Thanks in advance.


From the link you have referenced, the pre-signed URL you are generating allows the uploaded object to be publicly readable, whereas the bucket blocks public access to the bucket and its objects.

You can either disable the settings for blocking public access if the objects in the bucket can be publicly exposed. Refer to the documentation here.

Or, you can update the generate_presigned_post call to set the ACL to private:

    import boto3

    # Credentials and region come from the environment; S3_BUCKET, file_name and
    # file_type are the values from the linked article.
    s3 = boto3.client("s3")

    # With "acl": "private" in both Fields and Conditions the upload no longer
    # asks for a public ACL, so the bucket's Block Public Access setting does not reject it.
    presigned_post = s3.generate_presigned_post(
        Bucket=S3_BUCKET,
        Key=file_name,
        Fields={"acl": "private", "Content-Type": file_type},
        Conditions=[
            {"acl": "private"},
            {"Content-Type": file_type}
        ],
        ExpiresIn=3600
    )
  • Hey Franks, thanks for the help... So as per your suggestion I unchecked all Block Public Access and added a policy for public GetObject... Now the thing is I am getting an access denied error (403) when I try to upload a file using the presigned URL... Mind that the user which I use to generate the URL has full S3 access. – Aldrin Machado Mar 23 '20 at 12:03
  • The bucket policy is as follows: { "Version": "2012-10-17", "Statement": [ { "Sid": "PublicReadForGetBucketObjects", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::img-bucket/*" } ] } – Aldrin Machado Mar 23 '20 at 12:03
  • You are trying to upload an object via presigned URL. Add `PutObject` permission in your policy. – franklinsijo Mar 23 '20 at 12:08
  • Why?? The user I use to create the presigned URL has the fullAccessToS3 policy attached to it. – Aldrin Machado Mar 23 '20 at 13:42
  • The Bucket policy you have posted in the comment is different! – franklinsijo Mar 23 '20 at 13:43
  • So this bucket policy gives GetObject privileges to any user... But my user also has the S3fullAccess policy attached to it. – Aldrin Machado Mar 23 '20 at 15:27
  • Can you explain on how you are making the POST request with the signed URL? – franklinsijo Mar 23 '20 at 18:51
  • By using the Python requests library... http_response = requests.post(response['data']['url'], data=response['data']['fields'], files=files)... Getting 403 – Aldrin Machado Mar 23 '20 at 19:05
  • Interesting thing is when I make my bucket public... the code works fine with 204... but now in the bucket policy I have given my user role access to s3:*; in addition it also has the s3fullAccess policy... Still it is giving me a 403 error... I am using PyCharm as IDE... I wonder if it is screwing up things... Thanks in advance Frank – Aldrin Machado Mar 23 '20 at 19:08
  • Hey Franks... Was able to solve this... I was confused in a mess of many roles and gave permission to the incorrect role, which was causing the issue... Many thanks... Now I can sleep.. – Aldrin Machado Mar 23 '20 at 19:22
  • Is this answer right? Isn't the point of a pre-signed URL to selectively allow access to a private bucket? – iman453 Aug 09 '22 at 00:18
  • Yes. On creating the pre-signed URL, if the conditions provided contain a public-read ACL, then that will be blocked by the Block Public Access policy enabled at the bucket. The OP can either remove the Public Block setting or set the ACL for the presigned URL to private. – franklinsijo Aug 09 '22 at 09:40
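Whatever the bucket's Block Public Access setting, the form a client POSTs must also match the signed policy's conditions field for field, which is the check behind the `Policy Condition failed` message in the question. The following is an added example, not code from the question, the answer or the Heroku article: it rebuilds the policy document in plain Python and applies S3's documented condition rules to a form, reproducing that message for a form that omits the `acl` the policy requires; `decode_policy` lets you read the `policy` field of a real presigned response to see exactly what you signed. Bucket name, key, expiry and the 10 MB size limit are made up.

```python
import base64
import json

def build_policy(bucket, key, acl, content_type, max_bytes=10 * 1024 * 1024):
    """Policy document of the shape generate_presigned_post signs (constructed)."""
    return {"expiration": "2020-03-24T12:00:00Z",
            "conditions": [{"bucket": bucket}, {"key": key}, {"acl": acl},
                           {"Content-Type": content_type},
                           ["content-length-range", 0, max_bytes]]}

def encode_policy(policy):
    """The base64 'policy' form field the client must send back unchanged."""
    return base64.b64encode(json.dumps(policy).encode()).decode()

def decode_policy(policy_b64):
    """Decode the 'policy' field of a real presigned response to see what was signed."""
    return json.loads(base64.b64decode(policy_b64))

def check_policy(policy, fields, content_length):
    """Failed conditions as S3-style strings; [] means the form would be accepted.
    Every condition must hold and every form field (bar file/policy/signature) must be covered."""
    failures, covered = [], {"file", "policy", "x-amz-signature"}
    for cond in policy["conditions"]:
        if isinstance(cond, dict):                 # {"acl": "private"} is shorthand for eq
            (field, expected), = cond.items()
            op = "eq"
        else:                                      # ["eq"|"starts-with", "$field", value]
            op, field, expected = cond
        if op == "content-length-range":           # here field=min, expected=max
            if not field <= content_length <= expected:
                failures.append(f'["content-length-range", {field}, {expected}]')
            continue
        name = field.lstrip("$")
        covered.add(name)
        actual = fields.get(name)
        ok = (actual == expected if op == "eq"
              else actual is not None and actual.startswith(expected))
        if not ok:
            failures.append(f'["{op}", "${name}", "{expected}"]')
    for extra in sorted(set(fields) - covered):
        failures.append(f'field "{extra}" not covered by any condition')
    return failures

def demo():
    """Policy as in the linked article (acl public-read), checked against two forms."""
    policy = build_policy("img-bucket", "photo.jpg", "public-read", "image/jpeg")
    complete = {"bucket": "img-bucket", "key": "photo.jpg", "acl": "public-read",
                "Content-Type": "image/jpeg", "policy": encode_policy(policy)}
    missing_acl = {k: v for k, v in complete.items() if k != "acl"}
    return check_policy(policy, complete, 1024), check_policy(policy, missing_acl, 1024)
```

Posting the `fields` from the presigned response unchanged, with the file added, is what keeps the form in agreement with the policy; editing any of them (the ACL included) is rejected before IAM or the bucket policy are consulted.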