21

Amazon provides an example for Granting Permission to an Anonymous User as follows (see Example Cases for Amazon S3 Bucket Policies):

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket/*"
        }
    ]
}

Within my policy I've changed "bucket" in ""arn:aws:s3:::bucket/" to "my-bucket".

However, once I try to access an image within a folder of that bucket, I get the following Access denied error:

This XML file does not appear to have any style information associated with it. The document tree is shown below.

(if I explicitly change the properties of that image to public, then reload its url, the image loads perfectly)

What am I doing wrong?

Update #1: Apparently it has something to do with a third party site that I've given access to. Although it has all of the permissions as the main user (me), and its objects are in the same folder, with the exact same permissions, it still won't let me make them publicly viewable. No idea why.

Update #2: Bucket policies do not apply to objects "owned" by others, even though they are within your bucket, see my answer for details.

Community
  • 1
  • 1
GoodGets
  • 1,829
  • 3
  • 18
  • 21

8 Answers8

21

Update

As per GoodGets' comment, the real issue has been that bucket policies to do not apply to objects "owned" by someone else, even though they are in your bucket, see GoodGets' own answer for details (+1).

Is this a new bucket/object setup or are you trying to add a bucket policy to a pre-existing setup?

In the latter case you might have stumbled over a related pitfall due to the interaction between the meanwhile three different S3 access control mechanisms available, which can be rather confusing indeed. This is addressed e.g. in Using ACLs and Bucket Policies Together:

When you have ACLs and bucket policies assigned to buckets, Amazon S3 evaluates the existing Amazon S3 ACLs as well as the bucket policy when determining an account’s access permissions to an Amazon S3 resource. If an account has access to resources that an ACL or policy specifies, they are able to access the requested resource.

While this sounds easy enough, unintentional interferences may result from the subtle different defaults between ACLs an policies:

With existing Amazon S3 ACLs, a grant always provides access to a bucket or object. When using policies, a deny always overrides a grant. [emphasis mine]

This explains why adding an ACL grant always guarantees access, however, this does not apply to adding a policy grant, because an explicit policy deny provided elsewhere in your setup would still be enforced, as further illustrated in e.g. IAM and Bucket Policies Together and Evaluation Logic.

Consequently I recommend to start with a fresh bucket/object setup to test the desired configuration before applying it to a production scenario (which might still interfere of course, but identifying/debugging the difference will be easier in case).

Good luck!

Community
  • 1
  • 1
Steffen Opel
  • 63,899
  • 11
  • 192
  • 211
  • I upvoted your answer for all of the info, thanks. However, I applied the above bucket policy to a brand new bucket that has only 1 folder in it. No other objects. Then I uploaded an image, went to its url and am still getting Access Denied. – GoodGets Feb 14 '12 at 17:30
  • 3
    Steffen, I accepted your answer because it did help me debug my problem. But the real issue is that bucket policies to do not apply to objects "owned" by someone else, even though they are in your bucket. – GoodGets Feb 14 '12 at 22:20
  • @GoodGets: Thanks for accepting and following up with your solution, I've updated the answer to guide future readers accordingly! – Steffen Opel Feb 14 '12 at 22:58
  • 1
    Thank you for the info, it's extremely helpful in sorting out permissions on S3! – Jason Jul 10 '13 at 02:56
7

Bucket policies do not apply files with other owners. So although I've given write access to a third party, the ownership remains them, and my bucket policy will not apply to those objects.

GoodGets
  • 1,829
  • 3
  • 18
  • 21
3

I wasted hours on this, the root cause was stupid, and the solutions mentioned here didn't help (I tried them all), and the AWS s3 permissions docs didn't emphasize this point.

If you have Requester Pays setting ON, you cannot enable Anonymous access (either by bucket policy or ACL 'Everyone'). You can sure write the policies and ACL and apply them and even use the console to explicitly set a file to public, but a non signed url will still get a 403 access denied 100% of the time on that file, until you uncheck requester pays setting in the console for the entire bucket (properties tab when bucket is selected). Or, I assume, via some API REST call.

Unchecked Requester Pays and now anonymous access is working, with referrer restrictions, ect. In fairness, the AWS console does tell us:

While Requester Pays is enabled, anonymous access to this bucket is disabled.

totymedli
  • 29,531
  • 22
  • 131
  • 165
Jinn
  • 43
  • 5
0

The issue is with your Action it should be in array format

Try this:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AddPerm",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject"],
      "Resource":["arn:aws:s3:::examplebucket/*"]
    }
  ]
}

Pass your Bucket name in 'Resource'

Ashish Yadav
  • 3,039
  • 1
  • 16
  • 23
0

If you're having this problem with Zencoder uploads, checkout this page: https://app.zencoder.com/docs/api/encoding/s3-settings/public

Cbas
  • 6,003
  • 11
  • 56
  • 87
0

The following policy will make the entire bucket public :

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AddPerm",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject"],
      "Resource":["arn:aws:s3:::examplebucket/*"]
    }
  ]
}

If you want a specific folder under that bucket to be public using Bucket policies , then you have to explicitly make that folder/prefix as public and then apply the bucket policy as follows :

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AddPerm",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject"],
      "Resource":["arn:aws:s3:::examplebucket/images/*"]
    }
  ]
}

The above policy will allow public read to all of the objects under images , but you will not be able to access other objects inside the bucket.

Shivkumar Mallesappa
  • 2,875
  • 7
  • 41
  • 68
0

I know it is an old question but I would like to add information that may still be relevant today.

I believe that this bucket should be a static site. Because of this, you must use a specific URL for your rules to be accepted. To do this, you must add a "website" to your URL. Otherwise, it will treat it just like an object repository.

Example:

With the problem pointed out: https://name-your-bucket.sa-east-1.amazonaws.com/home

Without the problem pointed out: http://name-your-bucket.s3-website-sa-east-1.amazonaws.com/home

Hope this helps :)

Thiago Lúcio
  • 84
  • 4
0

This works.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::example-bucket/*"
        }
    ]
}
David Buck
  • 3,752
  • 35
  • 31
  • 35
Gerald
  • 31
  • 3