Excon::Errors::Forbidden (Expected(200) <=> Actual(403 Forbidden))

When I try to upload an image to the Car object, I get access denied from S3. But the site images that live in the assets folder display fine since I added S3. The specific error I get is this:

```
2015-02-17T14:40:48.459629+00:00 app[web.1]: Excon::Errors::Forbidden (Expected(200) <=> Actual(403 Forbidden)
2015-02-17T14:40:48.459630+00:00 app[web.1]: excon.error.response
2015-02-17T14:40:48.459635+00:00 app[web.1]:   "Connection" => "close"
2015-02-17T14:40:48.459637+00:00 app[web.1]:   "Content-Type" => "application/xml"
2015-02-17T14:40:48.459639+00:00 app[web.1]:   "Date" => "Tue, 17 Feb 2015 14:40:48 GMT"
2015-02-17T14:40:48.459640+00:00 app[web.1]:   "Server" => "AmazonS3"
2015-02-17T14:40:48.459632+00:00 app[web.1]:   :body => "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>2CE306ACD51F02A1</RequestId><HostId>tKLXUAKxyDFTMExl7kE+AuVVsEJOFqXh983li6N7R2UlYDXv1Z3GJRvW5zy1XIXVs2zArp310vg=</HostId></Error>"
2015-02-17T14:40:48.459642+00:00 app[web.1]:   "x-amz-id-2" => "part of secret key"
```

With the "part of secret key" obviously edited out. I tried to create another user and use the new keys, but that didn't work. Not sure where to go from here.

app/uploaders/picture_uploader.rb

```ruby
class PictureUploader < CarrierWave::Uploader::Base
  include CarrierWave::MiniMagick

  process resize_to_limit: [400, 400]

  if Rails.env.production?
    storage :fog
  else
    storage :file
  end

  # Override the directory where uploaded files will be stored.
  # This is a sensible default for uploaders that are meant to be mounted:
  def store_dir
    "uploads/#{model.class.to_s.underscore}/#{mounted_as}/#{model.id}"
  end

  # Add a white list of extensions which are allowed to be uploaded.
  def extension_white_list
    %w(jpg jpeg gif png)
  end
end
```

carrier_wave.rb

```ruby
if Rails.env.production?
  CarrierWave.configure do |config|
    config.fog_credentials = {
      # Configuration for Amazon S3
      :provider              => 'AWS',
      :aws_access_key_id     => ENV['S3_ACCESS_KEY'],
      :aws_secret_access_key => ENV['S3_SECRET_KEY']
    }
    config.fog_directory = ENV['S3_BUCKET']
  end
end
```

I believe those are all the relevant files; let me know if you need to see more. Not sure whether specifying a region or a more powerful user is the fix.

4 answers

[EDIT: I would defer to the other answer to this question, especially if you are in a prod environment. This was a workaround that worked for me on a forked toy project a few years ago, but I agree with providing minimal permissions when security is a concern.]

I encountered the same error and the solution was to attach administrative access policies from the AWS Management Console:

1) Log in to the AWS Management Console at http://aws.amazon.com/iam/

2) Click on "Policies" in the left navigation bar.

3) Select the "AdministratorAccess" policy

3) Click "Policy Actions" > "Attach" at the top of the page

5) Select the user associated with my S3_ACCESS_KEY, S3_SECRET_KEY and S3_BUCKET

6) Click "Attach Policy"

Simply providing all permissions from my bucket to https://console.aws.amazon.com/s3/home was not enough.

+43

Another answer telling you to provide AdministratorAccess for an IAM user is a bad idea from a security point of view - it will allow anyone who has access to these keys to perform any actions on your account, including deleting the entire infrastructure.

I have not determined the exact minimum permission set that CarrierWave / Fog needs, but the smallest set that I got working looks like this:

Create an AWS IAM policy using a policy document, for example:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::BUCKETNAME/*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::BUCKETNAME"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```

Please note that specifying S3 actions for both BUCKETNAME and BUCKETNAME/* is not an error - the first refers to API actions performed on the bucket itself, and the second to the objects stored in the bucket.

+3

I used this guide: https://medium.com/@mohit_22386/ruby-on-rails-aws-how-to-put-assets-on-aws-s3-and-fetch-using-cloudfront-84de9800ce3d

After setup, I could add or remove files in the bucket through software (DragonDisk). But I got the same error on assets:precompile. I just unchecked the ACL checkboxes on the Permissions > Public access settings page of the bucket settings:

[image: the unchecked ACL checkboxes]

In addition, I used my main account, without IAM, so Rob Mulholand's answer was not relevant for me.

+1

A more minimal resolution approach would be:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "<IAM user with programmatic access>" },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::BUCKETNAME"
    },
    {
      "Effect": "Allow",
      "Principal": { "AWS": "<IAM user with programmatic access>" },
      "Action": [
        "s3:PutObjectAcl",
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::BUCKETNAME/*"
    }
  ]
}
```

tl;dr: You also need the s3:PutObjectAcl permission.

(I did not check whether it works without the GetObject and DeleteObject permissions, because in my case I wanted to grant them anyway.)

+1
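To see why the "bucket vs. bucket/*" distinction from the second answer and the minimal policy from the last answer matter, here is a small added Ruby check (not code from the thread or from CarrierWave/Fog): a toy policy evaluator that walks the S3 calls one CarrierWave upload makes and reports which ones a given policy would reject with 403 AccessDenied. It handles only Effect/Action/Resource with wildcards (Principal and Condition are ignored), and the "bucket only" policy, object key and Principal placeholder are constructed for the example.

```ruby
require 'json'
# Constructed example: a tiny evaluator for the S3 part of an IAM or bucket policy.
# It understands only Effect / Action / Resource with '*' wildcards (Principal and
# Condition are ignored), which is enough to compare the policies in this thread.
BUCKET = 'BUCKETNAME'.freeze
OBJECT_ARN = "arn:aws:s3:::#{BUCKET}/uploads/car/picture/1/photo.jpg".freeze

# The calls CarrierWave/Fog makes for one upload, as [action, resource] pairs.
UPLOAD_CALLS = [
  ['s3:ListBucket',   "arn:aws:s3:::#{BUCKET}"],
  ['s3:PutObject',    OBJECT_ARN],
  ['s3:PutObjectAcl', OBJECT_ARN]
].freeze

# Turn an IAM glob such as 's3:*' or 'arn:aws:s3:::bucket/*' into an anchored regexp.
def iam_glob(pattern)
  Regexp.new('\A' + Regexp.escape(pattern).gsub('\*', '.*').gsub('\?', '.') + '\z')
end

# True when an Allow statement matches both action and resource and no Deny does
# (explicit deny wins, as in IAM).
def allowed?(policy, action, resource)
  decisions = policy['Statement'].map do |st|
    hit = Array(st['Action']).any? { |a| iam_glob(a).match?(action) } &&
          Array(st['Resource']).any? { |r| iam_glob(r).match?(resource) }
    hit ? st['Effect'] : nil
  end.compact
  decisions.include?('Allow') && !decisions.include?('Deny')
end

# Names of the upload calls the policy would answer with 403 AccessDenied.
def denied_calls(policy)
  UPLOAD_CALLS.reject { |act, res| allowed?(policy, act, res) }.map(&:first)
end

# Constructed "bucket only" policy: full rights on the bucket ARN but nothing on
# BUCKETNAME/*, so ListBucket works while the upload itself still gets a 403.
BUCKET_ONLY = JSON.parse('{"Version":"2012-10-17","Statement":[{"Effect":"Allow",' \
                         '"Action":"s3:*","Resource":"arn:aws:s3:::BUCKETNAME"}]}')

# The minimal bucket policy from the last answer (Principal placeholder kept).
MINIMAL = JSON.parse(<<~JSON)
  {"Version":"2012-10-17","Statement":[
    {"Effect":"Allow","Principal":{"AWS":"<IAM user ARN>"},
     "Action":"s3:ListBucket","Resource":"arn:aws:s3:::BUCKETNAME"},
    {"Effect":"Allow","Principal":{"AWS":"<IAM user ARN>"},
     "Action":["s3:PutObjectAcl","s3:PutObject","s3:GetObject","s3:DeleteObject"],
     "Resource":"arn:aws:s3:::BUCKETNAME/*"}]}
JSON

puts "bucket-only denies #{denied_calls(BUCKET_ONLY).inspect}, minimal denies #{denied_calls(MINIMAL).inspect}"
```

Swap in your own policy JSON for `MINIMAL` to see which of the three upload calls it would still reject before touching IAM.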
