AWS S3: Why Public object doesn't work with versioning?

Time:12-24

I have uploaded the object and marked it as public under my bucket. When I click on the Object URL I can see it in the browser (publicly accessible).

Then I have enabled versioning at the s3 bucket level, then I have changed the content in the object and uploaded it again to the same bucket. Versioning works well, I can see two different versions for the same object. However, Public access doesn't. When I clicked on the new Object's URL, it says access denied.

Any specific reason behind this behavior or this is the known issue from S3 or I am doing something which is not as per standard practice?

CodePudding user response:

Each object version has its own permissions. So, the first version can be publicly accessible and you can get it from the browser. But for a newer object version, if it is not configured to be public then public access will not work.

From docs:

Permissions for objects in Amazon S3 are set at the version level. Each version has its own object owner. The AWS account that creates the object version is the owner. So, you can set different permissions for different versions of the same object. To do so, you must specify the version ID of the object whose permissions you want to set in a PUT Object versionId acl request.

CodePudding user response:

If you have versioning enabled and you want to see a specific version of a file from a bucket, you have to add permission for GetObjectVersion in the bucket policy. The bucket policy should look something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::my-bucket/*"
        }
    ]
}

This policy will allow opening files from your bucket if the public URL contains the versionId query param:

https://my-bucket-123456789.s3.amazonaws.com/file3.json?versionId=RXbjBh8SzW9RpEsxX.xzkYb1RTK4pjwF

If you don't have versionId in your public URL, it should work, even if you do not add GetObjectVersion permission to the policy. In this case it will open the latest version.

Please note, this answer assumes that the bucket does not have access control list (ACL) enabled and expects that the ownership of each object is set to Bucket owner enforced.
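The following is an added illustration, not code from the original question or answers: a small Python model of how an anonymous GET against a bucket policy is authorized. It reproduces the point of the answer above by mapping a plain URL to `s3:GetObject` and a URL carrying `?versionId=` to `s3:GetObjectVersion`, then checking the policy from the answer against a copy that lacks `s3:GetObjectVersion`. The evaluator is deliberately simplified (assumption: anonymous caller, no Condition blocks, no IAM identity policies, no Block Public Access settings, object ownership set to Bucket owner enforced so object ACLs are ignored), and the sample URLs with bucket `my-bucket` are constructed so that they match the policy's Resource ARN.

```python
import fnmatch
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Bucket policy from the answer above: public GET for the current object and for named versions.
POLICY_WITH_VERSION = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Statement1",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:GetObjectVersion"],
        "Resource": "arn:aws:s3:::my-bucket/*",
    }],
}

# Same policy without s3:GetObjectVersion: the state that yields "Access Denied"
# for a URL that names a versionId (constructed for comparison).
POLICY_OBJECT_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Statement1",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::my-bucket/*",
    }],
}


def parse_object_url(url: str):
    """Split a virtual-hosted-style S3 URL into (bucket, key, versionId or None).

    Assumption: the host looks like <bucket>.s3[.<region>].amazonaws.com;
    path-style URLs are not handled by this helper."""
    parts = urlparse(url)
    bucket = parts.hostname.split(".s3.", 1)[0]
    key = unquote(parts.path.lstrip("/"))
    version_id = parse_qs(parts.query).get("versionId", [None])[0]
    return bucket, key, version_id


def required_action(version_id: Optional[str]) -> str:
    """A plain GET needs s3:GetObject; a GET for a specific version needs s3:GetObjectVersion."""
    return "s3:GetObjectVersion" if version_id else "s3:GetObject"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal) -> bool:
    return principal == "*" or principal == {"AWS": "*"}


def policy_allows(policy: dict, action: str, resource_arn: str) -> bool:
    """Simplified evaluation for an anonymous caller: an explicit Deny wins,
    a matching Allow with a public principal grants, and no match is denied.
    Condition blocks, identity policies and Block Public Access are out of scope."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if not _is_public_principal(stmt.get("Principal")):
            continue  # only public grants matter for an unauthenticated browser hit
        action_match = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                           for a in _as_list(stmt.get("Action", [])))
        resource_match = any(fnmatch.fnmatchcase(resource_arn, r)
                             for r in _as_list(stmt.get("Resource", [])))
        if not (action_match and resource_match):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def anonymous_get_allowed(policy: dict, url: str) -> bool:
    """Would an anonymous GET of this object URL succeed under the given bucket policy?"""
    bucket, key, version_id = parse_object_url(url)
    return policy_allows(policy, required_action(version_id), f"arn:aws:s3:::{bucket}/{key}")


if __name__ == "__main__":
    # Constructed sample URLs; the bucket name matches the policy's Resource ARN.
    latest = "https://my-bucket.s3.amazonaws.com/file3.json"
    versioned = "https://my-bucket.s3.amazonaws.com/file3.json?versionId=EXAMPLEVERSIONID"
    for name, policy in (("with GetObjectVersion", POLICY_WITH_VERSION),
                         ("GetObject only", POLICY_OBJECT_ONLY)):
        print(f"{name}: latest={anonymous_get_allowed(policy, latest)} "
              f"versioned={anonymous_get_allowed(policy, versioned)}")
```

Running it shows the behaviour from the question: with `s3:GetObject` alone the latest version opens but the `?versionId=` URL is denied, and adding `s3:GetObjectVersion` fixes the versioned URL without widening anything else.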
