I have tried to make a completely public S3 bucket and access using PHP SDK. This works when I run the access code below from my local machine:
require 'vendor/autoload.php';
use Aws\S3\S3Client;
use Aws\S3\Exception\S3Exception;
$s3 = new S3Client([
'version' => 'latest',
'region' => 'eu-west-2',
'credentials' => [
'key' => "my correct key",
'secret' => "my correct secret"
]
]);
// //publictest2
$bucket = 'mybucketname';
$keyname = 'test_file.txt';
// Upload an object
try {
// Upload data.
$result = $s3->putObject([
'Bucket' => $bucket,
'Key' => $keyname,
'Body' => 'Hello',
'ACL' => 'public-read'
]);
// Print the URL to the object.
echo $result['ObjectURL'] . PHP_EOL;
} catch (S3Exception $e) {
echo $e->getMessage() . PHP_EOL;
}
However, as soon as I run it from the test server (an AWS EC2) I get the below error:
Error executing "PutObject" on "mybucketname"; AWS HTTP error: Client error: `PUT https://mybucketname/test_file.txt` resulted in a `403 Forbidden` response: AccessDeniedAccess DeniedVTJX7V (truncated...) AccessDenied (client): Access Denied - AccessDeniedAccess DeniedVTJX7V4CCKZYG7CRTz dPA7fsZQnFxTERKxxbP IpTtMIIsS1uu23fvTruHH3w8KxwGIduCntRBM5u6tIfHdusbCoPw=
I have already implemented the following to make the bucket public:
- Turned off all block Public Access settings, both at account and bucket level: block public access settings at bucket level
- Edit object ownership: edit object ownership section
- I edited ACL lists as so: acl settings
- I even created a bucket policy that should allow anyone to perform any action on the bucket:
{
"Version": "2012-10-17",
"Id": "S3BukcetPolicyIPAccess",
"Statement": [
{
"Sid": "DenyIfNotFromAllowedVPC",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"mybucketarn",
"mybucketarn/*"
]
}
]
}
Why is this still not working when run from my EC2 server?
CodePudding user response:
This is not to do with the S3 bucket - the hint here is that it works from your local machine, meaning that the S3 bucket isn't to blame but the instance.
It's to do with the role that your EC2 instance is assuming (or not assuming) - create & assign an IAM role that has access to perform PutObject on mybucketname.
One quick way to test this would be to use a role with the AWS-managed policy AmazonS3FullAccess attached which provides full access to all S3 buckets.
Your EC2 instance will then have access to the S3 bucket.
CodePudding user response:
for HTTP 403 Forbidden error debug these below steps.
- Missing permissions to s3:PutObject or s3:PutObjectAcl
- Missing permissions to use an AWS Key Management Service (AWS KMS) key
- Explicit deny statement in the bucket policy
- Bucket access control list (ACL) doesn't allow the AWS account root user to write objects
could you please check this command from your ec2 instance
"aws s3 ls s3://doc-example-bucket/abc/"
If this command is successful, then the credentials or role specified in your application code are causing the "Access Denied" error. Be sure that the instance profile role has the required read and write permissions for the S3 buckets. For example, the S3 actions in the following IAM policy provides the required read and write access to the S3 bucket.