7

I'm getting some odd 403 errors from Amazon when requesting objects from an S3 bucket. It seems to be intermittent and it only happens in rapid succession.

If I try to access the same objects at a later time, I can usually retrieve them without issue.

My gut feeling is that these errors are occurring because of some sort of rate-limiting constraint but I can't find anything in the docs. Is rate limiting a possible cause for a 403 error?

BenMorel
Jordan
  • http://aws.amazon.com/articles/1109#04 suggests that you can get this error if the requesting machine does not have its time set to within 15 minutes of the S3 webserver, so you could check that. As the link shows, you will get Error Code: RequestTimeTooSkewed if that is the problem – mc110 Jun 26 '14 at 14:39
  • I see the same intermittent issues. Sometimes after days of successful 200's, I'll start getting 403's from one device while continuing to get 200's from another. The object wasn't recently updated. The device clock time is correct. Any ideas? – Isaac Betesh Nov 06 '14 at 18:44
  • @Jordan did you ever figure out a solution or cause for this? – Joe Jan 22 '15 at 18:58
  • 403 does not indicate rate limiting. That would be 503. In general, 4xx is a client error of some sort, and 5xx is a server error of some sort. http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html – perpetual_check Mar 13 '15 at 03:30
  • Did you get an error code back? Can you include relevant pieces of the response? – perpetual_check Mar 13 '15 at 03:32
  • @mc110 If I was the OP, I would accept your answer! One of my servers in the pool had drifted by more than 15 minutes, so depending on the server my load balancer was hitting, I was getting either a `200` or a `403` from S3. I've now enabled the `ntpd` service on all servers, and everything works fine. Thanks a lot! – BenMorel Oct 13 '16 at 07:16
  • @Benjamin - glad that helped. I wonder if Jordan ever did solve the problem: it would be great if he could post an update – mc110 Oct 14 '16 at 11:03
  • @mc110 My issue was actually that the objects I was requesting didn't exist (they were deleted). – Jordan Oct 14 '16 at 17:01
  • This should have triggered a 404 if they didn't exist? Anyway, you should post an answer to your own question and accept it. It may help others! – BenMorel Oct 14 '16 at 17:03

2 Answers

0

My issue was that the objects I was requesting didn't exist. I'm not sure if there's any special configuration we've done to make it a 403 rather than a 404, but to this day if I attempt to request an object from our bucket that I'm sure doesn't exist I get a 403.

The reason for a 403 is probably one of security; if someone is fishing for objects and sometimes they get a 403 because they don't have access to an object that exists and sometimes they get a 404 because the object legitimately isn't there, they can potentially obtain some sensitive information.

Jordan
  • If the same user that is doing the requesting has the 'List' permissions, they'll get a 404 instead. – Aeolun Mar 26 '19 at 02:03
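
A triage helper for the causes raised on this page (clock skew in the comments on the question, a missing key answered with 403 in the answer above), as an added example that is not code from any poster. The function name, category labels and sample responses are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_SKEW_SECONDS = 15 * 60  # tolerance cited in the comments on the question

def triage_s3_error(status, headers, body, local_now=None):
    """Classify an S3 error response by status, <Code> element and clock skew."""
    local_now = local_now or datetime.now(timezone.utc)
    # Skew between this host and S3, measured from the response Date header.
    skew = None
    if "Date" in headers:
        skew = (local_now - parsedate_to_datetime(headers["Date"])).total_seconds()
    # HEAD responses and proxy error pages carry no parsable S3 error document.
    code = None
    if body.strip():
        try:
            code = ET.fromstring(body).findtext("Code")
        except ET.ParseError:
            pass
    if status == 503:
        category = "throttled"              # rate limiting is a 5xx, not a 403
    elif status != 403:
        category = "not-a-403"
    elif code == "RequestTimeTooSkewed":
        category = "clock-skew"             # sync this host's clock (e.g. ntpd)
    elif code == "AccessDenied":
        # Either read access is missing, or the key does not exist and the
        # caller has no list permission, so S3 answers 403 instead of 404.
        category = "denied-or-missing-key"
    elif code is None and skew is not None and abs(skew) > MAX_SKEW_SECONDS:
        category = "clock-skew-suspected"   # no error code, but the clock is off
    else:
        category = "other"
    return {"category": category, "code": code, "skew_seconds": skew}

# Constructed sample responses, not captured from a real bucket.
SKEWED = "<Error><Code>RequestTimeTooSkewed</Code><Message>skewed</Message></Error>"
DENIED = "<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"
DATE = {"Date": "Thu, 13 Oct 2016 07:16:00 GMT"}
ON_TIME = datetime(2016, 10, 13, 7, 16, 5, tzinfo=timezone.utc)
DRIFTED = datetime(2016, 10, 13, 7, 36, 0, tzinfo=timezone.utc)  # 20 min ahead

if __name__ == "__main__":
    for body, now in ((SKEWED, DRIFTED), (DENIED, ON_TIME), ("", DRIFTED)):
        print(triage_s3_error(403, DATE, body, now))
```

Logging the category per host makes a single drifted server behind a load balancer stand out from a bucket-wide permission problem.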
0

If you're using an S3 bucket as a static content website, you have to attach a policy with the action s3:GetObject to arn:aws:s3:::your-bucket/*. Here is an example using a CloudFormation template:

```yaml
Resources:
  # Bucket configured for static website hosting
  StaticWebsite:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: PublicRead
      BucketName: your-bucket
      WebsiteConfiguration:
        IndexDocument: index.html
  # Bucket policy that lets anyone read every object in the bucket
  StaticWebsitePolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref StaticWebsite
      PolicyDocument:
        Statement:
          - Effect: Allow
            Action:
              - s3:GetObject
            Resource:
              - arn:aws:s3:::your-bucket/*
            Principal: "*"
```
Leopoldo Varela