
I have an application that uploads videos to an S3 bucket, and then creates a custom policy to allow another user (for the Zencoder service) to grab the files, and upload the transcoded files back into the bucket.

Below is the current custom policy I give to the user during transcoding. Basically I give full read permission to the entire bucket, but I only allow the user to PUT files into a specific nested folder.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUserToListContentsOfBucket",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::MY-BUCKET"
      ]
    },
    {
      "Sid": "AllowUserToListContentsOfBucketFolders",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucketMultipartUploads",
        "s3:GetObjectAcl",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::MY-BUCKET/*"
      ]
    },
    {
      "Sid": "AllowUserS3ActionsOfSpecificFolder",
      "Effect": "Allow",
      "Action": [
        "s3:PutObjectAcl",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::MY-BUCKET/some/nested/folder/*"
      ]
    }
  ]
}

This works for the most part, but in the ~1,000 files transferred over by Zencoder, there's usually one or two that fail with a 403 Forbidden error. I'm not sure why, since files were correctly transferred both before and after the error.

Is there any reason Amazon AWS S3 / IAM would send a 403 Access Denied when such a permission is provided?

mnd
  • By "fails", do you mean they fail to load, or do you get that error message while uploading the files? – Piyush Patil Jul 20 '16 at 22:17
  • So the order is: (1) I upload the video file to S3, (2) I tell Zencoder to transcode the video file, (3) Zencoder grabs the original video file, (4) Zencoder uploads some files to S3, (5) Zencoder fails to upload a file with the `403 Access Denied` message, (6) Zencoder is successful at uploading other files after the failure in #5. – mnd Jul 21 '16 at 02:07
  • What is the format of the video file that fails? Is it the same format or a random format that fails? – Piyush Patil Jul 21 '16 at 02:08
  • I'm always using the same format, `mp4`. Sometimes it fails, sometimes it succeeds. I'm transcoding videos into "mp4", "hls", and "dash". It typically seems to be "hls" or "dash" files that fail to be transferred to S3. – mnd Jul 21 '16 at 02:20
  • Can the failed file be subsequently uploaded? – Michael - sqlbot Jul 21 '16 at 04:06
  • I believe so. If I run through the same process again with the same video, it will sometimes succeed, and sometimes fail - so I don't believe it is specific to the file that is trying to be uploaded. – mnd Jul 21 '16 at 13:28
  • Is "careem" a user on your database? – Piyush Patil Jul 21 '16 at 14:01
  • I don't know if I understand. Are you talking about an IAM user? If so, no, "careem" is not a user. Is that a typical user to have? – mnd Jul 21 '16 at 14:37

0 Answers
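A local check for triaging the 403s described in the question, added here as an example (not code from the question or from AWS): it matches each denied request against the three Allow statements of the posted policy to show whether the policy itself explains the denial. It assumes only this identity policy applies (no Deny statements, conditions, bucket policy or ACLs), and the denied requests are constructed sample data.

```python
import re

# The question's policy, reduced to (actions, resources) per Allow statement.
POLICY = [
    (["s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:GetBucketLocation"],
     ["arn:aws:s3:::MY-BUCKET"]),
    (["s3:ListBucketMultipartUploads", "s3:GetObjectAcl", "s3:GetObject"],
     ["arn:aws:s3:::MY-BUCKET/*"]),
    (["s3:PutObjectAcl", "s3:PutObject"],
     ["arn:aws:s3:::MY-BUCKET/some/nested/folder/*"]),
]

def _glob(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    flags = re.S | (re.I if ignore_case else 0)
    return re.fullmatch(regex, value, flags) is not None

def allowed(action, resource_arn, policy=POLICY):
    """True if any Allow statement covers both the action and the resource."""
    for actions, resources in policy:
        # Action names are case-insensitive; resource ARNs (object keys) are not.
        if any(_glob(a, action, True) for a in actions) and \
           any(_glob(r, resource_arn) for r in resources):
            return True
    return False

def triage(denied_requests, bucket="MY-BUCKET"):
    """Split 403'd (action, key) pairs into policy-explained and unexplained."""
    explained, unexplained = [], []
    for action, key in denied_requests:
        arn = f"arn:aws:s3:::{bucket}/{key}"
        (unexplained if allowed(action, arn) else explained).append((action, key))
    return explained, unexplained

# Constructed sample: requests that came back 403 (e.g. taken from access logs).
SAMPLE_DENIED = [
    ("s3:PutObject", "some/nested/folder/hls/seg_001.ts"),    # inside allowed prefix
    ("s3:PutObject", "some/nested/hls/master.m3u8"),          # outside allowed prefix
    ("s3:AbortMultipartUpload", "some/nested/folder/v.mp4"),  # action not granted
]

if __name__ == "__main__":
    explained, unexplained = triage(SAMPLE_DENIED)
    print("explained by policy:", explained)
    print("not explained by policy:", unexplained)
```

Requests that land in the unexplained list were permitted by this policy, so the denial has to come from somewhere other than these three statements.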