Heroku Amazon s3 images - 403 error sometimes?

Question

I have my server setup at Heroku and i've used Amazon s3 for image-storage (uploaded them with the carrierwave gem), but sometimes i get strange 403 errors:

"Failed to load resource: the server responded with a status of 403 (Forbidden)"

(See image below)

If i reload the page the images are shown again.

I've set up a CORSRule:

 <?xml version="1.0" encoding="UTF-8"?>
    <CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <ExposeHeader>ETag</ExposeHeader>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <ExposeHeader>Accept-Ranges</ExposeHeader>
        <ExposeHeader>Content-Range</ExposeHeader>
        <ExposeHeader>Content-Encoding</ExposeHeader>
        <ExposeHeader>Content-Length</ExposeHeader>
        <AllowedHeader>Range</AllowedHeader>
        <AllowedHeader>Authorization</AllowedHeader>
    </CORSRule>
    </CORSConfiguration>

I'm not an expert with CORSRule and i tried a few, but i would be so happy if anyone could point me in the right direction.

--------------- Updated --------------

Here i have my Request General, Response Headers and Request Headers when i'm missing an image.

General

Request URL:https://exnerbilleder.s3.amazonaws.com/nye/uploads/image/image/215/thumb_5.jpg
Request Method:GET
Status Code:403 Forbidden
Remote Address:52.95.150.17:443
Referrer Policy:no-referrer-when-downgrade

Response Headers

Content-Type:application/xml
Date:Tue, 08 Aug 2017 15:49:49 GMT
Server:AmazonS3
Transfer-Encoding:chunked
x-amz-id-2:EG4D5X29x8eAuu+xD9PdG2MsdGYnWHnpkuOc87p1h7nbFgvk57S6Be631UwTdF9tHMauoAjf6j4=
x-amz-request-id:0C43705C41CD57C9

Request Headers

Accept:image/webp,image/apng,image/*,*/*;q=0.8
Accept-Encoding:gzip, deflate, br
Accept-Language:da-DK,da;q=0.8,en-US;q=0.6,en;q=0.4
Connection:keep-alive
Host:exnerbilleder.s3.amazonaws.com
Referer:http://inger-exner.herokuapp.com/works/slotsgarden
User-Agent:Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Mobile Safari/537.36

Visit site

Maybe you will experience the problem if you visit the site

More detail is needed. The request and response headers from the failed requests, in particular. — Michael - sqlbot, Aug 08 '17 at 01:47
Okay. Do you know where i can find them? Is it on the Amazon page? — Peter Højlund Palluth, Aug 08 '17 at 07:09
In the browser's developer tools. https://stackoverflow.com/a/4423097/1695906 — Michael - sqlbot, Aug 08 '17 at 11:32
Look at the response in the browser tools, this gives the error AllAccessDisabledAll access to this object has been disabled - so looks like there is a problem with permissions on the s3 side. — Kenny Grant, Aug 10 '17 at 21:18
I've bought some Amazon support and are know waiting. I will return when i know more. — Peter Højlund Palluth, Aug 11 '17 at 08:57
I wrote the Amazon support and they answered: **The root cause of this issue was an error that caused a small number of the authenticating and authorizing service hosts to miss changes applied to your account.** They pushed the subscription data updates to all the service hosts and that fixed the issue for me. — Peter Højlund Palluth, Aug 11 '17 at 21:23

score 1 · Answer 1 · answered Aug 15 '17 at 05:06

1

Looks like an Amazon issue. A tool such as New Relic or Skylight can help you debug this type of problem where different components lying on different service providers are involved.

answered Aug 15 '17 at 05:06

Stephane Paquet

2,315
27
31

score 1 · Answer 2 · answered Aug 16 '17 at 12:42

Try this:

<CORSConfiguration>
 <CORSRule>
   <AllowedOrigin>http://www.example.com</AllowedOrigin>
   <AllowedMethod>PUT</AllowedMethod>
   <AllowedMethod>POST</AllowedMethod>
   <AllowedMethod>DELETE</AllowedMethod>
   <AllowedHeader>*</AllowedHeader>
  <MaxAgeSeconds>3000</MaxAgeSeconds>
  <ExposeHeader>x-amz-server-side-encryption</ExposeHeader>
  <ExposeHeader>x-amz-request-id</ExposeHeader>
  <ExposeHeader>x-amz-id-2</ExposeHeader>
 </CORSRule>
</CORSConfiguration>

You can refer to the two links below for help :

http://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html#how-do-i-enable-cors

https://devcenter.heroku.com/articles/direct-to-s3-image-uploads-in-rails