0

I am fairly new to Amazon AWS platform.

My implementation scenario is like this, I need an S3 bucket with public read access to store profile pictures of users and other static images for website like logo and backgrounds. Users of the application has the facility to upload the profile pictures.

When i try to access this S3 bucket i am getting 403 forbidden error.

I have done the following by reading some blogs, not sure exactly where I am going wrong.

Step 1: Created an S3 bucked named "test.domain.com" for the region US-EAST-2 (same region as EC2 instance) with public read access.

Step 2: Created a policy with following configuration

    {
        "Effect": "Allow",
        "Action": [
            "s3:ListAllMyBuckets"
        ],
        "Resource": [
            "arn:aws:s3:::*"
        ]
    },
    {
        "Effect": "Allow",
        "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:DeleteObject",
            "s3:ListObject"
        ],
        "Resource": [
            "arn:aws:s3:::test.domain.com/*"
        ]
    }

Step 3: Create a new role for Amazon EC2 and attached the above created policy.

Step 4: Attached the newly created role to EC2 instance

Step 5 : Created an MVC application using the pre-defined templates that comes with VS2015, installed Amazon AWSSDK via nuget package manager and wrote following code to see if everything works.

   //getting instanceprofilecredentials
   var profile = new InstanceProfileAWSCredentials();

   //creating s3 client with credentials and region
   var s3= new AmazonS3Client(profile, Amazon.RegionEndpoint.USEast2);

   //creating a new request and assigning bucket name
   var request = new ListObjectsRequest();
   request.BucketName = "test.domain.com";

   //sending the request
   var response = s3.ListObjects(request);

   //counting no of existing objects
   int totalObjects=response.S3Objects.Count;

   //display as controllers action result
   return Content(totalObjects)

Step 6: Deployed the application using VS2015's web deploy.

Any help with be appreciated. Thank you.

Khaleelullah
  • 23
  • 3
  • I believe this is a duplicate of https://stackoverflow.com/questions/38774798/accessdenied-for-listobjects-for-s3-bucket-when-permissions-are-s3/38775442#38775442 – Mark B Aug 27 '17 at 18:42

2 Answers2

0

I think you need to add the Principal element to your bucket policy. The line I added to your code below will allow access for everyone.

 {
        "Effect": "Allow",
        "Action": [
            "s3:ListAllMyBuckets"
        ],
        "Resource": [
            "arn:aws:s3:::*"
        ]
    },
    {
        "Effect": "Allow",
        "Principal": "*",
        "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:DeleteObject",
            "s3:ListObject"
        ],
        "Resource": [
            "arn:aws:s3:::test.domain.com/*"
        ]
    }
J. Garth
  • 783
  • 6
  • 10
  • When adding a principal, policy validation is throw error as "Invalid principal". If i test the policy without the principle using the aws policy sim, it works perfectly fine. But same policy if i run from my .net code, it throw an error. – Khaleelullah Aug 29 '17 at 20:16
0

Adding the following policy rules to allow role based access has resolved this issue

     {
        "Sid": "AllowPassRole",
        "Effect": "Allow",
        "Action": [
            "iam:PassRole",
            "iam:ListInstanceProfiles"
        ],
        "Resource": "*"
    }
Khaleelullah
  • 23
  • 3