Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

How do I configure CORS in Amazon S3 and confirm the CORS rules with cURL?

6 minute read
1

I want to allow cross-origin resource sharing (CORS) in my Amazon Simple Storage Service (Amazon S3) bucket, but I get an error.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

You can apply Cross-Origin Resource Sharing (CORS) rules to your bucket using either the Amazon S3 console or AWS Command Line Interface (AWS CLI). CORS is a feature of HTTP that uses headers to allow browsers to display content that a web server requests from a different origin. If you make a cross-origin request to an Amazon S3 bucket that you haven't configured with a CORS rule, then the web server doesn't return the CORS header. To test the CORS rules on your Amazon S3 bucket, use the following cURL command:

curl -i http://mycorsbucket.s3.amazonaws.com/cors-test.html -H "Origin: http://www.example.com"

HTTP/1.1 200 OK
x-amz-id-2: Va106gWx1uUDGbouopXfpjvjHW0VXydI8/VGlraf/62f2vvxtI+iAnmu7lF4MK2B6CxuzReyfRI=
x-amz-request-id: QWNNX1Y0MWFM152H
Date: Thu, 04 Nov 2021 18:52:55 GMT
Last-Modified: Thu, 04 Nov 2021 16:03:50 GMT
ETag: "cd4276d2cd5a2dc8ebcc1e04746680f6"
Accept-Ranges: bytes
Content-Type: text/html
Server: AmazonS3
Content-Length: 55

Note: Replace mycorsbucket with the name of your bucket and replace www.example.com with the URL of the web server from which you're requesting content.

If a web server makes a similar request to the origin website, the content retrieved from your bucket won't appear in the browser. To allow your content to appear, configure a CORS policy on your Amazon S3 bucket. Configure your CORS policy so that the appropriate headers are returned. You can configure a CORS rule on your bucket with the Amazon S3 console or AWS CLI.

Configure a CORS rule with the Amazon S3 console

To configure a CORS rule on your bucket with the Amazon S3 console, perform the following steps:

  1. Open the Amazon S3 console.

  2. Select your bucket.

  3. Choose the Permissions tab.

  4. In the Cross-origin resource sharing pane, choose Edit.

  5. In the text box, enter the JSON CORS rule that you want to activate, as in the following example:

    [
  {
    "AllowedHeaders": [
      "Authorization"
    ],
    "AllowedMethods": [
      "GET",
      "HEAD"
    ],
    "AllowedOrigins": [
      "http://www.example.com"
    ],
    "ExposeHeaders": [
      "Access-Control-Allow-Origin"
    ]
  }
]

    For more information about each of the CORS rule elements or example rules, see Elements of a CORS configuration.

    Note: Replace www.example.com with the URL of the web server from which you're requesting content.

  6. Choose Save.

Configure a CORS rule with the AWS CLI

To configure a CORS rule on your bucket with the AWS CLI, run the following command:

aws s3api put-bucket-cors --bucket mycorsbucket --cors-configuration '{"CORSRules" : [{"AllowedHeaders":["Authorization"],"AllowedMethods":["GET","HEAD"],"AllowedOrigins":["http://www.example.com"],"ExposeHeaders":["Access-Control-Allow-Origin"]}]}'

Note: Replace mycorsbucket with the name of your bucket and replace www.example.com with the URL of the web server from which you're requesting content.

Test the CORS rule

To test the CORS rule, use the cURL command, like this:

curl -i http://mycorsbucket.s3.amazonaws.com/index.html -H "Origin: http://www.example.com"

HTTP/1.1 200 OK
x-amz-id-2: d5Jsw1vCf8tR3cMdXrtcTKYgczU/1pjxahnrw7C6jU1fLo8py2Nv2kpeFs8pYPruVZg6Y3JuRUA=
x-amz-request-id: BMCCY18E58B3GBWV
Date: Thu, 04 Nov 2021 19:12:26 GMT
Access-Control-Allow-Origin: http://www.example.com
Access-Control-Allow-Methods: GET, HEAD
Access-Control-Expose-Headers: Access-Control-Allow-Origin
Access-Control-Allow-Credentials: true
Vary: Origin, Access-Control-Request-Headers, Access-Control-Request-Method
Last-Modified: Thu, 04 Nov 2021 16:03:50 GMT
ETag: "cd4276d2cd5a2dc8ebcc1e04746680f6"
Accept-Ranges: bytes
Content-Type: text/html
Server: AmazonS3
Content-Length: 55

Note: Replace mycorsbucket with the name of your bucket and replace www.example.com with the URL of the web server from which you're requesting content.

If you configured the CORS rule correctly, you receive a 200 OK response.

Troubleshoot CORS methods

If you encounter unexpected behavior when you access buckets with CORS, try the following:

  1. Use the cURL command to make requests using specific CORS methods by adding the -H "Access-Control-Request-Method: <Method>" flag. This flag specifies the CORS method to be tested. Use the --request OPTIONS flag to perform a preflight check of the request.

    Note: Amazon S3 supports the GET, HEAD, PUT, POST, and DELETE methods.

    curl -i http://mycorsbucket.s3.amazonaws.com/cors-test.html -H "Access-Control-Request-Method: POST" --request OPTIONS -H "Origin: http://www.example.com"
HTTP/1.1 403 Forbidden
x-amz-request-id: 190J4Q6222HA2KZ5
x-amz-id-2: 6oEci3qg88OeoLvBGwkN8K9AGdxyVela8ZKxftXMqyWrtZFfiKMrBwpTAeRiOth8amovJMtAAdA=
Content-Type: application/xml
Transfer-Encoding: chunked
Date: Fri, 19 Nov 2021 18:43:38 GMT
Server: AmazonS3

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessForbidden</Code><Message>CORSResponse: This CORS request is not allowed. This is usually because the evalution of Origin, request method / Access-Control-Request-Method or Access-Control-Request-Headers are not whitelisted by the resource's CORS spec.</Message><Method>POST</Method><ResourceType>OBJECT</ResourceType><RequestId>190J4Q6222HA2KZ5</RequestId><HostId>6oEci3qg88OeoLvBGwkN8K9AGdxyVela8ZKxftXMqyWrtZFfiKMrBwpTAeRiOth8amovJMtAAdA=</HostId></Error>

    Note: Replace mycorsbucket with the name of your bucket and replace www.example.com with the URL of the web server from which you're requesting content.

  2. If the request returns an error, verify that the CORS configuration is set on the bucket. Be sure that you added the required method to the CORS rule on your bucket. If the CORS configuration is set, you see the option to edit the CORS configuration in the Permissions section for bucket in the S3 console.

    aws s3api put-bucket-cors --bucket mycorsbucket --cors-configuration '{"CORSRules" : [{"AllowedHeaders":["Authorization"],"AllowedMethods":["GET","HEAD","POST"],"AllowedOrigins":["http://www.example.com"],"ExposeHeaders":["Access-Control-Allow-Origin"]}]}'

    Note: Replace mycorsbucket with the name of your bucket and replace www.example.com with the URL of the web server from which you're requesting content.

  3. Test the updated CORS rule. If your method works as expected, you receive the following response:

    curl -i http://mycorsbucket.s3.amazonaws.com/index.html -H "Access-Control-Request-Method: POST" -X OPTIONS -H "Origin: http://www.example.com"
HTTP/1.1 200 OK
x-amz-id-2: Cx4kuM31KPVE19woEPRRYxF+85vEWkLk8+M0p6BIb72T550njMnmLtjqRgYzuxKelR0f+cxhFqI=
x-amz-request-id: QBSHV46QK43HGW15
Date: Fri, 19 Nov 2021 18:48:21 GMT
Access-Control-Allow-Origin: http://www.example.com
Access-Control-Allow-Methods: GET, HEAD, POST
Access-Control-Expose-Headers: Access-Control-Allow-Origin
Access-Control-Allow-Credentials: true
Vary: Origin, Access-Control-Request-Headers, Access-Control-Request-Method
Server: AmazonS3
Content-Length: 0

    Note: Replace mycorsbucket with the name of your bucket and replace www.example.com with the URL of the web server from which you're requesting content.

  4. Capture the complete request and response with a tool of your choice.

For each request that Amazon S3 receives, you must have a CORS rule that matches the data in your request. Check that your request includes the following:

  • Verify that the request has the Origin header. If the header is missing, Amazon S3 doesn't treat the request as a cross-origin request, and doesn't send CORS response headers in the response.
  • Verify that the Origin header in your request matches at least one of the AllowedOrigins elements in the specified CORSRule. The scheme, host, and port values in the Origin request header must match the AllowedOrigins elements in the CORSRule. For example, suppose you set the CORSRule to allow the origin http://www.example.com. When you do this, https://www.example.com and http://www.example.com:80 origins in your request don't match the allowed origin in your configuration.
  • Verify that the method in your request or preflight request, which you specified in Access-Control-Request-Method, is one of the AllowedMethods elements in the same CORSRule.
  • If a preflight request includes an Access-Control-Request-Headers header, verify that the CORSRule includes the AllowedHeader entries for each value in the Access-Control-Request-Headers header.

Related information

Add or remove HTTP headers in CloudFront responses with a policy

How do I resolve the "No 'Access-Control-Allow-Origin' header is present on the requested resource" error from CloudFront?

How does Amazon S3 evaluate the CORS configuration on a bucket?

Troubleshooting CORS

Topics
Storage
Tags
Amazon Simple Storage Service
Language
English

Related videos

Watch Dan Booth’s video to learn more (6:01)
Watch Dan Booth’s video to learn more (6:01)
AWS OFFICIALUpdated 13 days ago
No comments

Relevant content