403 Forbidden Error for Images hosted in S3

0

Please help me resolve this 403 Forbidden error on my images stored in S3. I already checked this resource in the knowledge base: https://repost.aws/knowledge-center/s3-403-forbidden-error but nothing has changed. The IAM role has full S3 access, "Block Public Access" is turned off, and I have the following stated in the bucket policy:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "eb-af163bf3-d27b-4712-b795-d1e33e331ca4",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::4177xxxxxxxx:role/PinoyAgriSite-Role"
            },
            "Action": [
                "s3:ListBucket",
                "s3:ListBucketVersions",
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::elasticbeanstalk-ap-southeast-1-4177xxxxxxxx",
                "arn:aws:s3:::elasticbeanstalk-ap-southeast-1-4177xxxxxxxx/resources/environments/*",
                "arn:aws:s3:::elasticbeanstalk-ap-southeast-1-4177xxxxxxxx/S3-Uploads-Media/*"
            ]
        },
        {
            "Sid": "eb-58950a8c-feb6-11e2-89e0-0800277d041b",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:DeleteBucket",
            "Resource": "arn:aws:s3:::elasticbeanstalk-ap-southeast-1-4177xxxxxxxx"
        }
    ]
}

I have the following in the CORS:

[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET"
        ],
        "AllowedOrigins": [
            "https://pinoyagri.com"
        ],
        "ExposeHeaders": [],
        "MaxAgeSeconds": 3000
    }
]

I also have the necessary permissions in the ACL, I didn't set up AWS KMS, I don't use AWS Organizations, and I also don't have settings in the policy that deny uploading to my bucket. Any idea what I am missing? Thanks!

Vin
Asked 7 months ago · 469 views
1 Answer
1
Accepted Answer

Hello.

Could you please share the full text of your S3 bucket policy?
Also, have you checked what kind of error occurs when accessing S3 from the website?

Expert
Answered 7 months ago
  • Public block access is also an account-level setting, so please make sure it is turned off by following the steps in the document below. https://docs.aws.amazon.com/AmazonS3/latest/userguide/configuring-block-public-access-account.html

  • Thank you for guiding me Riku! I checked again and I can see that "Block Public Access" is completely turned off overall. As for the error, I checked the www-error.log and this is what I found:

    [06-Oct-2023 01:07:12 UTC] PHP Notice: getimagesize(): Error reading from s3://elasticbeanstalk-ap-southeast-1-417xxxxxxxxx/S3-Uploads-Media/uploads/2023/10/composer-258.png! in /var/app/current/wp-includes/media.php on line 5307
    [06-Oct-2023 01:07:13 UTC] PHP Notice: exif_imagetype(): Error reading from s3://elasticbeanstalk-ap-southeast-1-417xxxxxxxxx/S3-Uploads-Media/uploads/2023/10/composer-258.png! in /var/app/current/wp-includes/functions.php on line 3268
    [06-Oct-2023 01:07:13 UTC] PHP Notice: getimagesize(): Error reading from s3://elasticbeanstalk-ap-southeast-1-417xxxxxxxxx/S3-Uploads-Media/uploads/2023/10/composer-258.png! in /var/app/current/wp-includes/media.php on line 5305
    [06-Oct-2023 01:07:13 UTC] PHP Notice: exif_imagetype(): Error reading from s3://elasticbeanstalk-ap-southeast-1-417xxxxxxxxx/S3-Uploads-Media/uploads/2023/10/composer-258.png! in /var/app/current/wp-includes/functions.php on line 3268
    [06-Oct-2023 01:07:13 UTC] PHP Notice: getimagesize(): Error reading from /tmp/composer-258-UYJzqn.tmp! in /var/app/current/wp-includes/media.php on line 5307
    [06-Oct-2023 01:07:13 UTC] PHP Notice: exif_imagetype(): Error reading from /tmp/composer-258-UYJzqn.tmp! in /var/app/current/wp-includes/functions.php on line 3268

  • When I checked in the browser developer console, I see the status code is "403 Forbidden". When I try to load the URL: https://elasticbeanstalk-ap-southeast-1-4177xxxxxxxx.s3.amazonaws.com/S3-Uploads-Media/uploads/2023/10/guest-details.png in the browser, this is the result: "<Error> <Code>AccessDenied</Code> <Message>Access Denied</Message> <RequestId>xx2WD9xxxxxxxxxx</RequestId> <HostId>xxxxxxxxxxxx6zZHZpxbNzmayWD992000fVfk0eavQVUvwDXgSW/Q/2qBT6xrc14xxxxxxxxxxx=</HostId> </Error>"

  • Thank you for checking the log. What happens once I try to delete the bucket policy? If you can now display images after deleting the bucket policy, there is a problem with the bucket policy.

  • To access this object URL, you need to set the bucket policy to allow getobject from all sources.

    https://elasticbeanstalk-ap-southeast-1-4177xxxxxxxx.s3.amazonaws.com/S3-Uploads-Media/uploads/2023/10/guest-details.png
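
Added example, not part of the original thread: a simplified model of bucket-policy evaluation showing why an unsigned browser request for the object URL is refused under the posted policy, and what a public-read statement scoped to the `S3-Uploads-Media/` prefix would change. `PUBLIC_MEDIA_READ`, the `"anonymous"` marker and the `OTHER` key are constructed for illustration; IAM identity policies, ACLs, Block Public Access and policy conditions are deliberately not modeled.

```python
import fnmatch

BUCKET = "arn:aws:s3:::elasticbeanstalk-ap-southeast-1-4177xxxxxxxx"
ROLE = "arn:aws:iam::4177xxxxxxxx:role/PinoyAgriSite-Role"
ANONYMOUS = "anonymous"  # marker for an unsigned request, e.g. an <img> fetch from a browser

# The two statements from the question, reduced to the fields evaluated here.
POSTED = [
    {"Effect": "Allow", "Principal": ROLE,
     "Action": ["s3:ListBucket", "s3:ListBucketVersions",
                "s3:GetObject", "s3:GetObjectVersion"],
     "Resource": [BUCKET, BUCKET + "/resources/environments/*",
                  BUCKET + "/S3-Uploads-Media/*"]},
    {"Effect": "Deny", "Principal": "*",
     "Action": ["s3:DeleteBucket"], "Resource": [BUCKET]},
]

# Constructed statement (assumption, not from the page): public read
# restricted to the media prefix instead of the whole bucket.
PUBLIC_MEDIA_READ = {"Effect": "Allow", "Principal": "*",
                     "Action": ["s3:GetObject"],
                     "Resource": [BUCKET + "/S3-Uploads-Media/*"]}

def matches(stmt, principal, action, resource):
    """True when principal, action and resource all fall under the statement."""
    who = stmt["Principal"]
    return ((who == "*" or who == principal)
            and action in stmt["Action"]
            and any(fnmatch.fnmatchcase(resource, p) for p in stmt["Resource"]))

def evaluate(statements, principal, action, resource):
    """Explicit Deny wins, then Allow; no match is an implicit deny (HTTP 403)."""
    hits = [s["Effect"] for s in statements
            if matches(s, principal, action, resource)]
    if "Deny" in hits:
        return "ExplicitDeny"
    return "Allow" if "Allow" in hits else "ImplicitDeny"

IMAGE = BUCKET + "/S3-Uploads-Media/uploads/2023/10/guest-details.png"
OTHER = BUCKET + "/resources/environments/example.txt"  # constructed key

if __name__ == "__main__":
    for label, policy in (("posted", POSTED),
                          ("posted + public media read", POSTED + [PUBLIC_MEDIA_READ])):
        for who in (ROLE, ANONYMOUS):
            for res in (IMAGE, OTHER):
                print(label, "|", who, "|", res.split(":::")[1], "->",
                      evaluate(policy, who, "s3:GetObject", res))
```

Scoping the public statement to the media prefix keeps the other keys in the bucket, such as those under `resources/environments/`, unreadable to unsigned requests.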
    
