Rails App Upload to Amazon S3 - Access denied

0

Hi, my Rails app can't upload to S3 - I'm out of clues to resolve this.

My app: Aws::S3::Errors::AccessControlListNotSupported in Devise::RegistrationsController#update

Get request:
scheme: https
host: appbucketsad.s3.eu-north-1.amazonaws.com
filename: /k1zj2x5qmmt5jqtunh78qrmznccm
Not found
Status: 404 Not Found
Version: HTTP/1.1
Transferred: 286 B (0 B size)
Referrer Policy: strict-origin-when-cross-origin
Request Priority: High
DNS Resolution: System

Post:
Status: 500 Internal Server Error
Version: HTTP/1.1
Transferred: 247.79 kB (247.10 kB size)
Referrer Policy: strict-origin-when-cross-origin
Request Priority: Highest
DNS Resolution: System

Please help me to solve these issues. Regards, Poul Erik Rasmussen

asked 24 days ago, 89 views
4 Answers
0

Hello.

Can you share the code you're using?
Judging from the error message, I suspect that you are trying to specify object ACL when uploading an object to an S3 bucket where bucket ACLs are disabled.
If you do not need to control access individually, you generally do not need to use ACLs.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html

A majority of modern use cases in Amazon S3 no longer require the use of ACLs. We recommend that you keep ACLs disabled, except in unusual circumstances where you need to control access for each object individually. With ACLs disabled, you can use policies to control access to all objects in your bucket, regardless of who uploaded the objects to your bucket. For more information, see Controlling ownership of objects and disabling ACLs for your bucket.

EXPERT
answered 23 days ago
  • The S3 bucket and IAM policy settings look fine. Can you share the Rails code with me?

0

Based on the error message and symptoms you've described, it appears that your Rails application is encountering permission issues when trying to upload to Amazon S3. Here are some steps you can take to troubleshoot and potentially resolve the issue:

  1. Check your IAM permissions: Ensure that the IAM user or role associated with your Rails application has the necessary permissions to perform S3 operations, particularly s3:PutObject. You may need to review and update the IAM policy attached to your user or role.

  2. Verify your S3 bucket settings: Make sure that the S3 bucket you're trying to upload to exists and that its settings allow uploads. Check if there are any bucket policies or Access Control Lists (ACLs) that might be restricting access.

  3. Review your application's S3 configuration: Double-check that your Rails application is using the correct AWS credentials, region, and bucket name. Ensure that these details match the S3 bucket you're trying to access.

  4. Check for Block Public Access settings: The error message mentions "AccessControlListNotSupported", which could indicate that the bucket has Block Public Access settings enabled. You may need to adjust these settings or modify your upload approach to work within these constraints.

  5. Examine your CORS configuration: If you're uploading from a different domain, ensure that your bucket's CORS (Cross-Origin Resource Sharing) configuration is set up correctly to allow requests from your application's domain.

  6. Look into the specific S3 client configuration in your Rails app: Make sure you're using the correct SDK version and that it's properly configured to handle the authentication and requests to S3.

  7. Check for any Service Control Policies: If you're working within an AWS Organization, there might be SCPs (Service Control Policies) in place that are restricting S3 access.

  8. Review CloudTrail logs: If possible, check the CloudTrail logs for your AWS account to see more detailed information about the access denied errors, which could provide additional clues about the specific permissions or settings causing the issue.

If you've gone through these steps and are still encountering issues, you may need to reach out to AWS Support for more detailed assistance, as they can provide account-specific guidance.
Sources
AccessDenied: public access control lists (ACLs) are blocked by the BlockPublicAcls block public access setting. | AWS re:Post
Unable to perform upload to S3 bucket | AWS re:Post
Access denied 403 Error while uploading to S3 bucket in production (Working locally) | AWS re:Post
Troubleshoot 403 Access Denied error in Amazon S3 | AWS re:Post

answered 24 days ago
EXPERT
reviewed 23 days ago
0

Hi Riku, Here you have my browser errors from localhost. Errors

Here you have my Amazon S3 config: appuser config. Here you have appbucketsad config. I really hope you can figure out what's wrong.

Best regards, Poul Erik Rasmussen

answered 23 days ago
0

Hello Poul,

Based on the error message and the screenshots you have provided, there's a clear indication that ACLs are disabled in your bucket, and your Rails application might be trying to set an ACL while uploading an object to that bucket. So, check that out and enable the ACLs on the bucket. The next issue I found is with the IAM permissions and bucket policy. There should be a permission to add an ACL for objects in your bucket. So, you need to include the s3:PutObjectAcl action both in the IAM user inline policy that your Rails application is using and in the bucket policy as well. This should fix your issue: Aws::S3::Errors::AccessControlListNotSupported in Devise::RegistrationsController

However, the recommended approach is that you keep the ACLs disabled in the bucket and update your Rails application code not to set any ACL while uploading any object. Instead, what you can do is use the bucket policies to control the permissions for objects by using prefixes and setting what actions are allowed on those objects in the bucket policy itself. While uploading the objects from the Rails application, you can set a prefix on the objects and the bucket policy will handle the permissions.

And the 404 error you are getting is because you are hitting the URL of an S3 object that doesn't exist. The 500 error on the POST request is because uploading the object isn't successful on the server side due to the ACLs issue.

Hope this fixes your problem.

answered 22 days ago
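
To find where a Rails app sets an object ACL, as the first and last answers suggest checking, here is an added example (not code from the poster or from any answer) that scans a `config/storage.yml` for the settings that attach an ACL to uploads. It assumes the app uploads through Active Storage's S3 service, which the thread does not confirm; the YAML and the service names in it are constructed.

```ruby
require "yaml"

# Constructed sample of config/storage.yml (not the poster's real file).
SAMPLE_STORAGE_YML = <<~YAML
  local:
    service: Disk
    root: storage
  amazon:
    service: S3
    region: eu-north-1
    bucket: appbucketsad
    public: true
  amazon_uploads:
    service: S3
    region: eu-north-1
    bucket: appbucketsad
    upload:
      acl: public-read
  amazon_owner:
    service: S3
    region: eu-north-1
    bucket: appbucketsad
    upload:
      acl: bucket-owner-full-control
  amazon_clean:
    service: S3
    region: eu-north-1
    bucket: appbucketsad
YAML

# Returns { service_name => [reasons] } for each S3 service whose settings
# attach an ACL that a bucket with ACLs disabled will refuse.
def acl_findings(yaml_text)
  config = YAML.safe_load(yaml_text, aliases: true) || {}
  config.each_with_object({}) do |(name, settings), findings|
    next unless settings.is_a?(Hash) && settings["service"].to_s == "S3"
    reasons = []
    # public: true makes the S3 service upload with acl "public-read".
    reasons << "public: true" if settings["public"] == true
    acl = settings["upload"].is_a?(Hash) ? settings["upload"]["acl"] : nil
    # bucket-owner-full-control is the one ACL still accepted when ACLs are disabled.
    reasons << "upload.acl: #{acl}" if acl && acl != "bucket-owner-full-control"
    findings[name] = reasons unless reasons.empty?
  end
end

acl_findings(SAMPLE_STORAGE_YML).each { |name, r| puts "#{name}: #{r.join(', ')}" }
```

A real `storage.yml` usually contains ERB tags for credentials, so render it first or run the check from inside the Rails environment. Removing the flagged keys keeps the bucket's ACLs disabled, with access controlled by the bucket policy instead.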
