I can't access a private S3 bucket using aws-sdk-s3 gem in a ruby on rails app


We had a working set up with a public S3 buckets. I changed the permission to block all public access and added policies using this guide: https://repost.aws/knowledge-center/ec2-instance-access-s3-bucket

Using AWS-cli im able to post a file to the bucket from the server and the app container. But when using aws-sdk-s3 with Paperclip or ActiveStorage I get an access denied.

Aws::S3::Errors::AccessDenied: Access Denied /gems/aws-sdk-core-3.168.4/lib/seahorse/client/plugins/raise_response_errors.rb:17

Is there a special configuration for a bucket with all public access bloc ?

1 Answer


I'd say to review this from 2 different points of view:

1- Networking If you effectively blocked public access (from the internet), calls from the EC2 instance to the bucket should be using this particular option described in the guide: Private EC2 instance with connectivity to Amazon S3 using a gateway VPC endpoint (https://docs.aws.amazon.com/vpc/latest/userguide/vpce-gateway.html). Make sure it is that way and all traffic is flowing internally, without reaching the internet.

2- Permissions Check you are using the same role for both CLI and SDK, or at least make sure both roles have enough permissions to perform the actions you need. For that, take a look at both IAM role/policies and S3 bucket policies. I think these 2 references can help: Making requests using IAM user temporary credentials https://docs.aws.amazon.com/AmazonS3/latest/userguide/AuthUsingTempSessionToken.html Making requests using AWS account or IAM user credentials https://docs.aws.amazon.com/AmazonS3/latest/userguide/AuthUsingAcctOrUserCredentials.html

I hope this helps...

answered 9 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions