put object via presigned url access denied


Hi team,

I created a pre-signed URL for performing a PUT object operation using the Java SDK and my administrator AWS credentials. Subsequently, I aimed to verify its functionality by employing the curl command.

curl -X PUT -T "my_file_name" "the_presigned_url"

I get access denied and I am not sure why. The bucket is private (no deny or allow policy on it, but I used my admin credentials to generate the presigned URL).

Note: Unnecessary use of -X or --request, PUT is already inferred.
*   Trying 532.x5.190.148:443...
* Connected to cxp-document-upload.s3.ca-central-1.amazonaws.com (532.x5.190.148) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=*.s3.region.amazonaws.com
*  start date: Apr 11 00:00:00 2023 GMT
*  expire date: Jan 15 23:59:59 2024 GMT
*  subjectAltName: host "bucket.s3.region.amazonaws.com" matched cert's "*.s3.region.amazonaws.com"
*  issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M01
*  SSL certificate verify ok.
> PUT /pocputobjectsf.png\?X-Amz-Security-Token\=IQoJb3JpZ2luX2VjEMX%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDGNhLWNlbnRyYWwtMSJHMEUCIQCV6YwM47MJV6qq5ZyExkgRX8%2BiHwIeEVTdLyts%2BpmFxwIgSsodUCbLAtMSVmWqS3QvuWDyRHv3qCKKJcLG2NzYqtkqtQMxxxxxxxxxxxxxxxxxx HTTP/1.1
> Host: bucket.s3.region.amazonaws.com
> User-Agent: curl/7.85.0
> Accept: */*
> Content-Type:imge/png
> Content-Length: 310130
> Expect: 100-continue
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< x-amz-request-id: BBCHGVWVFC2MKG8G
< x-amz-id-2: hVnXvUaDXaI7UQr6mIvcdvPuGpaH+7mmty+jwTyHOm6xxx
< Content-Type: application/xml
< Transfer-Encoding: chunked
< Date: Mon, 28 Aug 2023 15:23:17 GMT
< Server: AmazonS3
< Connection: close
<?xml version="1.0" encoding="UTF-8"?>
* Closing connection 0
* TLSv1.2 (IN), TLS alert, close notify (256):
* TLSv1.2 (OUT), TLS alert, close notify (256):
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>BBCHGVWVFC2MKG8G</RequestId><HostId>hVnXvUaDXaI7UQr6mIvcdvPuGpaH+7mmty+jwTyHOm6UuBMMKL6k4cDToM0m4cAxxxxxxxD8=</HostId></Error>%

Furthermore, I used a curl command to download an object using a get object presigned URL. I was able to download the object but was not able to open it.

I get this message on my laptop:

The file “myfile.png” could not be opened.

It may be damaged or use a file format that Preview doesn’t recognize.

Encryption type = Server-side encryption with Amazon S3 managed keys (SSE-S3)

Is there something I did wrong?

Any idea why I get access denied although I used admin credentials to generate the presigned URLs?

Thank you!!

1 Answer

There are a couple issues here:

  1. The AccessDenied error when trying to upload indicates the pre-signed URL is not granting the proper permissions. Double check that the IAM principal used to generate the URL has s3:PutObject permission on the bucket/object. Also verify the signature is valid and hasn't expired.
  2. For downloading, the fact you can retrieve the object means the pre-signed URL is working correctly. However, the file being corrupted likely means the object is stored encrypted on S3.
AWS
answered 9 months ago
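
A diagnostic for the checks the answer recommends (signature parameters present, URL not expired), as an added example that is not part of the original thread. It also flags signed headers the client has to send and literal backslashes like the "\?" and "\=" visible in the request line of the curl trace above; the function name, sample URL and its values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

REQUIRED = ("X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Date",
            "X-Amz-Expires", "X-Amz-SignedHeaders", "X-Amz-Signature")

# Constructed sample (placeholder bucket, key and signature), carrying the
# same literal "\?" and "\=" escapes as the request line in the trace above.
SAMPLE_URL = (
    "https://example-bucket.s3.ca-central-1.amazonaws.com/photo.png"
    "\\?X-Amz-Algorithm\\=AWS4-HMAC-SHA256"
    "&X-Amz-Credential\\=AKIAEXAMPLE%2F20230828%2Fca-central-1%2Fs3%2Faws4_request"
    "&X-Amz-Date\\=20230828T150000Z&X-Amz-Expires\\=900"
    "&X-Amz-SignedHeaders\\=content-type%3Bhost&X-Amz-Signature\\=0000"
)


def diagnose_presigned_url(url, sent_headers, now=None):
    """Return findings that can explain a 403 on a SigV4 presigned URL."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if "\\" in url:
        # Shell escapes pasted inside quotes are sent literally, so S3 no
        # longer sees the expected key or query parameter names.
        findings.append("backslash in URL")
        url = url.replace("\\", "")  # keep checking the intended URL
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    missing = [p for p in REQUIRED if p not in params]
    if missing:
        findings.append("missing parameters: " + ", ".join(missing))
        return findings
    signed_at = datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
    expires_at = (signed_at.replace(tzinfo=timezone.utc)
                  + timedelta(seconds=int(params["X-Amz-Expires"])))
    if now >= expires_at:
        findings.append("expired at " + expires_at.isoformat())
    # Every signed header except Host must be sent by the client with the
    # value used at signing time; here we can only check that it is present.
    sent = {name.lower() for name in sent_headers}
    for name in params["X-Amz-SignedHeaders"].split(";"):
        if name != "host" and name not in sent:
            findings.append("signed header not sent: " + name)
    return findings


if __name__ == "__main__":
    when = datetime(2023, 8, 28, 15, 23, 17, tzinfo=timezone.utc)
    for finding in diagnose_presigned_url(SAMPLE_URL, {"Accept": "*/*"}, when):
        print(finding)
```

Pass the URL exactly as it was handed to curl and the headers curl reported sending; an empty list means none of these three causes applies and the next place to look is the signing principal's permissions.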
