fog: 403 aws access denied

Hey, I’ve been trying to upload images to AWS with CarrierWave; currently I’m getting this error:

Excon::Errors::Forbidden: Expected(200) <=> Actual(403 Forbidden)
  response => #<Excon::Response:0xd91cd0c @data={:body=>"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>34A7FEEC4AA9B144</RequestId><HostId>+pwgviyQ1kSSmtYrsoxu5i4oyqqwO2HSAbAeCCLqKa4IxWgWpPiPDMT3n+jOkmO9</HostId></Error>", :headers=>{"x-amz-request-id"=>"34A7FEEC4AA9B144", "x-amz-id-2"=>"+pwgviyQ1kSSmtYrsoxu5i4oyqqwO2HSAbAeCCLqKa4IxWgWpPiPDMT3n+jOkmO9", "Content-Type"=>"application/xml", "Transfer-Encoding"=>"", "Date"=>"Thu, 20 Feb 2014 00:55:57 GMT", "Connection"=>"close", "Server"=>"AmazonS3"}, :status=>403, :remote_ip=>"207.171.163.152"}, @body="<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>34A7FEEC4AA9B144</RequestId><HostId>+pwgviyQ1kSSmtYrsoxu5i4oyqqwO2HSAbAeCCLqKa4IxWgWpPiPDMT3n+jOkmO9</HostId></Error>", @headers={"x-amz-request-id"=>"34A7FEEC4AA9B144", "x-amz-id-2"=>"+pwgviyQ1kSSmtYrsoxu5i4oyqqwO2HSAbAeCCLqKa4IxWgWpPiPDMT3n+jOkmO9", "Content-Type"=>"application/xml", "Transfer-Encoding"=>"", "Date"=>"Thu, 20 Feb 2014 00:55:57 GMT", "Connection"=>"close", "Server"=>"AmazonS3"}, @status=403, @remote_ip="207.171.163.152">
from /home/a/.rvm/gems/ruby-2.0.0-p353@i/gems/excon-0.31.0/lib/excon/middlewares/expects.rb:6:in `response_call'

I tried updating gems and I’m on the latest version. I also checked other posts about that error, but nothing seems to work. Am I missing something?

About this issue

  • State: closed
  • Created 10 years ago
  • Comments: 36 (14 by maintainers)

Most upvoted comments

I don’t think Amazon could have created a more overly engineered permission system if they tried.

Had a similar issue, which I solved by setting a bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "S3:*",
            "Resource": "arn:aws:s3:::bucketname/*",
            "Condition": {}
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::bucketname",
            "Condition": {}
        }
    ]
}

Hey everybody, I know this issue is closed, but I did run into something very similar to this and it turns out it was due to the default settings on the Amazon S3 Buckets. I think they must have changed this somewhere along the line.

Anyway, my basic fix was to NOT block public acl objects by going to the “Permissions” tab on your bucket.

I’ve detailed my full fix here: https://www.bitesite.ca/blog/fixing-rails-carrierwave-amazon-s3-403-forbidden-error

@szajbus thank you, your solution worked for me. I had to additionally specify a "Resource" on the bucket policy, which in my case was the IAM account ARN (more info in the docs for anyone else who it may help)

And thank you @raldred for the heads-up on the DeleteObject permission!

@szajbus Aren’t you enabling everyone in the world to do anything to that bucket with that policy?
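
Whether a policy document opens a bucket to everyone can be checked mechanically before it is applied. The Ruby check below is an added example, not code from this thread or from fog; `audit_s3_policy`, its finding symbols, and the account id and user name in the scoped policy are assumptions made for illustration.

```ruby
require "json"

# Added example; audit_s3_policy and the finding symbols are hypothetical names.
# Returns [statement_index, finding] pairs for every "Allow" statement.
def audit_s3_policy(json)
  statements = JSON.parse(json)["Statement"]
  statements = [statements] if statements.is_a?(Hash) # single-statement form
  statements.each_with_index.flat_map do |st, i|
    next [] unless st["Effect"] == "Allow"
    found = []
    # Action names are case-insensitive, so "S3:*" and "s3:*" are the same grant.
    actions = Array(st["Action"]).map { |a| a.to_s.downcase }
    found << :wildcard_action if actions.any? { |a| a.include?("*") }
    principal = st["Principal"]
    if principal.nil?
      # Fine in an IAM identity policy; S3 rejects a bucket policy without one.
      found << :no_principal
    elsif principal == "*" || (principal.is_a?(Hash) && Array(principal["AWS"]).include?("*"))
      found << :public_principal
      found << :unconditional_public if st["Condition"].nil? || st["Condition"].empty?
    end
    found.map { |f| [i, f] }
  end
end

# The policy from the comment above, as posted.
POSTED = <<~JSON
  {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "S3:*",
     "Resource": "arn:aws:s3:::bucketname/*", "Condition": {}},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": "arn:aws:s3:::bucketname", "Condition": {}}]}
JSON

# Constructed variants: the same grant opened to everyone, and a narrower one
# scoped to a placeholder IAM user (account id and user name are made up).
PUBLIC = POSTED.gsub('"Effect": "Allow",', '"Effect": "Allow", "Principal": "*",')
SCOPED = <<~JSON
  {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:user/uploader"},
     "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::bucketname/*"}]}
JSON

if __FILE__ == $PROGRAM_NAME
  { posted: POSTED, public: PUBLIC, scoped: SCOPED }.each do |name, doc|
    puts "#{name}: #{audit_s3_policy(doc).inspect}"
  end
end
```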

I had the same issue but for me both production and development didn’t work when I used the latest fog version together with rails 4.2.0

I had an old code base for another project with rails 4.1.1 and fog 1.3.1 where the same credentials did work. I just solved it for the moment by using the same 4.1.1 and fog 1.3.1 gem version for my new project…