Franky_frankly - 3 months ago
ASP.NET (C#) Question

Amazon S3: GetObject Request throwing an exception "Access denied" 403

I've just started to work with Amazon S3 in my ASP.NET project. I can upload images, delete them, and show them in the browser. But when I was trying to get an image object from code-behind by a simple GetObjectRequest to load it into a simple stream, I got an exception "Access denied: The remote server returned an error: (403) Forbidden.". And it's very strange 'cause I can delete an object but have no access to get it?

Here is my Get Request code:

using Amazon.S3;
using Amazon.S3.Model;

// bucketName and keyName are defined elsewhere in the code-behind
using (var client = new AmazonS3Client(Amazon.RegionEndpoint.EUWest1))
{
    GetObjectRequest request = new GetObjectRequest
    {
        BucketName = bucketName,
        Key = keyName
    };
    // This call is the one that throws "Access denied" (403) under the bucket policy below
    GetObjectResponse response = client.GetObject(request);
    return response.ResponseStream;
}


Which doesn't work.
And this DELETE request works correctly

// client is the same AmazonS3Client as in the GET snippet above
DeleteObjectRequest deleteObjectRequest = new DeleteObjectRequest
{
    BucketName = bucketName,
    Key = keyName
};
client.DeleteObject(deleteObjectRequest);


I think that it could be a problem with my bucket policy, but I don't understand what exactly



{
  "Version": "2008-10-17",
  "Id": "Policy1437483839592",
  "Statement": [
    {
      "Sid": "Stmt1437483828676",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::ama.dyndns.tv/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "MyIP",
            "MyTeammateIP"
          ]
        }
      }
    },
    {
      "Sid": "Givenotaccessifrefererisnomysites",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::ama.dyndns.tv/*",
      "Condition": {
        "StringNotLike": {
          "aws:Referer": [
            "MyIP",
            "MyTeammateIP"
          ]
        }
      }
    }
  ]
}



Answer

Your first bucket policy statement allows a GET request when the Referer: HTTP request header's value is present and matches one of the supplied values. (Note that this is a very primitive access control mechanism, as the header is easily forged).

The second policy denies requests where the referer doesn't match any value from the supplied list.

The referer is nothing more than a request header sent by the browser or http user agent library. When you are sending your GET request from code, there's not going to be a referer header present, unless you forge one yourself, as part of the request. Any matching Deny policy overrides not only any matching Allow policy... it also overrides any authentication credentials you supply. Hence, the problem.

If you don't set the acl on the object to something that allows public access (such as x-amz-acl: public-read) then the Deny policy is unnecessary. The object will not be downloadable in that case, because the deny is implicit unless the Allow policy is matched or you provide valid authentication credentials. Everything is denied by default in S3 unless you allow it via the object permissions/acl, bucket policy, or IAM user policy, and even if you do, a matching explicit Deny always prevails.
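An added illustration, not the answerer's or AWS's code: a toy evaluator that models the precedence rules described above (default deny, an explicit Deny overriding both Allow and the caller's own credentials, and negated string operators matching when the Referer key is absent), run over the question's bucket policy. The object key and Referer values are constructed, and Principal is ignored, since the point is the Condition handling.

```python
from fnmatch import fnmatchcase

# The question's bucket policy (placeholders kept); Principal omitted in this toy model.
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::ama.dyndns.tv/*",
     "Condition": {"StringLike": {"aws:Referer": ["MyIP", "MyTeammateIP"]}}},
    {"Effect": "Deny", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::ama.dyndns.tv/*",
     "Condition": {"StringNotLike": {"aws:Referer": ["MyIP", "MyTeammateIP"]}}},
]}
# What the answer recommends: keep the Referer-gated Allow, drop the Deny.
FIXED_POLICY = {"Statement": BUCKET_POLICY["Statement"][:1]}


def condition_matches(condition, context):
    """True if every operator/key in the Condition block matches the request context."""
    for operator, keys in condition.items():
        negated = operator.startswith("StringNot")
        for key, patterns in keys.items():
            value = context.get(key)
            if value is None:
                # Missing key: a positive operator fails, a negated one succeeds,
                # which is why an SDK call that sends no Referer hits the Deny.
                if not negated:
                    return False
                continue
            hit = any(fnmatchcase(value, p) for p in patterns)
            if hit == negated:
                return False
    return True


def evaluate(policy, action, resource, context, identity_allows=False):
    """'Allow' or 'Deny': default deny, Allow if a statement or the caller's own
    IAM permissions allow, and a matching explicit Deny always prevails."""
    allowed = identity_allows
    for stmt in policy["Statement"]:
        if (stmt["Action"] != action or not fnmatchcase(resource, stmt["Resource"])
                or not condition_matches(stmt.get("Condition", {}), context)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


# Constructed requests: a browser sending a matching Referer, and the SDK call
# from the question, which sends no Referer but carries valid credentials.
OBJ = "arn:aws:s3:::ama.dyndns.tv/images/photo.jpg"
BROWSER = {"aws:Referer": "MyIP"}
SDK = {}
```

Running the SDK request against BUCKET_POLICY returns "Deny" even with identity_allows=True, while the same request for s3:DeleteObject is allowed, which matches the behaviour the question reports.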
