Search code examples
rubyamazon-s3carrierwavefogamazon-iam

Why do my S3 uploads with Fog via Carrierwave fail since switching to public by default?

I tried to configure CarrierWave so that S3 uploads would be public.

So I changed my original config setup:

config.fog_credentials = {
  :provider               => 'AWS',
  :aws_access_key_id      => ENV['AWS_ACCESS_KEY_ID'],
  :aws_secret_access_key  => ENV['AWS_SECRET_ACCESS_KEY'],
  :region                 => 'eu-west-1'
}
config.fog_directory  = 'com-blabla-bloblo'
config.fog_public     = false
config.fog_attributes = {'Cache-Control'=>'max-age=315576000'}

Just to set:

config.fog_public     = true

Since this change, I can't upload images any more getting the following error:

2015-07-21T12:41:39.868983+00:00 app[web.1]: Excon::Errors::Forbidden (Expected(200) <=> Actual(403 Forbidden)
2015-07-21T12:41:39.868984+00:00 app[web.1]: excon.error.response
2015-07-21T12:41:39.868986+00:00 app[web.1]:   :body          => "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>XXX</RequestId><HostId>YYY</HostId></Error>"
2015-07-21T12:41:39.868987+00:00 app[web.1]:   :headers       => {
2015-07-21T12:41:39.868988+00:00 app[web.1]:     "Connection"       => "close"
2015-07-21T12:41:39.868989+00:00 app[web.1]:     "Content-Type"     => "application/xml"
2015-07-21T12:41:39.868991+00:00 app[web.1]:     "Date"             => "Tue, 21 Jul 2015 12:41:38 GMT"
2015-07-21T12:41:39.868992+00:00 app[web.1]:     "Server"           => "AmazonS3"
2015-07-21T12:41:39.868993+00:00 app[web.1]:     "x-amz-id-2"       => "ZZZ"
2015-07-21T12:41:39.868994+00:00 app[web.1]:     "x-amz-request-id" => "ZZZ"
2015-07-21T12:41:39.868995+00:00 app[web.1]:   }
2015-07-21T12:41:39.868997+00:00 app[web.1]:   :local_address => "aaa.bbb.ccc.ddd"
2015-07-21T12:41:39.868998+00:00 app[web.1]:   :local_port    => 41659
2015-07-21T12:41:39.868999+00:00 app[web.1]:   :reason_phrase => "Forbidden"
2015-07-21T12:41:39.869000+00:00 app[web.1]:   :remote_ip     => "aaa.bbb.ccc.ddd"
2015-07-21T12:41:39.869001+00:00 app[web.1]:   :status        => 403
2015-07-21T12:41:39.869002+00:00 app[web.1]: ):
2015-07-21T12:41:39.869004+00:00 app[web.1]:   app/controllers/image_uploads_controller.rb:25:in `create'

I suspect this has to do with the IAM profile of my AWS user which is: 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::com-foo-bar"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": ["arn:aws:s3:::com-foo-bar/*"]
    }
  ]
}

The app host is Heroku.

Any idea how to fix this?

Solution

  • It seems that this policy fixes things:

    {
    "Statement": [
        {
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::com-foo-bar",
                "arn:aws:s3:::com-foo-bar/*"
            ],
            "Condition": {}
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*",
            "Condition": {}
        }
    ]
}