Access denied – URL could not be…

[scope]

… accessed 403 permission denied.

Dear S3 Bubble Team,

I found some relvant information in the forum concerning the topic message.
Unfortunatly it did not help.

After encoding a media, having connected it with the cloudfront distribution the failure message appears.

This happens only to one bucket.

Thanks for your support

[s3bubble]

Hi Scope,

Permission issues are almost always down to bucket policies whether they are setup with CloudFront or not.

If your bucket is not setup with Cloudfront then your bucket policy will look like this.

{
  "Version": "2008-10-17",
  "Id": "S3BubbleSecurity",
  "Statement": [
    {
      "Sid": "S3BubbleAllow",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucketname/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "https://s3bubble.com/*",
            "https://media.s3bubble.com/*"
          ]
        }
      }
    }
  ]
}

If you are using Cloudfront on this bucket then you will get a permission denied error. A Cloudfront bucket policy looks like this.

{
  "Version": "2008-10-17",
  "Id": "S3BubbleCloudfrontSecurity",
  "Statement": [
    {
      "Sid": "S3BubbleAllow",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E2D99SZTA0Z6XO"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucketname/*"
    }
  ]
}

To update you bucket police go to your CloudFront distributions.
https://s3bubble.com/secure/#/cloudfront

Find the distribution that is attached to your bucket and then select update bucket policy and you should be good to go.

If you use Cloudfront the bucket must have this policy set so allow them to talk to each other,

Best Regards

Sam

[Author]

Posts