1

When I use the custom policy below, I get the following error when uploading large files (1G and over) using Cyberduck:

file access denied. please contact your web hosting service provider for assistance

However, uploading small files (around 200M) is not an issue. I also have no issue creating new folders and files with Cyberduck and the same login credentials, so I definitely have read/write access.

Also, if I add a predefined policy (AmazonS3FullAccess), then uploading large files also works OK. I'm a bit lost here. How does my policy restrict large file uploads? What am I missing?

My policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::photoshoot2016"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::photoshoot2016/*"
        }
    ]
}

AmazonS3FullAccess policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}

1 Answer

3

I kept digging around and found that Amazon recommends using multipart uploads for all files over 100M (http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html), which I guess is what Cyberduck does.

All I had to do in the end was add the missing permissions (ListMultipartUploadParts and ListBucketMultipartUploads) to enable multipart uploads. Now my policy looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListMultipartUploadParts"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:ListMultipartUploadParts",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": "arn:aws:s3:::photoshoot2016"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::photoshoot2016/*"
        }
    ]
}

I found the main clue by enabling bucket logging, which had a lot of "AccessDenied 243" errors for REST.GET.UPLOADS. Amazon's Policy Simulator came in very useful as well to figure out what was missing and where it should be placed.
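An added example, not part of the original answer: the bucket-log check described above, written as a script that scans S3 server access log records for 403 AccessDenied responses on multipart operations and reports the IAM action each one needs. The log lines, requester ARN, IP address, request IDs and object names are constructed samples, and the field positions assume the standard space-delimited S3 server access log layout.

```python
import re
from collections import Counter

# Operation names as written in S3 server access logs, mapped to the IAM
# action each call needs and the resource type that action applies to.
MULTIPART_ACTIONS = {
    "REST.POST.UPLOADS": ("s3:PutObject", "object"),                  # initiate upload
    "REST.PUT.PART": ("s3:PutObject", "object"),                      # upload a part
    "REST.POST.UPLOAD": ("s3:PutObject", "object"),                   # complete upload
    "REST.GET.UPLOAD": ("s3:ListMultipartUploadParts", "object"),     # list parts
    "REST.GET.UPLOADS": ("s3:ListBucketMultipartUploads", "bucket"),  # list uploads
    "REST.DELETE.UPLOAD": ("s3:AbortMultipartUpload", "object"),      # abort upload
}

# A field is a [bracketed timestamp], a "quoted string", or a bare token.
FIELD = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Constructed sample records (not taken from the original post).
SAMPLE_LOG = """\
OWNERID photoshoot2016 [06/Feb/2016:00:00:38 +0000] 192.0.2.3 arn:aws:iam::111122223333:user/uploader REQ0000000000001 REST.GET.UPLOADS - "GET /photoshoot2016?uploads&prefix=big.mov HTTP/1.1" 403 AccessDenied 243 - 12 - "-" "Cyberduck" -
OWNERID photoshoot2016 [06/Feb/2016:00:00:39 +0000] 192.0.2.3 arn:aws:iam::111122223333:user/uploader REQ0000000000002 REST.PUT.OBJECT small.jpg "PUT /photoshoot2016/small.jpg HTTP/1.1" 200 - - 204800 35 20 "-" "Cyberduck" -
OWNERID photoshoot2016 [06/Feb/2016:00:01:02 +0000] 192.0.2.3 arn:aws:iam::111122223333:user/uploader REQ0000000000003 REST.GET.UPLOADS - "GET /photoshoot2016?uploads&prefix=big.mov HTTP/1.1" 403 AccessDenied 243 - 9 - "-" "Cyberduck" -
"""

def denied_multipart_calls(log_text):
    """Count denied multipart requests per (requester, operation, action, resource type)."""
    hits = Counter()
    for line in log_text.splitlines():
        f = FIELD.findall(line)
        if len(f) < 11:
            continue  # not a complete access-log record
        # Field order: owner, bucket, time, IP, requester, request ID,
        # operation, key, request-URI, HTTP status, error code, bytes sent, ...
        requester, operation, status, error = f[4], f[6], f[9], f[10]
        if status == "403" and error == "AccessDenied" and operation in MULTIPART_ACTIONS:
            action, resource_type = MULTIPART_ACTIONS[operation]
            hits[(requester, operation, action, resource_type)] += 1
    return hits

if __name__ == "__main__":
    for (who, op, action, rtype), n in denied_multipart_calls(SAMPLE_LOG).items():
        print(f"{n}x {op} denied for {who}: needs {action} on the {rtype} ARN")
```

In a record such as "AccessDenied 243", the number after the error code is the bytes-sent field, that is, the size of the error response body.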
