CORS problem

[rodrigoreis22]

Hi,

I configured both permissions and CORS as oriented on the documentation.. but I still get the error:

"XMLHttpRequest cannot load https://[bucket name suppressed here].s3.amazonaws.com/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9000' is therefore not allowed access."

Any ideas?

[rodrigoreis22]

I solved this by adding the following policy:

{
"Version": "2008-10-17",
"Id": "Policy1410316754092",
"Statement": [
{
"Sid": "Stmt1410316750357",
"Effect": "Allow",
"Principal": {
"AWS": ""
},
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::[bucket name here]/"
}
]
}

Granting access to Everyone on the permissions checkboxes didn't work.

[nukulb]

@rodrigoreis22 you are getting this error despite adding the cors file?
Can you explain once how you added it?

    <?xml version="1.0" encoding="UTF-8"?>
      <CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
          <CORSRule>
              <AllowedOrigin>*</AllowedOrigin>
              <AllowedMethod>GET</AllowedMethod>
              <AllowedMethod>POST</AllowedMethod>
              <AllowedMethod>PUT</AllowedMethod>
              <AllowedHeader>*</AllowedHeader>
          </CORSRule>
      </CORSConfiguration>

[rodrigoreis22]

I added the CORS configuration on the Edit CORS policy button.. and I created a new row in permissions grating to "Everyone" permission to the bucket. But it didn't work.
It only worked when I added the security policy above on the bucket.

[nukulb]

I can't seem to reproduce this, can I get a screenshot of the edit Cors Configuration, are you sure it was saved properly?

Can you remove the policy you added and then simply add crossdomain.xml file in the root of the bucket?

Put the following content in your crossdomain.xml in the root of your S3 bucket.

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="*" secure="false" />
</cross-domain-policy>

[rodrigoreis22]

I did something different instead, more secure I think:
I created an IAM user called fileuploader and this user will only have permissions to the bucked I defined. And on the bucket I created a policy granting Put access only to the fileuploader user. And I changed my CORS to be more restrict.

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>http://myhost.com</AllowedOrigin>
        <AllowedMethod>PUT</AllowedMethod>
        <AllowedMethod>GET</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <ExposeHeader>x-amz-server-side-encryption</ExposeHeader>
        <ExposeHeader>x-amz-request-id</ExposeHeader>
        <ExposeHeader>x-amz-id-2</ExposeHeader>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
</CORSConfiguration>

Security policy:

{
    "Version": "2008-10-17",
    "Id": "Policy14105765660",
    "Statement": [
        {
            "Sid": "Stmt14105765609",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::[iam user id]:user/fileuploader"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::[your bucket name]/*"
        }
    ]
}