Inconsistent upload/PUT access to Amazon AWS S3 with custom permissions


I have an application that uploads videos to an S3 bucket, and then creates a custom policy to allow another user (for the Zencoder service) to grab the files, and upload the transcoded files back into the bucket.

Below is the current custom policy I give to the user during transcoding. Basically I give full read permission to the entire bucket, but I only allow the user to PUT files into a specific nested folder.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUserToListContentsOfBucket",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::MY-BUCKET"
      ]
    },
    {
      "Sid": "AllowUserToListContentsOfBucketFolders",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucketMultipartUploads",
        "s3:GetObjectAcl",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::MY-BUCKET/*"
      ]
    },
    {
      "Sid": "AllowUserS3ActionsOfSpecificFolder",
      "Effect": "Allow",
      "Action": [
        "s3:PutObjectAcl",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::MY-BUCKET/some/nested/folder/*"
      ]
    }
  ]
}

This works for the most part, but in the ~1,000 files transferred over by Zencoder, there's usually one or two that fail with a 403 Forbidden error. I'm not sure why, since files were correctly transferred both before and after the error.

Is there any reason Amazon AWS S3 / IAM would send a 403 Access Denied when such a permission is provided?
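One offline check, added here as an example and not part of the original question: replay the output keys of the failed uploads against the policy above to see whether any of them falls outside the prefix that allows `s3:PutObject`. The evaluator is a simplified model (assumptions: identity policy only, no `Condition` blocks, bucket policy or object ACLs), the helper names are hypothetical, and the sample keys are constructed.

```python
import re

# Policy from the question, condensed (Sids dropped; same actions and resources).
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": ["arn:aws:s3:::MY-BUCKET"],
     "Action": ["s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:GetBucketLocation"]},
    {"Effect": "Allow", "Resource": ["arn:aws:s3:::MY-BUCKET/*"],
     "Action": ["s3:ListBucketMultipartUploads", "s3:GetObjectAcl", "s3:GetObject"]},
    {"Effect": "Allow", "Resource": ["arn:aws:s3:::MY-BUCKET/some/nested/folder/*"],
     "Action": ["s3:PutObjectAcl", "s3:PutObject"]},
]}

def _match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, (re.I | re.S) if ignore_case else re.S) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def is_allowed(policy, action, resource_arn):
    """Simplified identity-policy evaluation: an explicit Deny wins, otherwise
    any matching Allow, otherwise implicit deny. Condition, NotAction,
    NotResource, bucket policies and object ACLs are not modelled."""
    allowed = False
    for st in _as_list(policy["Statement"]):
        hit = (any(_match(a, action, True) for a in _as_list(st["Action"]))  # actions: case-insensitive
               and any(_match(r, resource_arn) for r in _as_list(st["Resource"])))  # ARNs: case-sensitive
        if hit and st["Effect"] == "Deny":
            return False
        allowed = allowed or hit
    return allowed

def denied_puts(policy, bucket, keys):
    """Return the keys the policy would not let the user PutObject to."""
    return [k for k in keys
            if not is_allowed(policy, "s3:PutObject", f"arn:aws:s3:::{bucket}/{k}")]

# Constructed sample keys, standing in for the output paths sent to the transcoder.
SAMPLE_KEYS = [
    "some/nested/folder/video-0001.mp4",
    "some/nested/folder/thumbs/0001.png",
    "some/nested/folder",                  # the prefix itself, no trailing slash
    "some/nested/folder-tmp/video.mp4",    # sibling prefix
    "Some/nested/folder/video-0002.mp4",   # different case; S3 keys are case-sensitive
]

if __name__ == "__main__":
    print(denied_puts(POLICY, "MY-BUCKET", SAMPLE_KEYS))
```

An empty result for the real failed keys rules out a key-path mismatch with this policy; it says nothing about bucket policies, ACLs or anything else the model leaves out.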
