[AWS] “Aws :: S3 :: Errors :: AccessDenied in 〇〇sController # create” error (not saved in AWS S3)

error contents

I implemented it so that image data can be saved using AWS S3,

1. Error in local environment
2. Error in production environment
3. No data (not stored) in the bucket on AWS S3 Event occurred.

Local environment ↓

Production environment ↓

Terminal log when an error occurs ↓

Setting status when an error occurs

--macOS Catalina version 10.15.7

• Rails Rails 6.0.3.4 --Deploy using Heroku --I just created three new AWS accounts, IAM users, and S3 buckets.

Solved method (conclusion)

When I performed "Delete AWS account-> Recreate", the error was resolved. (Can be saved)

Supplementary solution

--Google had a system failure when creating an AWS account. ――I asked the mentor to see it, and even though there were no typos or omissions in the description, I couldn't save it. --The situation where you cannot save for more than a day after creating a new account has continued. (It will not be reflected even after a while) --When you delete your AWS account and re-register, you will not be able to use it, probably because you can resume your previously registered email address within 90 days. (You have to select something other than the previous email address) -I tried the here method, but it didn't work this time.

Confirmation work before recreating an AWS account

(1) Is the bucket policy on AWS appropriate?

Results: Both ① and ② were appropriate.

{
   "Version": "2012-10-17",
   "Id": "Policy1544152951996",
   "Statement": [
       {
           "Sid": "Stmt1544152948221",
           "Effect": "Allow",
           "Principal": {
               "AWS": "① Describe the ARN of this IAM user here"
           },
           "Action": "s3:*",
           "Resource": "arn:aws:s3:::② Describe the bucket name this time here"
       }
   ]
}

(2) Is the bucket setting for block public access appropriate?

Result: Appropriate.

(3) Is the save destination appropriate on the VS code?

Result: Appropriate.

It's OK because it is : amazon. (Development environment)

config/environments/development.rb

  # Store uploaded files on the amazon file system (see config/storage.yml for options).
  config.active_storage.service = :amazon

It's OK because it is : amazon. (Production environment)

config/environments/production.rb

  # Store uploaded files on the amazon file system (see config/storage.yml for options).
  config.active_storage.service = :amazon

It's OK because the part corresponding to "this bucket name" was correct.

config/storage.yml

amazon:
  service: S3
  region: ap-northeast-1
  bucket:This bucket name
  access_key_id: <%= ENV['AWS_ACCESS_KEY_ID'] %>
  secret_access_key: <%= ENV['AWS_SECRET_ACCESS_KEY'] %>

(4) Are the environment variables appropriate?

Result: Appropriate.

How to check environment variables (when MacOS is Catalina or later)

terminal

vim ~/.zshrc

--Close with : wq. --If you make a mistake, press i to edit, press esc, and then close with : wq.

Console confirmation

--Launch with rails c. --Enter the variable name described in storage.yml.

That's all for the confirmed contents.

Recreate AWS account (root user)

As mentioned above, I confirmed it, but it seems that there is no error. The hypothesis I can think of was "I was just registering for an account when Google wasn't working well," so I decided to recreate my account.

1. Check if billing is zero
2. Delete Bucket (https://docs.aws.amazon.com/ja_jp/AmazonS3/latest/user-guide/delete-bucket.html)
3. Delete IAM user (None because it was created in association with the root user this time)
4. Delete AWS Account (Root User) (https://aws.amazon.com/jp/premiumsupport/knowledge-center/close-aws-account/) (Supplement) The link destination is the same as 1.

After recreating AWS

--Reset environment variables --Reset the bucket policy Is required.

Impressions

――In this case, the causal relationship is not clear, but I learned that "it is better not to create an account before and after a system failure". ――This time, I just created a new account, and although it takes time to recreate it, I was lucky because I hadn't made any other settings that would be a problem if it disappeared. ――Since I created it twice, it was a review of AWS creation.

that's all. I hope it will be a solution for those who are similarly in trouble. (If you make a mistake, please let me know!)