Issues with R2 signed URLs (403 Forbidden)
I made a new R2 bucket with CORS allowing all origins to GET and PUT. Additionally, I have the R2 API key allowing all IPs to Read & Write.
When I generate the Signed URL using the V3 JS AWS API, I set it to last 60 seconds.
Despite all of this, I keep getting 403: Forbidden errors when trying to PUT any sort of files to the Signed URL.
7 Replies
Can you share the CORS policy you have set? I usually start with something like this: https://github.com/harshil1712/nextjs-r2-demo/blob/main/cors.json
and scope it down.
GitHub
nextjs-r2-demo/cors.json at main · harshil1712/nextjs-r2-demo
Upload images to Cloudflare R2 via the Workers API, Pre-signed URL, or Temporary Credentials - harshil1712/nextjs-r2-demo
This is my CORS policy:
But I've also tried replacing "AllowedOrigins" with "*" for put, and it had the same effect
Also I just tried the cors config you linked (with the port replaced) and it still throws a "403: Forbidden" error
My bad, I just saw that it is a 403 error. Can you verify that you are using the correct credentials?
Yeah I am, because forming the signed URL also uses credentials and it works just fine
signing is an offline operation, you can pass anything into it and it'd spit out anything
it's only when the presigned is used are the credentials used to sign it verified, would check the api token didn't expire/has proper scope/etc
Ah I see
Let me screenshot my credential parameters
Oh wow, I have no idea why but when going to my R2 token and clicking edit, it only had "Read Object" access and also had an expiry date.
I'm 100% positive that I made it Read & Write and set it to never expire. I made the token last night.
Switching the token back to "Read & Write" fixed everything.
The weird thing is, I had the token with R&W perms yesterday, but it still threw 403s. Did Cloudflare have some R2 related issues yesterday?
Yeah, looks like there was an issue yesterday: https://www.cloudflarestatus.com/incidents/cpb12qjp2k6w