Excon::Errors::Forbidden (Expected(200) <=> Actual(403 Forbidden)
[EDIT: I'd default to the other answer at this point, especially if you're in a prod environment. This was a workaround that worked for me while building a breakable toy a few years back, but I agree with granting minimal permissions when security is a concern.]
I was encountering the same error, and the solution was to attach administrative access policies from the AWS Management Console:
1) Sign in to the AWS Management Console at http://aws.amazon.com/iam/
2) Click "Policies" from the Navigation Pane on the left
3) Select the "AdministratorAccess" policy
4) Click Policy Actions > Attach at the top of the page
5) Select the user associated with my S3_ACCESS_KEY, S3_SECRET_KEY, and S3_BUCKET
6) Click "Attach Policy"
Merely granting all permissions from my bucket at https://console.aws.amazon.com/s3/home was not sufficient.
The other answer telling you to grant AdministratorAccess on the IAM user is a bad idea from a security point of view - it will allow anyone with access to those keys to perform any action in your account, including deleting all infrastructure.
I haven't worked out the exact minimum set of permissions that Carrierwave / Fog needs, but a smaller set that I got working looks like:
Create an AWS IAM Policy with a policy document like:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::BUCKETNAME/*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::BUCKETNAME"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
Note that it is not an error to specify S3 actions on both BUCKETNAME and BUCKETNAME/* - the first relates to API actions that are performed on the bucket, and the second, on stored objects within the bucket.
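Added example (not part of either answer, and not Carrierwave or Fog code): a small Ruby check that reads an IAM policy document and reports, per resource, whether an Allow statement amounts to AdministratorAccess or grants a wildcard action, and whether the ARN is bucket-level or object-level. The function and constant names are hypothetical, and both policies are constructed inputs, the first copied from the answer above with its BUCKETNAME placeholder.

```ruby
require 'json'

# Constructed input: the policy document from the answer, BUCKETNAME left as a placeholder.
ANSWER_POLICY = <<~JSON
  {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::BUCKETNAME/*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::BUCKETNAME"},
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": ["*"]}
  ]}
JSON

# Constructed input: what attaching AdministratorAccess amounts to (Allow * on *).
ADMIN_POLICY = '{"Version": "2012-10-17", ' \
               '"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}'

S3_ARN = 'arn:aws:s3:::'

# :bucket for arn:aws:s3:::name, :object for arn:aws:s3:::name/key, :any for "*".
def resource_scope(arn)
  return :any if arn == '*'
  return :other unless arn.start_with?(S3_ARN)
  arn.delete_prefix(S3_ARN).include?('/') ? :object : :bucket
end

# One finding per (statement, resource) whose Allow goes beyond named actions.
# "Statement", "Action" and "Resource" may each be a single value or a list.
def audit_policy(json)
  statements = [JSON.parse(json)['Statement']].flatten
  statements.each_with_index.flat_map do |stmt, i|
    next [] unless stmt['Effect'] == 'Allow'
    actions = Array(stmt['Action'])
    Array(stmt['Resource']).filter_map do |arn|
      scope = resource_scope(arn)
      if actions.include?('*') && scope == :any
        { statement: i, issue: :admin_equivalent, scope: scope }
      elsif actions.any? { |a| a.include?('*') }
        { statement: i, issue: :wildcard_action, scope: scope }
      end
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  audit_policy(ANSWER_POLICY).each { |finding| puts finding }
  audit_policy(ADMIN_POLICY).each { |finding| puts finding }
end
```

The findings on the answer's policy mark where `s3:*` could later be replaced with named actions, split by whether each grant applies to the bucket or to its objects.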