ERROR in S3Plugin: AccessDenied: Access Denied

[joshunger]

I'm getting an access denied but my command line tools work executing a similar command of aws s3 sync. What is the best way to debug at this point? Thanks.

[MikaAK]

I'm not to sure. Could be a problem with your region or more. This isn't really a bug and I cannot really help debug this. Closing, If you think this is a bug, please provide more info and reopen.
Thanks,
Mika

[joshunger]

I see the problem. You're setting ACL public-read but my permissions on my upload account only allow PutObject but not PutObjectACL. That's seems like a security concern?

[MikaAK]

It's not really a security concern because primarily you use the things on s3 for display and need public-read. You have a unique use case that I have never come across. The config allows you to set custom s3Options so you can set

{
  s3Options: {ACL: ''}
}

[paolavness]

It would be helpful is this was mentioned somehwere in the documentation. We've spent quite a bit of time debugging this - turns out, for our specific use case where IAM users setup with restricted access, the plugin fails to upload with 'access denied'. setting ACL: '' resolved this - would have been helpful to know this sooner.

[MikaAK]

e901ce7

@paolavness

[hsanjuan]

It's not really a security concern because primarily you use the things on s3 for display and need public-read.

It IS a security concern. Cloudfront supports WAF. WAF allows to whitelist only specific traffic. Bucket policies support allowing access only from Cloudfront, which is the recommended way to do permissions for buckets when using Cloudfront.

Instead of letting the user configure the bucket policies to their needs and using default ACLs (non public), you are overriding them with non-default values, on a per-object basis, in a non-obvious way which silently bypasses any security policies set for the bucket.

[jnoss]

I tested and it looks like ACL is actually a parameter on s3UploadOptions not s3Options - so to override the default ACL it's necessary to set:

s3UploadOptions: {
  Bucket: 'MyBucket'
  ACL: 'private'
},

(or other ACL as desired).

[MikaAK]

Instead of letting the user configure the bucket policies to their needs and using default ACLs (non public), you are overriding them with non-default values, on a per-object basis, in a non-obvious way which silently bypasses any security policies set for the bucket.

As @jnoss pointed out you can override the ACL. For a vast majority of cases ACL: public-read is probably fine, if not change it 😃

[tobinbc]

Just to further this - the default option for S3 is to forcibly deny attempts to make objects public. So without setting ACL:'' uploads will be denied by default. Either do as here, or explicitly enable allowing a public ACL.

[MikaAK]

@tobinbc I've never had that be default did this change recently?! I've used this on countless buckets without explicitly enabling public ACL

[tobinbc]

In theory, yes. https://aws.amazon.com/about-aws/whats-new/2018/11/introducing-amazon-s3-block-public-access/

[MikaAK]

You must specifically enable that though so if you're doing that you should already be aware of its impact!!