problem with S3 auth token #20

Closed
farschmessivo opened this issue Jun 14, 2015 · 19 comments

@farschmessivo

Hi guys,

Apparently, I can't upload images through the dashboard, although S3 on Heroku is set up correctly.

screenshot 2015-06-14 22 32 08

Thanks

@cobyism
Owner

cobyism commented Jun 16, 2015

@farschmessivo I saw you commented in #18, so I just wanted to clarify that the S3 settings I described in that issue are for allowing public read, and are not sufficient to allow an authenticated ghost blog’s S3 client to write to the S3 bucket. For that, you’ll need to set up the correct bucket access policies, users, and groups (if using IAM) to allow your client’s id/secret key pair to be able to upload images.

I also notice that according to this page of the AWS documentation an error of 503 (Service Unavailable) could indicate that you’re hitting a rate error. I realise this is probably unlikely, but it’s worth double-checking?

@shea256

shea256 commented Jun 19, 2015

I'm also having this problem. I even tested it with AWS root credentials and it doesn't work. Any advice?

@cobyism
Owner

cobyism commented Jun 22, 2015

Bummer to hear that other people are running into this too. I still haven’t been able to reproduce this myself 😣. Other than the dependency on muzix/ghost-s3, the only code in this project that could be affecting this is this code here, so there’s only a limited amount of things it could be. If it’s not an issue with the code here, it might be worth opening an issue on the ghost-s3 repo?

@shea256

shea256 commented Jun 22, 2015

OK thank you, I'll open an issue there too.

@RobertSasak

I think I had a similar problem which I solved by creating the bucket in the US Standard region. Please try to create your bucket in US Standard and report back.

@shea256

shea256 commented Jun 22, 2015

OK I'll try that. Should the value of S3_BUCKET_REGION be "US Standard"? Spelled out with spaces just like that?

@cobyism
Owner

cobyism commented Jun 22, 2015

> Should the value of S3_BUCKET_REGION be "US Standard"? Spelled out with spaces just like that?

You’ll probably want to use the us-east-1 or eu-west-1 etc. format. A full list of the S3 regions is available here.

> I think I have a similar problem which I solved by creating bucket in US Standard region.

If there are region issues with this, it might also be worth trying to change the region you choose for the Heroku deployment too?

@cobyism
Owner

cobyism commented Jun 22, 2015

/cc @rstrangh Since you added the region config variable in #19, do you have any idea what might be going on here?

@shea256

shea256 commented Jun 22, 2015

OK thank you it's working now. The problem is I didn't have the right S3_BUCKET_REGION slug. I wasn't aware that these even existed, so maybe we want to clarify somewhere that these need to be looked up and used, as opposed to the plaintext names that Amazon lists in the "properties" menu of the bucket.

@cobyism
Owner

cobyism commented Jul 13, 2015

> maybe we want to clarify somewhere that these need to be looked up and used, as opposed to the plaintext names that Amazon lists in the "properties" menu of the bucket.

👍 Yep, good call. I’ll look at adding that to the docs 🔜

@shea256

shea256 commented Jul 13, 2015

Woot!

@brandontle

What should go in the S3_ASSET_HOST_URL entry?

@holic
Collaborator

holic commented Jul 25, 2015

@brandontle I believe it's optional, see #22

@cobyism
Owner

cobyism commented Jul 25, 2015

> What should go in the S3_ASSET_HOST_URL entry?

Yep, it’s optional—you’ll only need that if you have a custom CDN domain alias set up for your S3 bucket. We definitely need to update the README to better document the various environment variables and what goes in them. Hoping to get to that 🔜 😅

@brandontle

Got it, thanks!

@andy-williams

@cobyism Ran into this issue too when I was setting it up, had to read the log to find out what went wrong. Adding a step-by-step guide in the README will definitely help a lot. This project is amazing by the way 👍 I'll be keeping an eye out for anything I can help out with.

Edit: I found this blog post very useful for setting up S3 http://blog.kida.io/ghost-on-heroku/

@cobyism
Owner

cobyism commented Aug 6, 2015

@andy-williams 👍 Thanks for chiming in. I updated the README a week or so ago (see 745daa3) in an attempt to make the S3-related environment variable usage clearer. Can you say more about what would have helped you that’s not outlined under the S3 configuration section?

I’d ❤️ for the documentation to capture the things people find most confusing, so if anyone has suggestions, please open a new issue (or even better, send a PR to improve the README) and we can talk about specific improvements separately.

@farschmessivo since I haven’t heard back, I’m going to go ahead and close this issue, as other people seem to have resolved the same issue you experienced. Feel free to reopen if your original issue isn’t resolved by the comments in this thread. 🙇

cobyism closed this as completed Aug 6, 2015

@garciadanny

garciadanny commented Jul 31, 2016

I'm getting a 403 "Access denied" error.

My region is Oregon, so I supplied us-west-2, according to these aws docs.

My bucket policy looks like this:

{
  "Id": "Policy45435435435",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt14694354353",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my-bucket",
      "Principal": {
        "AWS": [
          "arn:aws:iam::9084334333:user/some-user"
        ]
      }
    },
    {
      "Sid": "Stmt146943543543543377",
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::908943504535433:user/some-user"
        ]
      }
    }
  ]
}

Also added this to the policy but didn't work:

    {
      "Sid": "Stmt147435545180",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Principal": "*"
    }

I used the official policy generator to create it and followed the steps on this aws blog post.

But I'm still getting the error. I then went to the IAM console and created a similar policy pointing to my bucket and added it for my user. But still, same error message.

Any idea what I'm doing wrong?

@garciadanny

garciadanny commented Jul 31, 2016

I figured out why it wasn't working. For anyone else out there who still can't figure this out, I actually didn't need to add a bucket policy within s3 at all. I just created an IAM user and gave them this policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt13242300",
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket/*"
            ]
        }
    ]
}

This allows me to read/write to the bucket with no problem. Unlike all the blog posts I've read, it won't work without s3:PutObjectAcl. Also, when creating the bucket, I had to change the region to US Standard, which I believe is us-east-1. According to the AWS docs, US Standard (us-east-1) maps to s3.amazonaws.com, which is the endpoint that ghost-s3 hits.
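
An added example, not from the thread or the ghost-on-heroku project: a Python check that reports which Allow grants in an S3 policy can never match (S3 evaluates `s3:ListBucket` against the bucket ARN and the object actions against `bucket/*` ARNs) and which statements are open to any principal, run over the two policies quoted above. The names `lint_policy` and `covers`, the action sets and the simplified ARN matching are assumptions made for this example.

```python
# Constructed inputs: the IAM user policy and the public-read statement quoted in
# the thread, with the thread's placeholder bucket name.
USER_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Stmt13242300", "Effect": "Allow",
    "Action": ["s3:DeleteObject", "s3:GetObject", "s3:ListBucket",
               "s3:PutObject", "s3:PutObjectAcl"],
    "Resource": ["arn:aws:s3:::my-bucket/*"]}]}
PUBLIC_READ = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Stmt147435545180", "Effect": "Allow", "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::my-bucket/*", "Principal": "*"}]}

# Which resource type each action is evaluated against (subset relevant here).
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def covers(resource, want_object):
    """Simplified ARN match: can this Resource pattern name a bucket / an object?"""
    name = resource.split(":::", 1)[-1]
    if name.endswith("*") and "/" not in name:  # "*" or "arn:aws:s3:::*" spans both
        return True
    return ("/" in name) == want_object

def lint_policy(policy):
    """Return (Sid, action, message) for inert grants and public statements."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        resources = as_list(stmt.get("Resource", []))
        actions = as_list(stmt.get("Action", []))
        for action in actions:
            if action in BUCKET_ACTIONS and not any(covers(r, False) for r in resources):
                findings.append((sid, action, "needs the bucket ARN; grant has no effect"))
            if action in OBJECT_ACTIONS and not any(covers(r, True) for r in resources):
                findings.append((sid, action, "needs an object ARN (bucket/*); grant has no effect"))
        principal = stmt.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if principal is not None and "*" in as_list(aws):
            findings.append((sid, ",".join(actions), "allowed for any principal (public)"))
    return findings

if __name__ == "__main__":
    for finding in lint_policy(USER_POLICY) + lint_policy(PUBLIC_READ):
        print(*finding, sep=" | ")
```

Listing both `arn:aws:s3:::my-bucket` and `arn:aws:s3:::my-bucket/*` under `Resource` clears the first finding; the second is expected for a bucket that serves blog images publicly.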
