S3 Provider fails to upload #1618
Comments
|
Could you please specify version of electron-publisher-s3? And try to use latest electron-builder? |
|
I originally missed the
|
|
Closing b/c increased permissions seems to have resolved it. |
|
Reopened — question "Can you confirm the minimal permissions for the S3 provider?" is not answered, we must do something smart to save user's time. |
|
Same problem here, what are the minimal working permissions? |
|
In case this helps anyone, I had a similar symptom that was caused by using a non-default AWS profile. The |
|
@dsagal and @develar that's what we ended up with after trailing the CloudTrail logs for the requests issued by the {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAppS3Releases",
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:ListMultipartUploadParts",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::release-bucket/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:ListBucketMultipartUploads"
],
"Resource": [
"arn:aws:s3:::release-bucket"
]
}
]
}notice the |
|
@romanrev Thanks (official docs: http://docs.aws.amazon.com/AmazonS3/latest/dev/mpuAndPermissions.html) |
|
thanks @develar yes, that's what we looked at after we saw the |
|
To everyone coming from the docs who is as stupid as I am: You have to change your bucket-name in these permissions … |
|
I needed |
|
I also needed |
|
@kalokiston @PriscilaAlves Do you have your bucket in a region besides the default US East (N. Virginia)? I didn't need to add the |
|
Thanks for the policy example! What do you all use for your |
|
@mlynch you have two options
Then add the user to the policy. I named my iam user "Sid": "Stmt123456789",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::1234567890:user/ci_server"
},walkthrough: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html |
|
Thanks, though there are two operations here. It seems you want to allow read access to everyone (so users can see and download new versions), but only write access to an IAM user, correct? That would mean two separate principal options? |
|
@mlynch If you want to give users direct access to your bucket, then yeah, you'd need to set up those two levels of access. But I recommend using cloudfront. The data transfer pricing is cheaper than having users download directly from s3. And when you set up cloudfront, it'll ask to add a policy to the bucket for you. Here are some articles that led me to this conclusion: https://medium.com/devopslinks/this-is-how-i-reduced-my-cloudfront-bills-by-80-a7b0dfb24128 https://www.expatsoftware.com/articles/2009/01/cloudfront-costs-compared-to-s3.html |
|
Awesome thanks so much! Also probably better download performance for users around the globe I’d imagine |
|
You're welcome :-). Yeah you'll get way better download performance since your app will be distributed across the edge network, and will be much closer to your users. One thing to keep in mind -- distributing to cloudfront is not immediate. I've seen an average of 20-30 min for full availability. So if you want to test publishing, use minio server like the guide suggests. The cloudfront url is static, so it doesn't affect publishing. |
|
Thanks for the policy guide! I wanted to add that apart from setting I also had to uncheck the
EDIT: I also had to uncheck the second option |
|
@JM-Mendez, if I use CloudFront for serving my updates, how do I configure the electron-updater inside my app to use the CloudFront URL instead of trying to access S3 directly? |
Using What is the correct way? |
|
@erikjalevik this is how I did it. Are you sure you're calling electron-builder/packages/electron-updater/src/AppUpdater.ts Lines 183 to 185 in 2c674df electron-builder/packages/electron-updater/src/AppUpdater.ts Lines 191 to 205 in 2c674df |
|
Sorry to bother u again with this issue, but i can't upload to S3 I always get the error like the issue opener. |
|
I was able to get this working for a private bucket after setting ACL to 'private': |
This worked for me, thanks! |
|
I have setup my iam user to have full AWS access and setup the bucket to allow ACLs, however, I still get the following error when I try to build unless 
Setting In my import { autoUpdater } from "electron-updater"
autoUpdater.on('update-downloaded', (event) => {
const dialogOpts = {
type: 'info' as const,
buttons: ['Restart', 'Later'],
title: 'Application Update',
message: String(process.platform === 'win32' ? event.releaseNotes : event.releaseName),
detail: 'A new version has been downloaded. Restart the application to apply the updates.'
}
dialog.showMessageBox(dialogOpts).then((returnValue) => {
if (returnValue.response === 0) autoUpdater.quitAndInstall()
})
})
autoUpdater.on('error', (message) => {
console.error('There was a problem updating the application')
console.error(message)
})When I run this I get a 403: I suppose we can get around this by baking in the AWS keys into the main process, but idk how I feel about baking in credentials into the build. Alternatively I've seen people discuss using a server to pass credentials to the app, but I don't need a server for anything else so that seems excessive. Are the only options here to either make the bucket completely public OR bake in some limited credentials to access the bucket? Are there any best practices here? |
I'm using the S3 provider. I can confirm my ENV vars are set properly by successfully uploading via the command line using the
awstool. However, when I go to publish I get:The text was updated successfully, but these errors were encountered: