Skip to content
This repository has been archived by the owner on Nov 3, 2022. It is now read-only.

S3 Backup fails for non us-east-1 region #5

Closed
ambrons opened this issue Oct 18, 2017 · 1 comment
Closed

S3 Backup fails for non us-east-1 region #5

ambrons opened this issue Oct 18, 2017 · 1 comment

Comments

@ambrons
Copy link

ambrons commented Oct 18, 2017

When setting the plan up as follows:

s3:
  url: "https://s3.amazonaws.com/"
  bucket: "bucket-in-ap-southeast-1"
  accessKey: "accessKey"
  secretKey: "secretKey"
  api: "S3v4"

It results in this error during backup:

{"error":"S3 uploading /storage/db/db-1508351867.gz to db/bucket-in-ap-southeast-1 failed `/storage/db/db-1508351867.gz` -\u003e `db/bucket-in-ap-southeast-1/db-1508351867.gz` mc: \u003cERROR\u003e Failed to copy `/storage/db/db-1508351867.gz`. The authorization header is malformed; the region 'us-east-1' is wrong; expecting 'ap-southeast-1' mc: \u003cERROR\u003e Session safely terminated. To resume session `mc session resume bityhPIa` : exit status 1"}

I have also tried setting the url to https://s3-ap-southeast-1.amazonaws.com/, but this too failed for another reason.

{"error":"S3 uploading /storage/db/db-1508350708.gz to db/bucket-in-ap-southeast-1 failed `/storage/db/db-1508350708.gz` -\u003e `db/bucket-in-ap-southeast-1/db-1508350708.gz` mc: \u003cERROR\u003e Failed to copy `/storage/db/db-1508350708.gz`. Amazon S3 endpoint should be 's3.amazonaws.com'. mc: \u003cERROR\u003e Session safely terminated. To resume session `mc session resume zDCASxDp` : exit status 1"}

I see you are using minio to handle the s3 cp. I've tried looking at their existing tickets to see if there's a known issue or a configuration option missing in either your source or theres for specifying a region.

This closed ticket would suggest that it should just work. minio/minio-java#494

Any thoughts you could provide would be most appreciated.
@ambrons
Copy link
Author

ambrons commented Oct 18, 2017

Actually turned out to be S3 permissions issue with the policy associate with the aws access key:

I left out s3:GetBucketLocation originally.

Example of working policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::bucket"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket/*"
            ]
        }
    ]
}

@ambrons ambrons closed this as completed Oct 18, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ambrons