[Bug]: Logo will not use private signed url

[SteffenJung]

Link to the documentation page or resource

https://github.com/strapi/strapi/tree/main/packages/providers/upload-aws-s3

Describe the bug

Hi, it seems that the logo and auth-logo defined in the admin panel settings do not use the signed_url if the MediaLibrary is a private aws s3 bucket.
Iam using the plugin(https://github.com/strapi/strapi/tree/main/packages/providers/upload-aws-s3)

The media library works great with the private bucket. It successfully uses the AWS token signed URL. (i can see it in the inspect tool in browser).

If i upload a new logo in the settings and hit save then the logo was successfully uploaded into the bucket but the logo and as i expect also the Auth-logo uses the normal url not that signed_url.
Finally the logo cannot be displayed and it gets the ErrorCode:403.

Additional context

No response

Suggested improvements or fixes

No response

Related issue(s)/PR(s)

No response

[github-actions]

🤖 I've analyzed your question and here's what I found:

Thanks a lot for taking the time to report this and for the clear explanation of your setup with a private S3 bucket — that’s really helpful context.

From the available documentation, private providers are explicitly designed so that assets shown in the Content Manager use signed URLs when isPrivate() returns true and getSignedUrl(file) is implemented. [Private providers] However, the docs do not state that these signed URLs are also used for:

• Admin panel logos (Menu logo / Auth logo) configured via Settings > Global settings > Overview [Customizing the logo]
• Or via the admin app configuration (config.menu.logo, config.auth.logo) [Logos]

So based on the documentation, it looks like:

• Private provider signing is wired for Content Manager assets, not for all admin assets.
• There is no documented behavior guaranteeing that admin logos will use getSignedUrl(file) from a private upload provider. [Private providers]

That means what you’re seeing (logo uploaded to a private bucket, but the admin UI trying to load the raw URL and getting a 403) is very likely a product limitation / bug, not a configuration mistake on your side.

---

Possible workarounds today

Until this is handled natively, a couple of directions you can consider:

1. Use a non‑private location for the admin logos

   Since the logo is only used in the admin UI, you could:

   • Keep your Media Library provider private for content assets.

   • Host the admin logos in a public location (e.g. a public S3 bucket, CDN, or local upload provider) and:

     • Either upload them via the admin UI but with a non‑private provider, or
     • Configure them programmatically in src/admin/app.[js|ts] by importing static files from your repo:

     // ./src/admin/app.js
     import AuthLogo from "./extensions/my-auth-logo.png";
     import MenuLogo from "./extensions/my-menu-logo.png";
     
     export default {
       config: {
         auth: {
           logo: AuthLogo,
         },
         menu: {
           logo: MenuLogo,
         },
       },
       bootstrap() {},
     };

     [Logos]

   This avoids the need for signed URLs for these specific assets.

2. Keep using the private provider for content only

   If you need strict privacy for content assets but can accept public admin logos, you can mix:

   • Private provider for your main Media Library.
   • Public/static assets for admin branding as above.

---

Next steps

From the documentation side, there’s no indication that admin logos are expected to use signed URLs from private providers, so this looks like a core behavior gap rather than a docs issue.

I’d recommend:

• Keeping this issue open as a bug / product behavior so the core team can evaluate adding signed‑URL support for admin logos when a private provider is in use.
• If you’d like to formally request this as an enhancement (e.g. “Admin logos should respect private providers and use getSignedUrl”), you can also submit it on the feedback portal: https://feedback.strapi.io

Tagging for potential core follow‑up: @pwizla (this seems to be a product behavior issue rather than just documentation).

If you’re able to share:

• Your provider configuration (redacted of secrets), and
• Whether you’re on Strapi Cloud or self‑hosted,

that can also help the team reproduce and confirm the behavior more quickly.

📚 Relevant documentation:

• Administration panel - Customizing the logo
• Email - Creating providers
• Favicon
• How to configure SSO providers - Displaying providers logos
• Logos
• Media Library - Code-based configuration
• Media Library providers
• Media Library providers - Configuring providers
• Media Library providers - Creating providers
• Media Library providers - Private providers
• Middlewares configuration - security
• Upload Provider - Configure the Provider
• Upload Provider - Configure the Security Middleware
• Using a custom upload provider with Strapi Cloud
• Why cloud provider plugins stop working after deployment to Strapi Cloud

---

ℹ️ This response was generated automatically. If this doesn't fully answer your question or if you need further assistance, please mention @pwizla in a comment and a human maintainer will help you.

You can also try our interactive AI chat for more detailed assistance.

💡 For feature requests or product feedback, visit feedback.strapi.io.

[SteffenJung]

Solved - Workaround 1 does the trick.
Docs: https://docs.strapi.io/cms/admin-panel-customization/logos