Contrib.social

Unable to get S3FS working with IAM

Open on Drupal.org →
Created on 26 May 2023, over 1 year ago
Updated 15 August 2023, over 1 year ago

Problem/Motivation

Unable to get S3FS working with AWS IAM Role

Steps to reproduce

We're trying to use S3FS running with IAM Role. Although we're able to connect to the account via AWS CLI from the cluster, S3FS is not picking up the credentials either from the environment or custom INI file.

Below is the error we see during the "Validate" step:

Unable to validate your s3fs configuration settings. Please configure S3 File System from the admin/config/media/s3fs page or settings.php and try again.
An unexpected error occurred. Error executing "PutObject" on "https://XXXXX.s3.us-east-2.amazonaws.com/s3fs-tests-results/write-test-2..."; AWS HTTP error: Client error: `PUT https://XXXXXX.s3.us-east-2.amazonaws.com/s3fs-tests-results/write-test-...` resulted in a `403 Forbidden` response: <?xml version="1.0" encoding="UTF-8"?> AccessDeniedAccess DeniedRVD3M0 (truncated...) AccessDenied (client): Access Denied - <?xml version="1.0" encoding="UTF-8"?> AccessDeniedAccess DeniedRVDPV9BNJK/mDRIaZJdEEo=
Unable to listObjectVersions. Is listObjectVersions supported by your bucket? Error executing "ListObjectVersions" on "https://XXXXXX.s3.us-east-2.amazonaws.com/?versions&max-keys=1"; AWS HTTP error: Client error: `GET https://XXXXXXX.s3.us-east-2.amazonaws.com/?versions&max-keys=1` resulted in a `403 Forbidden` response: <?xml version="1.0" encoding="UTF-8"?> AccessDeniedAccess DeniedRVDA6C (truncated...) AccessDenied (client): Access Denied - <?xml version="1.0" encoding="UTF-8"?> AccessDeniedAccess DeniedRVDZN4H3qTxuueNZ4TQLlw+m/27JPA=

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

💬 Support request
Status

Closed: cannot reproduce

Version

3.2

Component

Documentation

Created by

🇮🇳India e3aa3b

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @e3aa3b
  • Comment over 1 year ago
    🇮🇳India e3aa3b
  • Comment over 1 year ago
    🇮🇳India e3aa3b
  • Comment over 1 year ago
    🇺🇸United States cmlara

    Is the s3fs access key and secret key both empty?

    Are you sure your environment variables are making it through ? PHP-FPM for example by default strips environment variables unless you configure it not to. Running a phpinfo() is a good idea to validate, I believe the Drupal phpinfo() page sanitizes environment variables so need to run as a custom php file.

    What did your credentials ini file look like and was it stored at the path configured and readable by the user that PHP is running under?

  • Comment over 1 year ago
    🇮🇳India e3aa3b

    Hi,

    We're looking out for configuration using "Option 1 (Use AWS defaultProvider)" as mentioned here: https://git.drupalcode.org/project/s3fs/-/blob/4.0.x/README.txt

    I believe that should work without specifying the access key and secret key. We're able to access s3 bucket using our configured IAM role (tested via AWS CLI). The intention is to be able to access s3 bucket using the IAM role (instead of credentials).

    Any pointers will be very helpful. Thanks!

  • Comment over 1 year ago
    🇺🇸United States cmlara

    @e3aa3b This is a community support method, please do not send direct messages through the contact form, instead please place the information in this issue both so that others can provide support and to retain the timeline of the issue. if you want a direct private connection we can discuss a professional services contract.

    I believe that should work without specifying the access key and secret key.

    Specifically you must NOT specify the access key and secret key, this is why I ask if they are set, either in settings.php or via the key module, if they are it would be expected for the Default Provider not to be called. This is one of the only limited items inside of the S3FS module that can impact operations, beyond that its generally outside of the S3FS module.

    Any pointers will be very helpful. Thanks!

    Please see #4 specifically:

    • What is the results of phpinfo() inside the webserver? Are the variables present? Note this needs to be run inside the server, not from the CLI or Drush as the results can be different.
    • What did your credentials ini file look like and was it stored at the path configured and readable by the user that PHP is running under? (This method should rule out environment variable issues)

    Adding onto the above since you provide a number of environment variables by email
    Was your AWS_WEB_IDENTITY_TOKEN_FILE readable by the user that PHP executes under? Its possible for this to be readable by the user running the AWS CLI and not for PHP, though I believe this should throw an exception I'm not sure this will percolate up or not inside a chained provider.

  • Comment over 1 year ago
    🇮🇳India e3aa3b

    Thanks for the comment @cmlara

    1. We're not specifying the access key and secret key anywhere

    2. when I do phpinfo(), I notice following AWS specific variables present:
    - AWS_DEFAULT_REGION
    - AWS_REGION
    - AWS_ROLE_ARN
    - AWS_ROLE_SESSION_NAME
    - AWS_WEB_IDENTITY_TOKEN_FILE

    These are matching with the values in the environment. Are we expecting more which maybe missing here..?

    3. Also the AWS_WEB_IDENTITY_TOKEN_FILE has full access across, so I believe should be readable by PHP.

    Thanks for your feedback so far! Pls let me know if some more debugging maybe possible to crack it.

  • Status changed to Postponed: needs info over 1 year ago
  • Comment over 1 year ago
    🇺🇸United States cmlara

    Apologies for the delay, I was not at my desk most of the past week.

    At this point I would suggest you review your AWS S3 bucket access logs to determine what ARN is accessing, that its the correct ARN, and that it has the appropriate access permissions.

    As long as the secret key and access key are both empty this is going to be unlikely to be an issue in s3fs.

  • Status changed to Closed: cannot reproduce over 1 year ago
  • Comment over 1 year ago
    🇺🇸United States cmlara

    As this issue has not received an update in over 2 weeks I am closing the issue out as cannot reproduce with the assumption that this was likely related to attempting to use a token that was not valid.

  • Comment 12 months ago
    🇺🇸United States grasmash

    It amazes me how unintuitive IAM is. In case this helps someone else, I had to define a policy for my user like this:

    {
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "VisualEditor0",
			"Effect": "Allow",
			"Action": [
				"s3:PutObject",
				"s3:GetObjectAcl",
				"s3:GetObject",
				"s3:DeleteObjectVersion",
				"s3:DeleteObject",
				"s3:PutObjectAcl",
				"s3:GetObjectVersion"
			],
			"Resource": "arn:aws:s3:::[bucket-name]/*"
		},
		{
			"Sid": "VisualEditor1",
			"Effect": "Allow",
			"Action": [
				"s3:ListBucketVersions",
				"s3:ListBucket"
			],
			"Resource": "arn:aws:s3:::[bucket-name]"
		}
	]
}
contrib.social Blog FAQ Discussions
Production build 0.71.5 2024