S3 Bucket ACLs Enabled or Disabled (recommended)?

Created on 6 July 2023, over 1 year ago
Updated 2 September 2024, 4 months ago

I have a website with existing pdf files in a file field that I plan to migrate to S3 due to their large file size and the cost of storage on my hosting platform.

When creating the bucket in S3, I am faced with two options:
ACLs Enabled

and
ACLs Disabled (recommended)

I tried ACLs disabled as recommended by Amazon with the following settings.php config:

<?php
// Amazon S3 configuration.
$settings['s3fs.access_key'] = 'REDACTED';
$settings['s3fs.secret_key'] = 'REDACTED';
$config['s3fs.settings']['bucket'] = 'bucket_name';
$config['s3fs.settings']['region'] = 'us-east-1';
$settings['s3fs.upload_as_private'] = TRUE;
?>

This option does not seem to work well with the instructions given in the README, and I am not able to view the files from the website.

Getting the error below when I access the file URLs:

This XML file does not appear to have any style information associated with it. The document tree is shown below.
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>R8N71E98YW3K3NKV</RequestId>
<HostId>
H8FG1fwUhY4DgiKJIOw2G6VE6WZtZH0nRHbLEhlVq2DNbNUpZrHx75DklqszrQD7Wt5gQFd+w6Y=
</HostId>
</Error>

The question is, which is the Drupal s3fs recommendation? Is it the same as what AWS recommends?

💬 Support request
Status: Fixed
Version: 3.1
Component: Miscellaneous
Created by: 🇹🇹 Trinidad and Tobago frazras


Comments & Activities

  • Issue created by @frazras
  • 🇺🇸 United States cmlara

    From the README file:

      * If your S3 bucket is configured with BlockPublicAcls then enable the
        'upload_as_private' setting.
    
        Example:
          $settings['s3fs.upload_as_private'] = TRUE;
    
        * If s3fs will provide storage for s3:// or public:// files the generated
          links will return 403 errors unless access is granted either with
          presigned urls or through other external means.

    From an s3fs standpoint either is acceptable; this is not really an s3fs question but a question of what your policies are around data security for the appropriate choice.

    The key information when you choose "$settings['s3fs.upload_as_private'] = TRUE;" (which is correct for Bucket ACLs disabled) is that it becomes the responsibility of the bucket owner (yourself) to either create a bucket policy that grants access to the appropriate S3 paths to make them public at the bucket level, use pre-signing inside the s3fs module (though there are Drupal Cache issues to be aware of with this), or use other external means that allow access to the objects.
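
The bucket-policy option from the comment above, as an added example that is not part of the thread or of the s3fs project: it builds a policy that lets anonymous users read one key prefix only, and includes a simplified check that other prefixes stay denied. The bucket name and the `s3fs-public/` and `s3fs-private/` prefixes are assumptions; substitute the folders your site actually uses.

```python
import json
import re

# Assumptions (not from the thread): placeholder bucket name, and
# "s3fs-public/" as the key prefix holding the files meant to be public.
BUCKET = "bucket_name"
PUBLIC_PREFIX = "s3fs-public/"


def build_public_read_policy(bucket, prefix):
    """Bucket policy allowing anonymous s3:GetObject on one prefix only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AnonymousReadPublicPrefix",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # Policy wildcards: '*' is any run of characters, '?' is one character.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.DOTALL) is not None


def anonymous_can_read(policy, bucket, key):
    """Review aid, not a full policy evaluator: an explicit Deny wins,
    otherwise an Allow is required. Condition blocks are ignored."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    allowed = False
    for stmt in policy["Statement"]:
        hit = (stmt.get("Principal") in ("*", {"AWS": "*"})
               and any(_matches(a, "s3:GetObject") for a in _as_list(stmt["Action"]))
               and any(_matches(r, arn) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or hit
    return allowed


if __name__ == "__main__":
    print(json.dumps(build_public_read_policy(BUCKET, PUBLIC_PREFIX), indent=2))
```

S3 rejects or overrides a public bucket policy while the bucket's BlockPublicPolicy or RestrictPublicBuckets settings are on; these are separate from the BlockPublicAcls setting the README mentions.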

  • Status changed to Fixed 4 months ago
  • 🇺🇸 United States cmlara

    Considering this issue resolved as no additional questions were raised after providing feedback.

  • Automatically closed - issue fixed for 2 weeks with no activity.
