I'm getting the following error:

```
error         S3_STORE_ACCESS_DENIED
http_code     403
step          export
previousStep  :original
worker        novate.transloadit.com
message       S3 did not accept the key / secret pair you provided.
```
If I put in an invalid API key, I'm getting a different error, so I presume the error message is a false distraction. I've tested the API key & secret manually and they work, so I know it's not my credentials.
How do I correctly configure my S3 bucket for file exports by the Transloadit /s3/store robot?
CodePudding user response:
TLDR: set the `acl` parameter for Transloadit to `private`.
If you only want to export files to S3 via Transloadit, the most secure option would just be to grant the IAM user access to write to the bucket. Unless you want per-object access control, ACLs aren't really used anymore in modern AWS and they're a legacy feature though not deprecated (yet). The IAM user having access would be enough.
The reason you see the error you do is that Transloadit is attempting to specify the `public-read` canned ACL in its request by default. This would effectively correspond to granting everyone (the All Users group) the `READ` ACL permission.
It is essentially telling AWS that 'I don't want to just use IAM on its own, I want to use IAM and ACLs'.
This forces you to either:

- relax your ACL to allow it to make every object you're uploading to S3 accessible to the entire world;
- tell Transloadit to adhere to the default AWS ACL policy (`private` canned ACL) & not expose your files to the entire world; you can do this by setting the `acl` parameter to `private`.
Amazon S3 buckets and objects have always been private by default in line with AWS's security best practices. Any attempt to make the bucket or objects within public, must be done manually.
For option one (not recommended), in addition to the Block all public access & Block public access to buckets and objects granted through new access control lists (ACLs) options, ensure you've also unchecked the Block public access to buckets and objects granted through any access control lists (ACLs) option. This is currently checked in your current configuration. Unchecking all three would allow Transloadit to specify its default `public-read` ACL value to S3 for any object for the relative ACL permissions to be added to the ACL of the object.
For option two (highly recommended in line with the least-privilege AWS security best practice), set the `acl` parameter when setting up `/s3/store` to `private`. The `private` canned ACL means that by default, you (the bucket owner) get `FULL_CONTROL` and nobody else has any access rights. This basically brings Transloadit in line with AWS's default and is the safest option.
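The answer's option two in working form, as an added example that is not code from the question, the answer, or Transloadit: it builds a `/s3/store` step with the `private` canned ACL, the minimal IAM policy the export key pair needs, and a small check that predicts whether S3's Block Public Access setting would reject the ACL a step sends (the 403 in the question). The bucket name, region and path are constructed placeholders; the `/s3/store` parameter names (`bucket`, `bucket_region`, `path`, `acl`) and the `${unique_prefix}`/`${file.url_name}` variables are taken from the Transloadit docs as I recall them and should be confirmed against the current robot reference; `s3:PutObjectAcl` in the policy is an assumption based on the robot sending an ACL header.

```python
"""Added example, not code from the question, the answer, or Transloadit:
a private-ACL /s3/store step, a least-privilege IAM policy for the export
user, and a check for export steps that Block Public Access would reject."""
import json

# Constructed placeholders, not real resources.
BUCKET = "example-export-bucket"
REGION = "us-east-1"

# Canned ACLs that grant the AllUsers group access; everything else is non-public.
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write"}

# Per the answer, Transloadit sends public-read when acl is not set explicitly.
TRANSLOADIT_DEFAULT_ACL = "public-read"


def s3_store_step(bucket: str, region: str, acl: str = "private") -> dict:
    """/s3/store step with an explicit ACL. Parameter names follow the
    Transloadit docs as recalled (assumption: verify against the reference)."""
    return {
        "robot": "/s3/store",
        "use": ":original",
        "bucket": bucket,
        "bucket_region": region,
        "path": "exports/${unique_prefix}/${file.url_name}",
        "acl": acl,
    }


def export_user_policy(bucket: str) -> dict:
    """Minimal IAM policy for the key pair Transloadit uses: write objects into
    one bucket and nothing else. s3:PutObjectAcl is included because the robot
    sends an x-amz-acl header with the PUT (assumption: drop it if a test
    export with acl=private succeeds without it)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:PutObjectAcl"],
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def effective_acl(step: dict) -> str:
    """ACL the robot will actually send for this step."""
    return step.get("acl", TRANSLOADIT_DEFAULT_ACL)


def predict_put(acl: str, block_public_acls: bool) -> str:
    """With BlockPublicAcls enabled, S3 fails any PutObject that carries a
    public canned ACL with 403 AccessDenied; a private ACL is unaffected."""
    if acl in PUBLIC_CANNED_ACLS and block_public_acls:
        return "rejected"
    return "accepted"


def public_export_steps(steps: dict) -> list:
    """Names of /s3/store steps whose effective ACL exposes objects publicly,
    i.e. the ones to fix by setting acl to private."""
    return sorted(
        name for name, step in steps.items()
        if step.get("robot") == "/s3/store"
        and effective_acl(step) in PUBLIC_CANNED_ACLS
    )


if __name__ == "__main__":
    steps = {"export": s3_store_step(BUCKET, REGION)}
    print(json.dumps({"steps": steps}, indent=2))
    print(json.dumps(export_user_policy(BUCKET), indent=2))
    print("private export, BlockPublicAcls on:", predict_put("private", True))
    print("default export, BlockPublicAcls on:",
          predict_put(TRANSLOADIT_DEFAULT_ACL, True))
    print("steps needing acl=private:",
          public_export_steps({"export": {"robot": "/s3/store"}}))
```

Running `public_export_steps` over your assembly instructions before you deploy them is the cheap check: any `/s3/store` step it lists will either fail with the 403 above or, if you relax Block Public Access, publish the object to the world.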