Elastic Beanstalk S3 permission on standard role:

Posted 2019-09-03 20:56

Question:

Trying to get an EB working with S3 bucket. Thought I'd followed all the instructions, but just cannot get uploaded pdf to display (currently "permission denied"). I had this working on Heroku + S3 earlier so know it works in theory.

Setup

  • Ruby EB, single instance. created with default app
  • added the paperclip demo app
  • app: paperclipdemo3 env: paperclipdemo3-dev
  • instance profile (aws-elasticbeanstalk-ec2-role), standard service profile (aws-elasticbeanstalk-service-role)
  • attached AmazonS3FullAccess to this role
  • S3 buckets created in same region

Error: When viewing the uploaded file (pdf) gives

 <Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>5CDDC975006C7C62</RequestId><HostId>h3ohBvPu8hXYIZkwLsgF/k0akNuLjyaOpbBzgsxmgtesQ/UJBlOH6phRrsr0tPowNFBFZ7LCI7M=</HostId></Error>

uploaded doc S3 path

as per generated html page

https://s3-ap-southeast-2.amazonaws.com/paperclipdemo3bucket1/var/app/current/public/pdf/1/original/testupload_2page_doc1.pdf?1458545227

Tried

  • fixed 'sorry something went wrong' which was endpoints / region config
  • adding specific policy as suggested in docs, customising bucket names etc., but decided when it didn't work to go simple:
  • adding S3 full access to the aws-elasticbeanstalk-ec2-role (which seems the 'simplest' as defined here: "SO S3 permissions")
  • making the S3 bucket world readable (i.e. everyone) and it gives same access denied. Surely this should work!?

Just cannot get it to work. Bet it's something obvious!?

hope someone else can spot quicker than I can, any thoughts appreciated

Ben

EDIT 1 - I've noticed that people talk of seeing logs in EB console, but all I can do is download the last 100 lines or full EC2 logs. None of my logs mention S3 errors (other than paperclip uploading the file), there is no return code. I've also noticed my S3 bucket is not writing ANY logs (even though I attached a separate logging bucket in same region)

Paperclip config

    config.paperclip_defaults = {
      :storage => :s3,
      :s3_region => 'ap-southeast-2',
      :s3_permissions => :private,
      :s3_protocol => 'https',
      :s3_host_name => 's3-ap-southeast-2.amazonaws.com',
      :s3_endpoint => 's3-ap-southeast-2.amazonaws.com',
      :s3_credentials => {
        :bucket => ENV['AWS_BUCKET'],
        :access_key_id => ENV['AWS_ACCESS_KEY_ID'],
        :secret_access_key => ENV['AWS_SECRET_ACCESS_KEY'],
      }
    }

Roles

Policy for Role aws-elasticbeanstalk-ec2-role

EB configuration environment variables

S3 example uploaded file permissions

Answer 1:

I was mixing S3 policy & ACLs. This config is the culprit:

    :s3_permissions => :private,

If it's removed it goes public!

This has a good explanation of it: https://thewebfellas.com/blog/protecting-your-paperclip-downloads with the ACLs listed here: http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html
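
The plain object URL in the question is fetched by the browser with no credentials, so the instance role's S3 policy never applies to it and a private ACL yields AccessDenied. As an added example (not code from the original post or from Paperclip), this standard-library Ruby sketch builds a SigV4 presigned GET URL so the object can stay private and still be viewed for a limited time. The access key, secret key and 300-second lifetime are constructed placeholders.

```ruby
require 'openssl'

# Percent-encode per SigV4 rules; keep '/' only when encoding the object path.
def uri_encode(str, keep_slash = false)
  str.b.gsub(/[^A-Za-z0-9\-._~]/n) do |c|
    keep_slash && c == '/' ? c : format('%%%02X', c.ord)
  end
end

def hmac(key, data)
  OpenSSL::HMAC.digest('SHA256', key, data)
end

# Returns a time-limited GET URL for one object; the object's ACL stays private.
def presign_get(host:, path:, region:, access_key:, secret_key:, expires:, now: Time.now)
  amz_date = now.getutc.strftime('%Y%m%dT%H%M%SZ')
  date = amz_date[0, 8]
  scope = "#{date}/#{region}/s3/aws4_request"
  query = {
    'X-Amz-Algorithm' => 'AWS4-HMAC-SHA256',
    'X-Amz-Credential' => "#{access_key}/#{scope}",
    'X-Amz-Date' => amz_date,
    'X-Amz-Expires' => expires.to_s,
    'X-Amz-SignedHeaders' => 'host'
  }.sort.map { |k, v| "#{uri_encode(k)}=#{uri_encode(v)}" }.join('&')
  canonical_path = uri_encode(path, true)
  # Only the Host header is signed; the payload of a GET is declared unsigned.
  canonical = ['GET', canonical_path, query, "host:#{host}\n", 'host',
               'UNSIGNED-PAYLOAD'].join("\n")
  to_sign = ['AWS4-HMAC-SHA256', amz_date, scope,
             OpenSSL::Digest::SHA256.hexdigest(canonical)].join("\n")
  # Derive the signing key: date -> region -> service -> terminator.
  key = [date, region, 's3', 'aws4_request']
        .inject("AWS4#{secret_key}") { |k, part| hmac(k, part) }
  signature = OpenSSL::HMAC.hexdigest('SHA256', key, to_sign)
  "https://#{host}#{canonical_path}?#{query}&X-Amz-Signature=#{signature}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed placeholder credentials; host, bucket and key are from the question.
  puts presign_get(host: 's3-ap-southeast-2.amazonaws.com',
                   path: '/paperclipdemo3bucket1/var/app/current/public/pdf/1/original/testupload_2page_doc1.pdf',
                   region: 'ap-southeast-2', access_key: 'AKIAEXAMPLEPLACEHOLDER',
                   secret_key: 'constructed-placeholder-secret', expires: 300)
end
```

Inside a Rails app, Paperclip's S3 storage exposes the same idea as `expiring_url` on the attachment, so the view can link to a signed URL instead of the bare one.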