Trying to get an EB working with an S3 bucket. Thought I'd followed all the instructions, but just cannot get the uploaded pdf to display (currently "permission denied"). I had this working on Heroku + S3 earlier so know it works in theory.
Setup
- Ruby EB, single instance. created with default app
- added the paperclip demo app
- app: paperclipdemo3 env: paperclipdemo3-dev
- instance profile (aws-elasticbeanstalk-ec2-role). standard service profile (aws-elasticbeanstalk-service-role)
- attached AmazonS3FullAccess to this role
- S3 buckets created in same region
Error
When viewing the uploaded file (pdf) gives:
    <Error>
      <Code>AccessDenied</Code>
      <Message>Access Denied</Message>
      <RequestId>5CDDC975006C7C62</RequestId>
      <HostId>h3ohBvPu8hXYIZkwLsgF/k0akNuLjyaOpbBzgsxmgtesQ/UJBlOH6phRrsr0tPowNFBFZ7LCI7M=</HostId>
    </Error>
uploaded doc S3 path
as per generated html page
Tried
- fixed 'sorry something went wrong', which was endpoints / region config
- adding a specific policy as suggested in docs, customising bucket names etc., but decided when it didn't work to go simple:
- adding S3 full access to the aws-elasticbeanstalk-ec2-role (which seems the 'simplest' as defined here: "SO S3 permissions").
- making the S3 bucket world readable (i.e. everyone), and it gives the same access denied. Surely this should work!?
Just cannot get it to work. Bet it's something obvious!?
Hope someone else can spot it quicker than I can, any thoughts appreciated.
Ben
EDIT 1 - I've noticed that people talk of seeing logs in the EB console, but all I can do is download the last 100 lines or full EC2 logs. None of my logs mention S3 errors (other than paperclip uploading the file), there is no return code. I've also noticed my S3 bucket is not writing ANY logs (even though I attached a separate logging bucket in the same region).
Paperclip config
    config.paperclip_defaults = {
      :storage => :s3,
      :s3_region => 'ap-southeast-2',
      :s3_permissions => :private,
      :s3_protocol => 'https',
      :s3_host_name => 's3-ap-southeast-2.amazonaws.com',
      :s3_endpoint => 's3-ap-southeast-2.amazonaws.com',
      :s3_credentials => {
        :bucket => ENV['AWS_BUCKET'],
        :access_key_id => ENV['AWS_ACCESS_KEY_ID'],
        :secret_access_key => ENV['AWS_SECRET_ACCESS_KEY'],
      }
    }
Roles
Policy for Role aws-elasticbeanstalk-ec2-role
EB configuration environment variables
S3 example uploaded file permissions
I was mixing S3 policy & ACLs. This config is the culprit
If it's removed it goes public!
This has a good explanation of it: https://thewebfellas.com/blog/protecting-your-paperclip-downloads with the ACLs listed here: http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html
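
A browser following the plain object URL makes an unsigned, anonymous request, so an object uploaded with a private ACL answers AccessDenied no matter what the instance role allows. The following is an added example, not code from the original post or from Paperclip: it keeps the object private and builds a time-limited SigV4 presigned GET URL using only Ruby's standard library. The function names, the virtual-hosted host style and the sample values (the placeholder credentials from AWS's published SigV4 example, not real keys) are assumptions.

```ruby
require 'openssl'

# RFC 3986 percent-encoding as SigV4 expects: only A-Z a-z 0-9 - _ . ~ stay literal.
def uri_encode(str)
  str.to_s.gsub(/[^A-Za-z0-9\-_.~]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
end

def hmac(key, data)
  OpenSSL::HMAC.digest('sha256', key, data)
end

# Builds an expiring GET URL for a private S3 object (SigV4 query-string auth).
# host is the virtual-hosted bucket endpoint, e.g. "<bucket>.s3.amazonaws.com".
def presign_get(host:, key:, region:, access_key_id:, secret_access_key:, expires_in:, now: Time.now)
  stamp = now.utc.strftime('%Y%m%dT%H%M%SZ')
  day   = stamp[0, 8]
  scope = "#{day}/#{region}/s3/aws4_request"
  path  = '/' + key.split('/').map { |seg| uri_encode(seg) }.join('/')
  query = {
    'X-Amz-Algorithm'     => 'AWS4-HMAC-SHA256',
    'X-Amz-Credential'    => "#{access_key_id}/#{scope}",
    'X-Amz-Date'          => stamp,
    'X-Amz-Expires'       => expires_in.to_s,
    'X-Amz-SignedHeaders' => 'host'
  }.sort.map { |k, v| "#{uri_encode(k)}=#{uri_encode(v)}" }.join('&')

  # Canonical request: method, path, query, headers, blank line, signed headers, payload marker.
  canonical = ['GET', path, query, "host:#{host}", '', 'host', 'UNSIGNED-PAYLOAD'].join("\n")
  to_sign   = ['AWS4-HMAC-SHA256', stamp, scope, OpenSSL::Digest::SHA256.hexdigest(canonical)].join("\n")

  # Signing key is an HMAC chain over date, region, service and the fixed terminator.
  signing_key = [day, region, 's3', 'aws4_request'].reduce("AWS4#{secret_access_key}") { |k, part| hmac(k, part) }
  signature   = OpenSSL::HMAC.hexdigest('sha256', signing_key, to_sign)
  "https://#{host}#{path}?#{query}&X-Amz-Signature=#{signature}"
end

# Sample call with AWS's documentation placeholder credentials (not real keys).
if __FILE__ == $PROGRAM_NAME
  puts presign_get(host: 'examplebucket.s3.amazonaws.com', key: 'test.txt',
                   region: 'us-east-1', access_key_id: 'AKIAIOSFODNN7EXAMPLE',
                   secret_access_key: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
                   expires_in: 86_400, now: Time.utc(2013, 5, 24))
end
```

Paperclip's S3 storage exposes the same idea as `expiring_url` on an attachment, so the view can link to a signed URL instead of the plain object URL.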