
Couldn't get S3 adaptor to work

  • 0
  • Storage
mav8rick
20 Jul, 2023, 19:59

Hi, due to the security considerations of using access key and secret, I have created a "special user" with no powers beyond that over the designated S3 bucket (s3: ). However, I couldn't even get the initial console's uploading of a single small file to work - just stayed stuck at "UPLOADING FILES (1)".
Initially, I thought it was due to SSL but even after forcing the browser to accept the self-signed cert, the problem remains. I looked around the logs of the containers and found that there is an "access denied" error (see screenshot) around line 808 of /usr/src/code/vendor/utopia-php/Storage/Device/S3.php. What kind of rights (policy) should I have applied on the S3 bucket? I thought s3: on that bucket would solve all problems but I guess it didn't. Would appreciate any pointers you can give.

TL;DR
User is having trouble getting the S3 adaptor to work for uploading files. They have tried giving the user full rights to the bucket, but it didn't work. Someone suggests adding `/*` to the policy to apply it to everything in the bucket. Other suggestions include checking the resource in the policy, using a different access key and secret, and checking for misconfigured environment variables. User also mentions that they created a user with restricted rights to the bucket and are using their access key and secret. There is speculation about whether the issue is related to Appwrite or the AWS policy. User asks for advice on what rights/policies to apply.
D5
20 Jul, 2023, 20:22

You should use a key and secret

D5
20 Jul, 2023, 20:24

There should not be any problems regarding security unless Appwrite has some exploit or security issue (currently not known any issue regarding buckets connection with adapters)

mav8rick
21 Jul, 2023, 03:05

I am using a working access key and secret. Am wondering why I am seeing that AccessDenied error unless it’s some “action” that I have to explicitly allow in a policy

mav8rick
21 Jul, 2023, 03:08

No “problem” with security - just that I created a user with full rights to the bucket and then use that user’s access key and secret in the .env

Drake
21 Jul, 2023, 04:11

usually, the problem is some misconfigured env var

mav8rick
21 Jul, 2023, 07:46
mav8rick
21 Jul, 2023, 07:47

I am 100% sure it's a rights issue because when I replaced that "restricted" user with another user that has "power user" rights in the AWS account, the upload went through. I don't have time to check the AWS logs for now but I will. Hopefully someone can enlighten me in the meantime. The screenshot I attached is for the "restricted" user but I gave this user all the appropriate rights for the S3 bucket that I can think of.

mav8rick
21 Jul, 2023, 08:55
Drake
21 Jul, 2023, 14:43

Do you have a /* for that bucket?

mav8rick
21 Jul, 2023, 17:34

I don't quite understand that question... how would that affect the access control? I have a user A (policy as shown) who has full rights to the S3 bucket and then I have user B with no explicit policy imposed - B is just a "Power User" (as defined in AWS pre-canned set of policies). I put in B's access key and secret => no problem, I put in A's and I got hit with AccessDenied. Why?

mav8rick
21 Jul, 2023, 17:35

I mean - you guys can try this out - just create a vanilla user via IAM, apply this inline policy and generate the access key and secret from it and put it into .env and see if you get the same problem.

Drake
21 Jul, 2023, 19:19

The resource on line 10. It's redacted so I can't tell what you have at the end after the bucket name

mav8rick
25 Jul, 2023, 09:35

The resource points to a specific bucket, there is nothing after the specific ID for the bucket

Drake
25 Jul, 2023, 16:27

perhaps you should try adding /* or maybe another statement that grants to /*?

mav8rick
30 Jul, 2023, 16:20

That's the point... if Appwrite only needs permission to that 1 particular bucket, what other rights do I need to grant besides giving full rights to that 1 single bucket? I have added "ListAllMyBuckets" and "GetBucketLocation" but what else? Note that I have given FULL rights to that 1 bucket that Appwrite is using. It's all a matter of ensuring I'm not giving it more rights than needed, e.g. why should I grant it full rights to ALL buckets in the account?

Drake
30 Jul, 2023, 16:21

Did you try what I suggested?

mav8rick
30 Jul, 2023, 16:23

I got it working by giving it "Power User" which gives the user the ability to spin up EC2s, set up VPCs etc. but that's "too much" for a user that's only supposed to be using that 1 single bucket

Drake
30 Jul, 2023, 16:23

I don't know much about AWS policies but what I saw was you need the /* to apply the policy to everything in the bucket.
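
Added illustration (not part of the thread): a simplified IAM-style evaluator showing why a policy whose Resource is only the bucket ARN covers bucket-level actions such as s3:ListBucket but not object-level actions such as s3:PutObject, which are evaluated against arn:aws:s3:::bucket/* and therefore need the `/*` resource Drake mentions. The bucket name, object key and both policies are constructed; the matcher ignores conditions, NotAction and other real IAM features.

```python
import fnmatch
import json

# Constructed sample bucket and object; not the poster's redacted values.
BUCKET_ARN = "arn:aws:s3:::example-appwrite-bucket"
OBJECT_ARN = BUCKET_ARN + "/uploads/example.txt"

# Policy shape the thread describes: full S3 rights, but Resource names only the bucket.
BUCKET_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": BUCKET_ARN}],
}

# Least-privilege alternative: bucket ARN for bucket-level actions, bucket/* for
# object-level actions, plus the account-wide ListAllMyBuckets the poster added.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": BUCKET_ARN},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": BUCKET_ARN + "/*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    # IAM wildcards "*" and "?" behave like fnmatch; matching is whole-string,
    # so a bare bucket ARN never matches "bucket/key".
    return fnmatch.fnmatchcase(value, pattern)

def is_allowed(policy, action, resource):
    """Simplified evaluation: an explicit Deny wins, otherwise any matching Allow grants."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def upload_checks(policy):
    """Which of the calls a file upload needs does this policy grant?"""
    return {
        "ListBucket on bucket": is_allowed(policy, "s3:ListBucket", BUCKET_ARN),
        "PutObject on object": is_allowed(policy, "s3:PutObject", OBJECT_ARN),
        "GetObject on object": is_allowed(policy, "s3:GetObject", OBJECT_ARN),
    }

if __name__ == "__main__":
    print(json.dumps({"bucket_only": upload_checks(BUCKET_ONLY_POLICY),
                      "scoped": upload_checks(SCOPED_POLICY)}, indent=2))
```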

mav8rick
30 Jul, 2023, 16:23

I will try it tomorrow - thanks!
