AWS S3 - User Policies and Bucket Permissions
Welcome!
- [X] Yes, I have searched for similar issues on GitHub and found none.
What did you do?
I was trying to configure an AWS S3 Bucket and encountered some difficulties.
What did you expect?
Bucket created without exceptions.
What did you observe instead of what you expected?
I first suspected that it was a misconfiguration of the environment variables, but after investigating further I understood that it was the AWS IAM user policies that I used to generate the S3 credentials.
Since I couldn't find any instructions on this in the documentation, I looked at the MINIO Client actions in the source code until I found a policy that best suited my needs.
Although the policies were correct, I found two possible exceptions within the code that:
- prevented the bucket from being created correctly (since the AWS REGION was not defined);
  - in the `createBucket` function in the `minio.server.ts` file, you need to define the region in addition to the bucket name, so: `await minioClient.makeBucket(bucketName, BUCKET.REGION)`
- and the bucket policy from being assigned (since the bucket must be public to receive the ACLs):
  - Once the bucket is created, in order to assign policies, the bucket must be in public mode.
  - I haven't figured out how to do this with the MINIO client (you might find something about it by searching for `AWS::S3::Bucket PublicAccessBlockConfiguration`), but in the AWS console you can adjust the bucket permissions (see screenshots below).
Screenshots/Videos
Which version of the API are you using?
v2.0.10
What is your environment?
Docker
Other environment specifications
No response
If applicable, paste the log output
```
[Evolution API] v2.0.10 158 - Thu Aug 22 2024 20:22:25 ERROR [S3 Service] [string] S3 ERROR:
[Evolution API] v2.0.10 158 - Thu Aug 22 2024 20:22:25 ERROR [S3 Service] [object]
S3Error: The unspecified location constraint is incompatible for the region specific endpoint this request was sent to.
    at parseError (/evolution/node_modules/minio/dist/main/internal/xml-parser.js:51:13)
    at Object.parseResponseError (/evolution/node_modules/minio/dist/main/internal/xml-parser.js:98:11)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Client.makeRequestStreamAsync (/evolution/node_modules/minio/dist/main/internal/client.js:513:19)
    at async Client.makeRequestAsyncOmit (/evolution/node_modules/minio/dist/main/internal/client.js:444:17)
    at async Client.makeBucket (/evolution/node_modules/minio/dist/main/internal/client.js:703:7)
    at async Fc (/evolution/dist/main.js:76:2868) {
  code: 'IllegalLocationConstraintException',
  requestid: 'VV69HPK6X7SD62XN',
  hostid: 'wINpmZwFWjhrU0BeUFstTCuvE9tdauTbu6rCm0wk0Cpj4eqD1cJOp1dHC2UWNxbrLEz6k4UkNLE=',
  amzRequestid: 'VV69HPK6X7SD62XN',
  amzId2: 'wINpmZwFWjhrU0BeUFstTCuvE9tdauTbu6rCm0wk0Cpj4eqD1cJOp1dHC2UWNxbrLEz6k4UkNLE=',
  amzBucketRegion: undefined
}
```
Additional Notes
For reference, these are the permissions it grants to the user who owns the S3 access credentials:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*",
        "s3-object-lambda:*"
      ],
      "Resource": "arn:aws:s3:::<BUCKET_NAME>/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketPolicy",
        "s3:PutBucketPolicy"
      ],
      "Resource": "arn:aws:s3:::<BUCKET_NAME>"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation",
        "s3:GetBucketPolicy",
        "s3:PutBucketPolicy"
      ],
      "Resource": "arn:aws:s3:::*"
    }
  ]
}
```
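The failure above is the `makeBucket` call reaching a region-specific AWS endpoint with no location constraint. The following is an added example, not Evolution API code and not the minio library's own code: a small bootstrap wrapper that refuses to call `makeBucket` against an AWS endpoint without a region, and turns an `IllegalLocationConstraintException` from the server into a message that names the mismatch instead of a bare stack trace. The `BucketClient` interface mirrors only the two minio `Client` methods used here (`bucketExists(name)` and `makeBucket(name, region?)`); `FakeAwsClient`, `isAwsEndpoint`, `resolveRegion` and `ensureBucket` are names introduced for this example, and the hostname-based AWS check is an assumption (endpoints under `amazonaws.com`), not something the project does.

```typescript
// Added example (not Evolution API or minio code). The minio Client is
// injected through a minimal structural interface so the logic can be
// exercised offline with a fake; the real `new Client({...})` from the
// `minio` package satisfies this interface for the two methods used.

interface BucketClient {
  bucketExists(name: string): Promise<boolean>;
  makeBucket(name: string, region?: string): Promise<void>;
}

// Shape of the error minio surfaces (the issue's log shows `code` set).
interface S3LikeError extends Error {
  code?: string;
}

// Assumption for this example: anything served under amazonaws.com is AWS S3,
// where a region is mandatory; a self-hosted MinIO endpoint ignores it.
function isAwsEndpoint(endpoint: string): boolean {
  const host = endpoint
    .replace(/^https?:\/\//i, '')
    .split('/')[0]
    .split(':')[0];
  return /(^|\.)amazonaws\.com$/i.test(host);
}

// Fail fast, before any network call, when AWS is the target and the
// region (e.g. the S3_REGION environment variable) was left undefined.
function resolveRegion(endpoint: string, region: string | undefined): string | undefined {
  const trimmed = region?.trim();
  if (trimmed) return trimmed;
  if (isAwsEndpoint(endpoint)) {
    throw new Error(
      `S3 region is required for AWS endpoint "${endpoint}"; set it before calling makeBucket`,
    );
  }
  return undefined;
}

// Create the bucket only if it does not exist, always passing the region
// (this is the change the issue asks for: makeBucket(bucketName, region)).
async function ensureBucket(
  client: BucketClient,
  endpoint: string,
  bucket: string,
  region?: string,
): Promise<'exists' | 'created'> {
  const resolved = resolveRegion(endpoint, region);
  if (await client.bucketExists(bucket)) return 'exists';
  try {
    await client.makeBucket(bucket, resolved);
    return 'created';
  } catch (err) {
    const e = err as S3LikeError;
    if (e.code === 'IllegalLocationConstraintException') {
      throw new Error(
        `makeBucket(${bucket}) rejected with ${e.code}: region "${resolved ?? '<unset>'}" ` +
          `does not match the region of endpoint "${endpoint}" (${e.message})`,
      );
    }
    throw err;
  }
}

// Constructed fake for the example: behaves like AWS, i.e. makeBucket with
// no region fails with the exact error code seen in the issue's log.
class FakeAwsClient implements BucketClient {
  public calls: Array<[string, string | undefined]> = [];
  constructor(private existing: Set<string> = new Set()) {}
  async bucketExists(name: string): Promise<boolean> {
    return this.existing.has(name);
  }
  async makeBucket(name: string, region?: string): Promise<void> {
    this.calls.push([name, region]);
    if (!region) {
      const err: S3LikeError = new Error(
        'The unspecified location constraint is incompatible for the region specific endpoint this request was sent to.',
      );
      err.code = 'IllegalLocationConstraintException';
      throw err;
    }
    this.existing.add(name);
  }
}
```

With the real client you would call `ensureBucket(minioClient, process.env.S3_ENDPOINT, bucketName, process.env.S3_REGION)` (variable names assumed); against a local MinIO the region may stay unset, against AWS the wrapper refuses to proceed without one.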
See the changelog of Evolution; they have added the region to the S3 environment variables.
Oh, nice! But I think it's still worth a disclaimer about AWS policies and permissions. Thanks for the heads up, @dpaes.