ghost-on-heroku icon indicating copy to clipboard operation
ghost-on-heroku copied to clipboard

Published 20 hours ago verified publisher icon cobyism

Access denied on image upload

Open simon-asp opened this issue 5 years ago • 8 comments

Hey! I read all the old issues on the AWS issues, but I can't get it to work.

  • I have double checked all config vars in heroku.
  • Created a new IAM user in AWS and gave it this policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt13242300",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket/*"
            ]
        }
    ]
}

I used us-east-1 as mentioned here.

What could be wrong?

simon-asp avatar Jan 29 '19 11:01 simon-asp

@simon-asp I ran into the same issue. I was able to fix this by editing my public access list controls for the bucket in AWS.

Manage public access control lists (ACLs) Block new public ACLs and uploading public objects (Recommended): False Remove public access granted through public ACLs (Recommended): False

I have to admit, I'm not entirely sure what the security vulnerabilities this creates. If you have any info on this I'd love to hear about it.

topherolson avatar Jan 31 '19 00:01 topherolson

@topherolson Thanks! that didn't work for me.

Can you show me what you did otherwise?

simon-asp avatar Jan 31 '19 12:01 simon-asp

I did the standard install. So I would just make sure your Config Vars in Heroku are set properly, i.e. proper naming convention for your Bucket region.

topherolson avatar Jan 31 '19 14:01 topherolson

I'm running into this same issue. @simon-asp were you able to resolve? I have checked my credentials using the aws cli tool and I'm able to upload from there.

calebl avatar Nov 16 '19 19:11 calebl

I ran into the Access Denied issue, and later a different issue where the image would successfully i upload but then couldn’t be displayed correctly. Eventually I was able to get the uploads working, though only by unsetting S3_ASSET_HOST_URL.

Have you checked whether you can create publicly readable assets from the CLI?

paulmelnikow avatar Nov 16 '19 20:11 paulmelnikow

Followed all of the above and can upload a resource via the CLI with the keys I provided—not sure why this isn't working and would appreciate any help!

cacabo avatar Jun 17 '20 04:06 cacabo

Ah actually updating the bucket policy per this repo seems to have done the trick!

cacabo avatar Jun 17 '20 04:06 cacabo

I had this "Access denied" issue too after blocking public access to my S3 bucket (I use Cloudfront to access images) - realized that the S3 adapter this project uses defaults to a public ACL when adding new images, so specifying a private ACL resolved this issue for me.

wsun avatar Feb 18 '21 10:02 wsun