
Bug: use-bucket-acls remains true when object ownership is enforced and block all public access is enabled

Open chasemduffin opened this issue 6 months ago • 2 comments

Describe the bug

When setting up an existing S3 bucket as the storage provider with "Block All Public Access" enabled and "Object Ownership" enforced, and an existing CloudFront distribution as the delivery provider, the following error is shown even though the CDN is functioning properly:

Delivery provider status cannot be determined. An error was encountered while attempting to offload a temporary file for Public delivery.

To Reproduce

Steps to reproduce the behavior:

  1. Create an S3 bucket with Block All Public Access enabled and object owner enforced and associated bucket policy permitting CloudFront OAI
  2. Create a CloudFront distribution with Origin Access Identity pointing to the bucket
  3. Configure the plugin storage and distribution settings as described in the diagnostic info and screenshots attached

Expected behavior

Delivery provider is successfully connected and serving offloaded media.

Screenshots

If applicable, add screenshots to help explain your problem.

debug.log

I enabled debug logging, but actually this error was not logged there. In fact, none of the plugin output was available. Perhaps this is its own bug.

Diagnostic Info (from plugin's "Support" tab):

Partially redacted, attached.

test.solairia.com-diagnostic-log-20251015191659.txt

Additional context

I actually found a resolution to this. If you add the legacy option

define( 'AS3CF_SETTINGS', serialize( array(
    'use-bucket-acls' => false,
) ) );

to wp-config.php, it then works. I only discovered this after inspecting my associated database with

get_site_option("as3cf_settings")

which returned

{
    "bucket": "REDACTED",
    "delivery-domain": "cdn.test.REDACTED.com",
    "delivery-provider": "aws",
    "enable-delivery-domain": true,
    "force-https": true,
    "object-prefix": "REDACTED/wp-content/uploads/",
    "region": "us-east-1",
    "use-bucket-acls": true,
    "use-server-roles": true,
    ...
}

As you can see here, "use-bucket-acls" remained true in the database, even after setting up the S3 bucket with "Block All Public Access" enabled and "Object Ownership" enforced. This is the heart of the bug IMO. Your documentation suggests in several places that this should not be the case. Perhaps this is only the case when you bring your own bucket and CloudFront distribution, but nonetheless.

chasemduffin, Oct 15 '25 19:10

Hey @chasemduffin, that's an interesting one.

If you comment out the entire AS3CF_SETTINGS define, refresh WP Offload Media's settings page, click the "Edit" button at the top of the Storage Settings panel, and then just click each of the "Save & Continue" buttons to progress all the way through the steps without changing anything, do you get the same problem again?

ianmjones, Oct 16 '25 08:10

@ianmjones no, it seems that value is now persistent in the database. After following your instructions the status is still reported as

Delivery provider is successfully connected and serving offloaded media.

and inspecting the database shows the value remains false:

root@REDACTED:/var/www/html# cat <<'EOF' | php
<?php
define('WP_USE_THEMES', false);
require('/var/www/html/wp-load.php');
global $wpdb;
$value = $wpdb->get_var("SELECT option_value FROM {$wpdb->options} WHERE option_name = 'as3cf_settings'");
$settings = maybe_unserialize($value);
echo json_encode($settings, JSON_PRETTY_PRINT) . PHP_EOL;
?>
EOF
{
    "use-bucket-acls": false
}

chasemduffin, Oct 16 '25 13:10
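
A consistency check for the mismatch reported in this thread, as an added example that is not part of the issue or the plugin's code: it compares the stored `use-bucket-acls` value with the bucket's Object Ownership and Block Public Access configuration. The function names and sample inputs are constructed for illustration; the inputs follow the JSON shapes of the settings dump in the thread and of `aws s3api get-bucket-ownership-controls` and `aws s3api get-public-access-block`.

```python
import json

# Constructed sample inputs (not taken from the issue's attachments).
# Plugin settings in the shape printed by the json_encode() command in the thread.
PLUGIN_SETTINGS = json.loads('{"bucket": "example-bucket", "use-bucket-acls": true}')
# Shape of `aws s3api get-bucket-ownership-controls` output.
OWNERSHIP = json.loads(
    '{"OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}}'
)
# Shape of `aws s3api get-public-access-block` output.
PUBLIC_ACCESS_BLOCK = json.loads(
    '{"PublicAccessBlockConfiguration": {"BlockPublicAcls": true,'
    ' "IgnorePublicAcls": true, "BlockPublicPolicy": true,'
    ' "RestrictPublicBuckets": true}}'
)


def acls_disabled(ownership):
    """True when any Object Ownership rule is BucketOwnerEnforced (ACLs off)."""
    rules = (ownership or {}).get("OwnershipControls", {}).get("Rules", [])
    return any(r.get("ObjectOwnership") == "BucketOwnerEnforced" for r in rules)


def public_acls_blocked(pab):
    """True when Block Public Access rejects or ignores public ACLs."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    return bool(cfg.get("BlockPublicAcls") or cfg.get("IgnorePublicAcls"))


def find_acl_mismatch(settings, ownership, pab):
    """Return findings where the stored plugin setting contradicts the bucket."""
    findings = []
    # Assumption: a missing key is treated as "not set" (the plugin's default
    # is not stated in the thread); only an explicit true is flagged.
    if settings.get("use-bucket-acls") is not True:
        return findings
    if acls_disabled(ownership):
        findings.append("use-bucket-acls is true but Object Ownership is "
                        "BucketOwnerEnforced (ACLs disabled)")
    if public_acls_blocked(pab):
        findings.append("use-bucket-acls is true but Block Public Access "
                        "blocks or ignores public ACLs")
    return findings


if __name__ == "__main__":
    for finding in find_acl_mismatch(PLUGIN_SETTINGS, OWNERSHIP, PUBLIC_ACCESS_BLOCK):
        print("MISMATCH:", finding)
```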