S3-Uploads
S3-Uploads copied to clipboard
humanmade
wp s3-uploads verify False Positive
Plugin 'S3-Uploads' activated.
Success: Activated 1 of 1 plugins.
bash-4.2$ wp s3-uploads verify
Attempting to upload file s3://assets.***.com/uploads/1987710637.jpg
PHP Warning: Error executing "PutObject" on "https://s3.us-east-2.amazonaws.com/assets.***.com/uploads/1987710637.jpg"; AWS HTTP error: Client error: `PUT https://s3.us-east-2.amazonaws.com/assets.**.com/uploads/1987710637.jpg` resulted in a `403 Forbidden` response:
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>B7C133 (truncated...)
AccessDenied (client): Access Denied - <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>B7C133F0810E4394</RequestId><HostId>E20UHUxCBFVceEVKUB23xehxfOYcWf/wvaXuvBLWGMxFrOWtImJBp/VMFMnxh6H/jD572tbQ8OE=</HostId></Error> in /var/www/lpm.**.io/wp-content/plugins/S3-Uploads/inc/class-s3-uploads-stream-wrapper.php on line 835
Warning: Error executing "PutObject" on "https://s3.us-east-2.amazonaws.com/assets.**.com/uploads/1987710637.jpg"; AWS HTTP error: Client error: `PUT https://s3.us-east-2.amazonaws.com/assets.***.com/uploads/1987710637.jpg` resulted in a `403 Forbidden` response:
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>B7C133 (truncated...)
AccessDenied (client): Access Denied - <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>B7C133F0810E4394</RequestId><HostId>E20UHUxCBFVceEVKUB23xehxfOYcWf/wvaXuvBLWGMxFrOWtImJBp/VMFMnxh6H/jD572tbQ8OE=</HostId></Error> in /var/www/lpm.**.io/wp-content/plugins/S3-Uploads/inc/class-s3-uploads-stream-wrapper.php on line 835
File uploaded to S3 successfully.
Attempting to delete file. s3://assets.**.com/uploads/1987710637.jpg
File deleted from S3 successfully.
Success: Looks like your configuration is correct.
bash-4.2$ ```
@mattpramschufer did you ever find a solution for this? I'm getting this same thing.
No I did not, I actually stopped using this plugin and switched to MediaCloud https://wordpress.org/plugins/ilab-media-tools/
It works fantastic, support is 100%, even has a migration tool to migrate from this plugin. Would 110% recommend.
Thanks for the recommendation. I'll probably just end up manually uploading my images to S3, we'll see though. For others that come upon this, note also that I am getting the same error even when I use AWS admin credentials.
Ok, I had this exact issue and did some code debugging. It ended up being a ACL issue on the S3 bucket. The stream was failing to upload, not because the user (or admin) didn't have permissions, but because the ACL was setting to public-read and I had accidentally set the bucket to never allow public-read.
Once I realized this, I was able to resolve by adjusting the public settings to the following: image
I can confirm this seems to be the issue. The bucket should NOT have "block public access" permissions set. Once this is set, it fixes the verbose output.
The bucket should NOT have "block public access" permissions set
This is poor security practice. Instead, set define( 'S3_UPLOADS_OBJECT_ACL', 'private' ); in wp-config.php.
Doing so does mean you also intended to close off public S3 access, and probably being front-ended by CloudFront.
The original false positive on "verify" is still a bug though, since a failed operation should not result in "success".
The bucket should NOT have "block public access" permissions set
This is poor security practice. Instead, set
define( 'S3_UPLOADS_OBJECT_ACL', 'private' );in wp-config.php.
AFAIK, that depends on the purpose of your S3 bucket, it's not a security issue per se.
However, I agree with following the least privilege principle and having the option to tell the ACL is a better way to configure it. In my case, all my S3 buckets are private by default and are proxied by Cloudfront, which is a great way to speed up delivery and save some bandwidth (and money).
So, my suggestion is to follow @whyrg comment. Proxy your S3 bucket using Cloudfront or any other CDN provider (you'll need to generate the right bucket policy), make it private by default and use define( 'S3_UPLOADS_OBJECT_ACL', 'private' ); in wp-config.php.