
Private uploads signed URLs access denied

Open jtn413dev opened this issue 3 years ago • 2 comments

Hi all,

I'm getting access denied when I try to access a file using the signed URL

<Error> <Code>AccessDenied</Code> <Message>Access Denied</Message> <RequestId>5...C6</RequestId> <HostId>Ht...M=</HostId> </Error>

I installed the plugin using the manual-install.zip and defined the constants:

  • define( 'S3_UPLOADS_BUCKET', 'my-bucket' );
  • define( 'S3_UPLOADS_REGION', '' );
  • define( 'S3_UPLOADS_USE_INSTANCE_PROFILE', true );
  • define('S3_UPLOADS_OBJECT_ACL', 'private');

and included the filter:

  • add_filter( 's3_uploads_is_attachment_private', '__return_true' );

Files upload to S3 correctly and the URL comes back with what looks like a signed response, but it errors when I paste it in the browser.

The url looks like this (query parameters on new lines for readability):

s3url/filepath?X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&;amp;
X-Amz-Security-Token=IQoJb3JpZ2luX2VjEGcaCXVzLWVhc3Qt.......%3D%3D&amp;
X-Amz-Algorithm=AWS4-HMAC-SHA256&amp;
X-Amz-Credential=A...11203%2Fus-east-2%2Fs3%2Faws4_request&amp;
X-Amz-Date=20211203T073957Z&amp;
X-Amz-SignedHeaders=host&amp;
X-Amz-Expires=21600&amp;
X-Amz-Signature=ce...701c

If I run the AWS CLI command "aws s3 presign <s3url/filepath>" on the instance itself using the instance profile, the URL returned from that opens the file in the browser correctly. The differences I noticed from the above are:

  • plugin url has the query parameter X-Amz-Content-Sha256=UNSIGNED-PAYLOAD
  • after X-Amz-Content-Sha256=UNSIGNED-PAYLOAD there is "&;amp;"
  • the rest of the parameters have "&" between them

I've tried removing "amp;" so that only "&" remains between the parameters and also removing the X-Amz-Content-Sha256=UNSIGNED-PAYLOAD but they start producing different errors such as:

<Error> <Code>SignatureDoesNotMatch</Code>,

<Error> <Code>AccessDenied</Code> <Message>No AWSAccessKey was presented.</Message>,

<Error> <Code>InvalidAccessKeyId</Code> <Message> The AWS Access Key Id you provided does not exist in our records. </Message>

jtn413dev, Dec 03 '21 08:12

Same issue, did you ever solve it?

enys, Feb 08 '24 10:02

In my case, after an interesting debug session, I discovered that the bucket URL used to sign and then return was different due to the endpoint setting.

enys, Feb 08 '24 14:02

I solved it the same way @enys did. My URL in the S3_UPLOADS_BUCKET_URL constant was incorrect, missing the bucket name in my case. After I changed that, everything worked fine.

luizhsalazar, Apr 16 '24 22:04
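The host mismatch described in the two comments above, reproduced offline as an added example (not code from the plugin or from the posters): because the URL carries `X-Amz-SignedHeaders=host`, the hostname is part of the signed canonical request, so a URL signed for one endpoint and returned under another no longer verifies. Assumptions: the key pair, hostnames and object path are constructed sample values, no session token is used, and the labels returned by `server_check` are this example's own, not S3 error codes.

```python
import hashlib
import hmac
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample values: AWS's documented dummy key pair, date from the thread.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION, AMZ_DATE = "us-east-2", "20211203T073957Z"
SIGNED_HOST = "my-bucket.s3.us-east-2.amazonaws.com"  # hypothetical endpoint
SAFE = "-_.~"  # characters SigV4 leaves unescaped


def presign_get(host, path, expires=21600):
    """Build a SigV4 query-signed GET URL for https://<host><path>."""
    scope = f"{AMZ_DATE[:8]}/{REGION}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{ACCESS_KEY}/{scope}",
        "X-Amz-Date": AMZ_DATE,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    query = "&".join(f"{quote(k, safe=SAFE)}={quote(v, safe=SAFE)}" for k, v in sorted(params.items()))
    uri = quote(path, safe="/" + SAFE)
    # "host:<host>" is inside the canonical request, so the hostname is signed.
    canonical = "\n".join(["GET", uri, query, f"host:{host}", "", "host", "UNSIGNED-PAYLOAD"])
    digest = hashlib.sha256(canonical.encode()).hexdigest()
    to_sign = "\n".join(["AWS4-HMAC-SHA256", AMZ_DATE, scope, digest])
    key = f"AWS4{SECRET_KEY}".encode()
    for part in (AMZ_DATE[:8], REGION, "s3", "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    sig = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{uri}?{query}&X-Amz-Signature={sig}"


def server_check(url):
    """Recompute the signature from the host and path the request arrived on."""
    parts = urlsplit(url)
    q = parse_qs(parts.query, separator="&")
    if "X-Amz-Signature" not in q or "X-Amz-Credential" not in q:
        return "missing-auth-params"  # e.g. keys arrived as "amp;X-Amz-..."
    expected = presign_get(parts.netloc, parts.path).rsplit("=", 1)[1]
    same = hmac.compare_digest(expected, q["X-Amz-Signature"][0])
    return "ok" if same else "signature-mismatch"

good = presign_get(SIGNED_HOST, "/uploads/report.pdf")
rehosted = good.replace(SIGNED_HOST, "s3.us-east-2.amazonaws.com", 1)
for url in (good, rehosted, html.escape(good)):
    print(server_check(url), url[:70])
```

The third case is the same URL with its `&` separators HTML-escaped, as in the URL pasted in the first post: the parameter names no longer parse, so no credential or signature is presented at all.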

Sounds like this might be the solution then; I'll close this out.

rmccue, Apr 19 '24 16:04