80

I have the following access policy set on an IAM user in my AWS account. The policy references the bucket name which is "xo-staging".

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AccessToGetBucketLocation",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "AccessToWebsiteBuckets",
            "Effect": "Allow",
            "Action": [
                "s3:PutBucketWebsite",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::xo-staging",
                "arn:aws:s3:::xo-staging/*"
            ]
        },
        {
            "Sid": "AccessToCloudfront",
            "Effect": "Allow",
            "Action": [
                "cloudfront:GetInvalidation",
                "cloudfront:CreateInvalidation"
            ],
            "Resource": "*"
        }
    ]
}

I'm deploying a Gatsby application from my local machine to GitHub where I am using GitHub Actions to run a build and deploy script.

In my package.json file I have set "deploy" to the value of gatsby-plugin-s3 deploy --yes; export AWS_PAGER=\"\"; aws cloudfront create-invalidation --distribution-id E5FDMTLPHUTLTL --paths '/*'; in my workflows.yml file I have set "deploy" to npm run deploy.

In GitHub my build succeeds but my deploy fails. The error I get tells me "AccessControlListNotSupported: The bucket does not allow ACLs".

I've checked the actual bucket permissions in AWS and tried selecting different options, but always the same error message returns. In other words, I have tried removing all blocks on public access and ACLs but still the problem persists.

Please can someone suggest what I might need to change to get this full deploy working?

Adarsh Madrecha
Æthelstan

2 Answers

150

Adding Screenshots to the answer provided by @rudieros

  1. Go to Bucket > Permissions Tab. (Screenshot: AWS Bucket Config)

  2. Scroll to Object Ownership and click on Edit.

  3. Change the settings as below. (Screenshot: Edit S3 Ownership ACL)

Adarsh Madrecha
  • 4
    Was an update https://aws.amazon.com/about-aws/whats-new/2021/11/amazon-s3-object-ownership-simplify-access-management-data-s3/ – Elinaldo Monteiro Jan 16 '22 at 02:20
  • 4
    ACLs disabled has this description: _All objects in this bucket are owned by this account. Access to this bucket and its objects is specified using only policies._ Does this imply that there is a policy based way to achieve the same outcome? – Gibron Feb 27 '22 at 17:00
  • 4
    Is there an option to let an S3 client (e.g. the Amazon PHP SDK one) not call any ACL related code? And to thereby not having to modify the bucket policy? – Rvanlaak Apr 14 '22 at 14:07
46

Go to your bucket, into the Permissions tab, find Object Ownership and click Edit. Select ACLs enabled and carefully read the AWS warnings about potential security risks.

rudieros
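Added example, not part of either answer or of gatsby-plugin-s3: Python that takes a `get-bucket-ownership-controls`-shaped response and the question's IAM policy and reports whether an upload carrying a canned ACL passes the Object Ownership check, and which ACL-writing grants become usable once ACLs are enabled as the answers describe. The function names, the constructed responses in the test and the `public-read` canned ACL are assumptions; Deny statements are not evaluated.

```python
import fnmatch

# IAM actions that write ACLs; they only take effect while ACLs are enabled.
ACL_WRITE_ACTIONS = ("s3:PutObjectAcl", "s3:PutObjectVersionAcl", "s3:PutBucketAcl")

# Second statement of the question's policy (its other statements grant no ACL actions).
POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AccessToWebsiteBuckets", "Effect": "Allow",
    "Action": ["s3:PutBucketWebsite", "s3:PutObject", "s3:PutObjectAcl",
               "s3:GetObject", "s3:ListBucket", "s3:DeleteObject"],
    "Resource": ["arn:aws:s3:::xo-staging", "arn:aws:s3:::xo-staging/*"]}]}

def as_list(value):
    """IAM accepts a single item or a list for Statement, Action and Resource."""
    return list(value) if isinstance(value, (list, tuple)) else [value]

def object_ownership(controls):
    """Extract the setting from a GetBucketOwnershipControls-shaped response."""
    return controls["OwnershipControls"]["Rules"][0]["ObjectOwnership"]

def upload_allowed(ownership, canned_acl=None):
    """Would PutObject with this canned ACL pass the Object Ownership check?
    Block Public Access and IAM are separate checks and are not modelled."""
    if ownership != "BucketOwnerEnforced":      # ACLs enabled
        return True
    # ACLs disabled: other ACLs fail with AccessControlListNotSupported.
    return canned_acl in (None, "bucket-owner-full-control")

def acl_grants(policy, bucket):
    """ACL-writing actions the policy allows on the bucket or its objects."""
    targets = (f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/any-key")
    found = set()
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(t, p) for t in targets for p in patterns):
            continue
        for pat in as_list(stmt.get("Action", [])):
            found.update(a for a in ACL_WRITE_ACTIONS
                         if fnmatch.fnmatchcase(a.lower(), pat.lower()))
    return sorted(found)

def review(policy, controls, bucket, canned_acl):
    """Combine both checks for one bucket and one upload."""
    ownership = object_ownership(controls)
    enforced = ownership == "BucketOwnerEnforced"
    return {"ownership": ownership,
            "upload_ok": upload_allowed(ownership, canned_acl),
            "live_acl_grants": [] if enforced else acl_grants(policy, bucket)}
```

With ACLs disabled the `public-read` upload is rejected and the `s3:PutObjectAcl` grant is inert; with ACLs enabled the upload passes and that grant lets the IAM user change the ACL of any object in `xo-staging`.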