2

I'm getting the following error:

error   S3_STORE_ACCESS_DENIED
http_code   403
step    export
previousStep    :original
worker  novate.transloadit.com
message S3 did not accept the key / secret pair you provided.

If I put in an invalid API key, I'm getting a different error so I presume the error message is a false distraction. I've tested the API key & secret manually and they work so I know it's not my credentals.

The Transloadit docs say the following:

Warning: Please note that the acl parameter's default value is "public". AWS S3 recently introduced a bucket setting called "Block new public ACLs and uploading public objects (Recommended)". You need to set this to False in your bucket if you intend to leave the Robot's acl parameter to "public", otherwise you'll keep getting permission errors returned in your Assemblies even though your S3 credentials are configured correctly.

I tried the following, and it's not working (I'm getting the same 403 S3_STORE_ACCESS_DENIED again):

image showing Block all public access & Block public access to buckets and objects granted through new access control lists options both unchecked for an Amazon S3 bucket

How do I correctly configure my S3 bucket for file exports by the Transloadit /s3/store robot?

Ermiya Eskandary
  • 15,323
  • 3
  • 31
  • 44
Martin Spa
  • 1,494
  • 1
  • 24
  • 44
  • If you only want to export files to S3 via Transloadit, I would suggest setting the `acl` parameter when configuring `/s3/store/ to `private`; this is the most secure option and should fix your issue while also allowing you to also block all public access. If not, try unchecking the 3rd checkbox from the top there in your 2nd screenshot and that should also fix the issue. Can you please try both options? – Ermiya Eskandary Dec 16 '22 at 00:47
  • @ErmiyaEskandary correct! adding `"acl": "private"` fixed my issue. Can you put it as an answer so that you receive the bounty? – Martin Spa Dec 16 '22 at 13:38
  • Okay, so I tested both scenarios: with acl and all checkboxes ticked (so all public access blocked), and it worked. Then I tested with 1 and 3rd checkbox unticked, and acl parameter removed, and I got the same error S3_STORE_ACCESS_DENIED. So the acl parameter was the missing bit :) – Martin Spa Dec 16 '22 at 14:16
  • 1st, 2nd and 3rd unchecked? – Ermiya Eskandary Dec 16 '22 at 14:19
  • 1
    Tried with 1st and 3rd then. – Martin Spa Dec 16 '22 at 15:19

1 Answers1

4

TLDR: set the acl parameter for Transloadit to private.

If you only want to export files to S3 via Transloadit, the most secure option would just be to grant the IAM user access to write to the bucket. Unless you want per-object access control, ACLs aren't really used anymore in modern AWS and they're a legacy feature though not deprecated (yet). The IAM user having access would be enough.

The reason you see the error you do, is that Transloadit is attempting to specify the public-read canned ACL in its request by default. This would effectively correspond to granting everyone (the All Users group) the READ ACL permission.

It is essentially telling AWS that 'I don't want to just use IAM on its own, I want to use IAM and ACLs'.

This forces you to either:

  1. relax your ACL to allow it to make every object you're uploading to S3 accessible to the entire world;

  2. tell Transloadit to adhere to the default AWS ACL policy (private canned ACL) & not expose your files to the entire world; you can do this by setting the acl parameter to private.

Amazon S3 buckets and objects have always been private by default in line with AWS's security best practices. Any attempt to make the bucket or objects within public, must be done manually.

For option one (not recommended), in addition to the Block all public access & Block public access to buckets and objects granted through new access control lists (ACLs) options, ensure you've also unchecked the Block public access to buckets and objects granted through any access control lists (ACLs) option. This is currently checked in your current configuration. Unchecking all three would allow Transloadit to specify its default public-read ACL value to S3 for any object for the relative ACL permissions to be added to the ACL of the object.

For option two (highly recommended in line with the least-privilege AWS security best practice), set the acl parameter when setting up /s3/store to private. The private canned ACL means that by default, you (the bucket owner) get FULL_CONTROL and nobody else has any access rights. This basically brings Transloadit in line with AWS's default and is the safest option.

Ermiya Eskandary
  • 15,323
  • 3
  • 31
  • 44