My wcms team is attempting to move our multisite environment from the AmazonS3 module to this S3FS module. However, during our transfer we came across an issue with the refresh-metadata button to build the database reference tables. Doing this action through the site's GUI or through drush will both create an access denied exception with AWS.

The principal reason this error is thrown is because we changed the suggested IAM user policy from:

"Resource": [
    "arn:aws:s3:::<bucket_name>",
    "arn:aws:s3:::<bucket_name>/*"
]

to,

"Resource": [
    "arn:aws:s3:::<bucket_name>/site_name/*"
]

We also edited the root-folder setting to point to this site_name. Because we have multiple sites in the one bucket, we cannot allow an IAM user to have access to the entire thing for security implications. Through messing around with the module we have determined that changing the _s3fs_refresh_cache method's mention of "ListObjectVersions" to "ListObjects" will fix the problem, but without extensive knowledge why.

Any pointers/offered solutions would be greatly appreciated! Thanks,

-Bryce
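An added example, not from this issue or the S3FS module, of a per-site IAM policy for the situation described above: s3:ListBucket (ListObjects) and s3:ListBucketVersions (ListObjectVersions) are bucket-level actions evaluated against the bucket ARN, so a Resource list that contains only object ARNs cannot grant them; the per-site restriction on listing goes into a Condition on the s3:prefix key instead, while object actions stay scoped to the site's prefix. <bucket_name> and site_name are the placeholders from the post; the choice of object actions is an assumption.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyThisSitesPrefix",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketVersions"
      ],
      "Resource": "arn:aws:s3:::<bucket_name>",
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "site_name/",
            "site_name/*"
          ]
        }
      }
    },
    {
      "Sid": "ObjectAccessOnlyUnderThisSitesPrefix",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::<bucket_name>/site_name/*"
    }
  ]
}
```

A list request without a prefix, or with another site's prefix, fails the Condition and is denied, so the user can enumerate only its own site's keys.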


Comments

coredumperror:

Hmmm, intriguing problem. I believe the reason that S3FS requires bucket-level permissions is for the _s3fs_validate_config() function (though I could be wrong. I wrote this code years ago). It could possibly be re-written to not require that by rooting its listObjects() call at S3FS's root_folder config value, if that's set.

I'm not sure why there would be any difference between listObjects() and listObjectVersions() in terms of permissions needed, but that's also something that could be configured to be done differently based on permissions (or, more accurately, a checkbox in the configuration form). If you know you don't need Version support, you could check this box to make it use the un-versioned list code.

Unfortunately, I don't have time to work on my Drupal modules any more, so I won't be able to do the development to figure out if my theories here are correct. But if you do it yourself, I'll be happy to incorporate a patch into S3FS.