My wcms team is attempting to move our multisite environment from the AmazonS3 module to this S3FS module. However, during our transfer we came across an issue with the refresh-metadata button to build the database reference tables. Doing this action through the site's GUI or through drush will both create an access denied exception with AWS.
The principal reason this error is thrown is because we changed the suggested IAM user policy from:

    "Resource": [
        "arn:aws:s3:::<bucket_name>",
        "arn:aws:s3:::<bucket_name>/*"
    ]

to:

    "Resource": [
        "arn:aws:s3:::<bucket_name>/site_name/*"
    ]
We also edited the root-folder setting to point to this site_name. Because we have multiple sites in the one bucket, we cannot allow an IAM user to have access to the entire thing because of the security implications. Through messing around with the module we have determined that changing the _s3fs_refresh_cache method's mention of "ListObjectVersions" to "ListObjects" will fix the problem, but without extensive knowledge of why.
Any pointers/offered solutions would be greatly appreciated! Thanks,
-Bryce
Files:
  s3fsError.png (31.07 KB), attached by Bryce_Vonilten in comment #2

Comments

Comment #2
Bryce_Vonilten commented: (attached s3fsError.png)

Comment #3
coredumperror commented:

Hmmm, intriguing problem. I believe the reason that S3FS requires bucket-level permissions is for the _s3fs_validate_config() function (though I could be wrong. I wrote this code years ago). It could possibly be re-written to not require that by rooting its listObjects() call at S3FS's root_folder config value, if that's set.

I'm not sure why there would be any difference between listObjects() and listObjectVersions() in terms of permissions needed, but that's also something that could be configured to be done differently based on permissions (or, more accurately, a checkbox in the configuration form). If you know you don't need Version support, you could check this box to make it use the un-versioned list code.

Unfortunately, I don't have time to work on my Drupal modules any more, so I won't be able to do the development to figure out if my theories here are correct. But if you do it yourself, I'll be happy to incorporate a patch into S3FS.
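The following is an added example and is not code from this issue or from the S3FS module. It addresses both the reporter's policy change and coredumperror's suggestion of rooting the listing at root_folder from the IAM side. Two facts it relies on: in S3, ListObjects and ListObjectVersions are authorized by the bucket-level actions s3:ListBucket and s3:ListBucketVersions, which IAM evaluates against the bucket ARN rather than against any object key, so a policy whose only Resource is `arn:aws:s3:::<bucket_name>/site_name/*` can never grant either listing call; and the s3:prefix condition key restricts which prefixes a listing may request. The example builds the prefix-only policy as described in the issue (its Action list is an assumption) beside a corrected policy that grants listing on the bucket ARN restricted to the site's prefix, and runs both through a deliberately simplified allow-only model of IAM evaluation to show which calls a cache refresh rooted at site_name would be granted. The bucket name is constructed; the real decision is IAM's, which `aws iam simulate-custom-policy` can confirm against the exported JSON.

```python
"""Prefix-scoped S3 listing for a multisite bucket: added example, not S3FS code.

Simplified model of IAM evaluation (Allow statements only, wildcard matching on
Action and Resource, StringLike on the s3:prefix condition key). Real IAM also
applies explicit Deny, other operators and resource policies; this is enough to
show why an object-only Resource cannot authorize a bucket listing.
"""
import fnmatch
import json
from typing import Optional

BUCKET = "example-bucket"   # constructed; the issue writes <bucket_name>
SITE = "site_name"          # the per-site root_folder from the issue

# S3 API call -> IAM action. Both list calls are bucket-level: IAM checks them
# against the bucket ARN, never against a key under it.
LIST_ACTIONS = {"ListObjects": "s3:ListBucket",
                "ListObjectVersions": "s3:ListBucketVersions"}


def prefix_only_policy(bucket: str, site: str) -> dict:
    """The policy shape from the issue: every Resource is an object key under the
    site prefix. The Action list is assumed; the Resource list is the issue's."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                   "s3:ListBucket", "s3:ListBucketVersions"],
        "Resource": [f"arn:aws:s3:::{bucket}/{site}/*"],
    }]}


def scoped_policy(bucket: str, site: str) -> dict:
    """Corrected policy: object access stays under the site prefix; listing is
    granted on the bucket ARN but only for requests whose prefix is the site."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ObjectsUnderSitePrefix",
         "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                    "s3:GetObjectVersion", "s3:DeleteObjectVersion"],
         "Resource": [f"arn:aws:s3:::{bucket}/{site}/*"]},
        {"Sid": "ListOnlySitePrefix",
         "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:ListBucketVersions"],
         "Resource": [f"arn:aws:s3:::{bucket}"],
         # Missing s3:prefix (a listing of the whole bucket) fails StringLike.
         "Condition": {"StringLike": {"s3:prefix": [f"{site}/*"]}}},
    ]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str,
               prefix: Optional[str] = None) -> bool:
    """True if some Allow statement matches action, resource ARN and, when the
    statement carries one, its StringLike s3:prefix condition."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        patterns = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if patterns is not None:
            if prefix is None or not any(fnmatch.fnmatchcase(prefix, p) for p in patterns):
                continue
        return True
    return False


def refresh_cache_check(policy: dict, bucket: str, site: str) -> dict:
    """Decisions for the calls a cache refresh rooted at `site` needs, plus a
    cross-site listing that must stay denied for the isolation to hold."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "ListObjects": is_allowed(policy, LIST_ACTIONS["ListObjects"], bucket_arn, f"{site}/"),
        "ListObjectVersions": is_allowed(policy, LIST_ACTIONS["ListObjectVersions"],
                                         bucket_arn, f"{site}/"),
        "GetObject": is_allowed(policy, "s3:GetObject", f"{bucket_arn}/{site}/public/a.png"),
        "ListOtherSite": is_allowed(policy, LIST_ACTIONS["ListObjects"], bucket_arn, "other_site/"),
    }


if __name__ == "__main__":
    for name, policy in (("prefix-only", prefix_only_policy(BUCKET, SITE)),
                         ("scoped", scoped_policy(BUCKET, SITE))):
        print(name, refresh_cache_check(policy, BUCKET, SITE))
    # Paste-ready policy for the site's IAM user.
    print(json.dumps(scoped_policy(BUCKET, SITE), indent=2))
```

Under the prefix-only policy both listing calls are denied while GetObject under the prefix is allowed, which is the pattern behind a refresh that fails only at the listing step; under the scoped policy the site's own listing is allowed and a listing of another site's prefix, or of the bucket with no prefix at all, is still denied. Applying this depends on the module issuing its listing with the root_folder as the request prefix, which is what coredumperror's suggestion would make it do.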