Update aws-s3.md wrt S3 public access settings
In my case, following the Uppy S3 documentation related to CORS by the letter still resulted in 403 responses with `AccessDenied` from my bucket's HTTP endpoint when my browser tried to upload a file.

It seems like S3 introduced an additional layer of security which generally overrides any public access settings in other places to protect inexperienced S3 users from accidentally making content in their S3 buckets public - at least this is my interpretation.

Therefore I extended the docs to inform Uppy users about the additional measures they potentially need to take.
manuelkiessling authored Jan 10, 2019
1 parent 0d232a1 commit b03613d
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion website/src/docs/aws-s3.md
Expand Up @@ -111,7 +111,7 @@ strings: {
## S3 Bucket configuration

S3 buckets do not allow public uploads by default.
In order to allow Uppy to upload directly to a bucket, its CORS permissions need to be configured.
In order to allow Uppy to upload directly to a bucket, at least its CORS permissions need to be configured, and you potentially need to change some of the *Public access settings* that provide an extra layer of public access protection even if the correct CORS permissions are in place.

CORS permissions can be found in the [S3 Management Console](https://console.aws.amazon.com/s3/home).
Click the bucket that will receive the uploads, then go into the "Permissions" tab and select the "CORS configuration" button.
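Review bot: the replacement sentence in this hunk states that the *Public access settings* "provide an extra layer of public access protection even if the correct CORS permissions are in place", which conflates two unrelated controls: CORS only tells the browser which origins may make cross-origin requests and grants no access to the bucket, while S3 Block Public Access is an access-control setting that rejects public ACLs and public bucket policies. An upload that is denied with `AccessDenied` after CORS is configured is an authorization failure, not a CORS failure, so the doc should say what the request is being denied for (typically a public ACL such as `public-read` being applied to the uploaded object, or a missing grant in the bucket policy) rather than describe the block as a layer to be switched off. Suggest rewording to: "In order to allow Uppy to upload directly to a bucket, its CORS permissions need to be configured, and the credentials or POST policy used for the upload must actually be authorized to write to the bucket."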
Expand Down Expand Up @@ -182,6 +182,10 @@ The final configuration should look something like this:
</CORSConfiguration>
```

Even with these CORS rules in place, you browser might still encounter HTTP status 403 responses with `AccessDenied` in the response body when it tries to `POST` to your bucket. In this case, within the "Permissions" tab of the [S3 Management Console](https://console.aws.amazon.com/s3/home), choose "Public access settings".

It will list general *Public access settings for this bucket*, which can override the rules imposed by your CORS settings. Click on *edit* to manage these settings. Under *Manage public access control lists (ACLs) for this bucket*, make sure that *Block new public ACLs and uploading public objects (Recommended)* is unchecked, and *Save* these settings.

In-depth documentation about CORS rules is available on the [AWS documentation site](https://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html).

## POST uploads
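Review bot: the new paragraph ending "make sure that *Block new public ACLs and uploading public objects (Recommended)* is unchecked" instructs readers to disable a bucket-level safeguard without explaining what it does, and the commit's own comment thread notes that this simply removes access control rather than fixing the underlying misconfiguration. A 403 with `AccessDenied` at this point indicates the upload request is asking for something the bucket does not permit, most commonly a public object ACL; the fix that keeps the guard in place is to stop sending a public ACL with the upload (or to grant the needed access explicitly through the bucket policy or the signing identity), not to allow public ACLs bucket-wide. Suggest replacing the two paragraphs with guidance of the form: "If uploads are denied with `AccessDenied` even though CORS is configured, check whether your upload parameters set a public ACL; S3's Block Public Access rejects such requests by design. Remove the ACL from the upload or adjust the bucket policy rather than turning off Block Public Access." Also, "you browser" in the first sentence should read "your browser", and the statement that these settings "override the rules imposed by your CORS settings" is inaccurate because CORS rules impose no access restrictions.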

1 comment on commit b03613d

@SleeplessByte

This documentation change is incorrect. There is no second layer of security, and turning off the "block" will make "it work" because you're literally saying to remove access control. This has been in the docs for three years, and apparently people are following this advice, but it's not necessary (and incorrect).

Further, git blame shows that the author had not set up CORS correctly in the first place: de9effd.

For future reference, please don't write instructions that are unverified, based on a hunch, as if they're facts.
