WhoopInc / vagrant-s3auth

Vagrant plugin for private, versioned boxes on Amazon S3.
MIT License
108 stars 23 forks

Does not work with ap-southeast-2 region #24

Closed olsnacky closed 8 years ago

olsnacky commented 9 years ago

I was consistently getting the error:

`Request for box's Amazon S3 region was denied.

This usually indicates that your user account is misconfigured. Ensure your IAM policy allows the "s3:GetBucketLocation" action for your bucket:

arn:aws:s3:::XXX`

Even though I was able to access get-bucket-location through the AWS CLI.

I had to edit the code in util.rb and change the DEFAULT_REGION to 'ap-southeast-2' to make the code work. I am not a native ruby speaker, so I wasn't able to work out why this fixed my issue.

benesch commented 9 years ago

Shoot! It seems to work okay for me: https://travis-ci.org/WhoopInc/vagrant-s3auth/jobs/78511695

Are you able to reproduce in any other regions?

olsnacky commented 9 years ago

Sorry for the late reply! I was expecting an email notification.

Hmm, this is my vagrantfile:

# -*- mode: ruby -*-
# vi: set ft=ruby :

ENV['AWS_ACCESS_KEY_ID'] = 'XXXX'
ENV['AWS_SECRET_ACCESS_KEY'] = 'XXXX'
ENV['AWS_DEFAULT_REGION'] = 'ap-southeast-2'

unless Vagrant.has_plugin?('vagrant-s3auth')
  system('vagrant plugin install vagrant-s3auth') || exit!

  exit system('vagrant', *ARGV)
end

Vagrant.configure('2') do |config|
  config.vm.box     = 'XXXX'
  config.vm.box_url = 'https://s3-ap-southeast-2.amazonaws.com/XXXXX'
  config.vm.provision "shell", path: "vagrant/provision.sh"
  config.vm.provision "shell", path: "vagrant/provision_postgres.sh"
  config.vm.boot_timeout = 300
end

Am I not setting the default region correctly?

olsnacky commented 9 years ago

I added the same file and bucket policy to a new bucket I created in ap-southeast-1 (https://s3-ap-southeast-1.amazonaws.com/XXX). I received the same error.

olsnacky commented 9 years ago

I'm not quite sure what happens inside of the tests, but here are my thoughts on what is happening:

  1. Util.s3_object_for is called
    • this calls s3_resource
      • this calls get_bucket_region
      • this calls s3_client with the default value for region, which is 'us-east-1'.
        • This is why my credentials are not working, as they only work when used within the context of the 'ap-southeast-1' region.

benesch commented 9 years ago

What do you mean when you say "they only work when used within the context of the 'ap-southeast-1' region"?

In theory the GetBucketLocation request can be completed against US Standard for any bucket.

olsnacky commented 9 years ago

The credentials only work if the AWS_DEFAULT_REGION is set to 'ap-southeast-2'. Sorry, I wish I could explain it a bit better than that.

olsnacky commented 9 years ago

I have found a workaround to this issue. I created an IAM policy that I attached to the IAM user that was making the GetBucketLocation request. The policy is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1442183069000",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        }
    ]
}

benesch commented 9 years ago

Ah, yes—that is noted somewhere in the README. Though it sounds like parsing the region directly from the S3 URL except when the shorthand URL is used would have saved you this trouble.
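
The call chain described a few comments up (s3_object_for -> s3_resource -> get_bucket_region with the us-east-1 default) and the suggestion just above of parsing the region out of the URL are shown together in the following added example. It is not code from the vagrant-s3auth plugin or from anyone in this thread; the hostname forms it accepts, the RegionDenied class, the FAKE_LOCATIONS table and the bucket names in it are assumptions made for the example. The GetBucketLocation call is injected as a block so the file runs offline with no AWS credentials.

```ruby
require 'uri'

# Hostname forms the example accepts (an assumption, not the plugin's own
# parser): an optional virtual-hosted bucket prefix, then "s3", then an
# optional region in the legacy dash form (s3-ap-southeast-2) or the dot
# form (s3.ap-southeast-2). The bare "s3.amazonaws.com" shorthand carries
# no region, which is the only case that needs a GetBucketLocation call.
S3_HOST_RE = /\A(?:(?<vhost>.+)\.)?s3(?:[.-](?<region>[a-z]{2}(?:-[a-z]+)+-\d))?\.amazonaws\.com\z/

# Returns [bucket, region]; region is nil when the URL does not encode one.
def parse_box_url(url)
  uri  = URI.parse(url)
  host = uri.host or raise ArgumentError, "no host in #{url}"
  m = S3_HOST_RE.match(host.downcase) or raise ArgumentError, "not an S3 endpoint: #{host}"
  bucket = m[:vhost] || uri.path.split('/').reject(&:empty?).first
  raise ArgumentError, "no bucket in #{url}" if bucket.nil?
  [bucket, m[:region]]
end

# GetBucketLocation does not return a plain region name in every case: the
# LocationConstraint is empty for us-east-1 (the "US Standard" default the
# plugin queries first) and the legacy value "EU" for eu-west-1.
def region_from_location_constraint(constraint)
  case constraint
  when nil, '' then 'us-east-1'
  when 'EU'    then 'eu-west-1'
  else constraint
  end
end

# Assumed error class standing in for the SDK's access-denied exception.
class RegionDenied < StandardError; end

# Resolve the region for a box URL. The GetBucketLocation call is injected
# as a block so the example runs offline; with the real SDK the block body
# would be something like
#   Aws::S3::Client.new(region: 'us-east-1')
#      .get_bucket_location(bucket: bucket).location_constraint
# The block is only invoked for the shorthand endpoint, so a URL such as
# https://s3-ap-southeast-2.amazonaws.com/<bucket>/... never triggers it.
def resolve_region(url)
  bucket, region = parse_box_url(url)
  return region if region
  begin
    region_from_location_constraint(yield(bucket))
  rescue RegionDenied
    raise RegionDenied, "Request for box's Amazon S3 region was denied. " \
      "Ensure your IAM policy allows \"s3:GetBucketLocation\" on arn:aws:s3:::#{bucket}"
  end
end

# Constructed GetBucketLocation responses for made-up bucket names; these
# are not real buckets.
FAKE_LOCATIONS = { 'sydney-boxes' => 'ap-southeast-2', 'old-us-boxes' => '', 'eu-boxes' => 'EU' }

if $PROGRAM_NAME == __FILE__
  lookup = ->(b) { FAKE_LOCATIONS.fetch(b) { raise RegionDenied } }
  %w[https://s3-ap-southeast-2.amazonaws.com/sydney-boxes/box.json
     https://s3.amazonaws.com/old-us-boxes/box.json
     https://eu-boxes.s3.amazonaws.com/box.json].each do |u|
    puts "#{u} -> #{resolve_region(u, &lookup)}"
  end
end
```

With a regioned URL the lookup block is never called, so the IAM user needs no s3:GetBucketLocation grant at all; with the shorthand URL the grant is required, and the error text in the first comment already names the narrow form, the bucket's own ARN, rather than the arn:aws:s3:::* wildcard used in the workaround policy.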

benesch commented 8 years ago

Reread your initial filing and realized that the error message did in fact instruct you to allow the GetBucketLocation action in IAM. Closing because I'm not sure how to make this clearer. :-/