Closed lantrix closed 7 years ago
I can't easily see a way using the SDK to generate the website endpoint; and apparently you can't https://github.com/aws/aws-sdk-ruby/issues/915#issuecomment-136775467
So using a website endpoint requires that your objects be publicly available, which rather defeats the purpose of this plugin, which is to support private, versioned boxes. So if you want to go that route, you don't need vagrant-s3auth at all. Does using the website URL http://mybucket.s3-website-ap-southeast-2.amazonaws.com/myfolder/ directly work if you uninstall vagrant-s3auth? If so, that's a definite bug. It seems our S3 URL matching is too aggressive and picks up the website URL. But the point is you don't need this plugin!
If you do want private boxes, you'll need to point directly to the metadata JSON. As you've discovered, that approach does work. If you don't like the ugliness of specifying s3://bucket/folder/metadata.json, make your metadata JSON a file without an extension, like s3://bucket/folder/box. If you go this route, see the caveat in the README about ensuring this file is served with Content-Type: application/json.
Thanks for the response @benesch.
It doesn't work without the plugin, as it is 403 Forbidden as expected, due to the fact that I haven't enabled public access on the S3 bucket, but instead was hoping to get access with signed requests from IAM users.
I've just realised my incorrect assumption of using IAM and the Website endpoint:
In order for your customers to access content at the website endpoint, you must make all your content publicly readable.
I do want private boxes, and I have pointed to the metadata directly. The ugliness is OK, and I see this is not an issue at all.
Cheers.
No problem. Enjoy!
Background
I'm using an S3 hosted private box & Metadata file. The S3 bucket is configured for static website hosting with the index document set to metadata.json. I then have the following objects/keys in place:
mybucket/myfolder/metadata.json
mybucket/myfolder/boxes/mybox_0.1.0.box
The metadata points to the box as shown:
I can try to add the box via the s3 or http protocols and it fails using the s3 endpoint generated by the vagrant-s3auth plugin; or using the normal http/s endpoint:
S3 protocol
http protocol
Vagrant debugging shows the plugin converting this to:
https://s3-ap-southeast-2.amazonaws.com/mybucket/myfolder/?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential
etc... Which returns a 404 not found.
It DOES work if I point to the metadata.json URL directly; i.e. vagrant box add company/mybox "s3://mybucket/myfolder/metadata.json"
therefore there are no access or permission issues.
The reason for this seems to be that even though metadata.json has an object URI of https://s3-ap-southeast-2.amazonaws.com/mybucket/myfolder/metadata.json if you try to use https://s3-ap-southeast-2.amazonaws.com/mybucket/myfolder/ it will not work. This is noted in this stackoverflow answer that you need to use the aws s3 website endpoint for the index documents to work.
Digging around the AWS Documentation, and they document the following:
They also note:
From the S3 Management Console, selecting the target bucket, then Properties, then Static Website Hosting - it will show the website endpoint, for example mybucket.s3-website-ap-southeast-2.amazonaws.com
Issue
Now we come to the actual issue :) with the plugin (sorry for the long-winded background).
Using the http protocol for the website endpoint still doesn't work:
Enabling debug shows why.
The s3auth plugin is reconstructing from the website endpoint on http to the api endpoint on https which doesn't support index documents or redirect according to Amazon.
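The distinction this thread turns on, as an added Ruby example that is not part of the issue and not vagrant-s3auth's own code: classify a box URL as an S3 REST endpoint (signable, no index documents) or a website endpoint (index documents, public content only) before deciding whether to sign it. The module, method and symbol names are hypothetical.

```ruby
require 'uri'

# Added example, not vagrant-s3auth code. Host patterns are the documented
# S3 endpoint shapes; module and method names are hypothetical.
module S3BoxUrl
  # bucket.s3-website-REGION.amazonaws.com or bucket.s3-website.REGION.amazonaws.com
  WEBSITE = /\A(?<bucket>.+)\.s3-website[.-](?<region>[a-z0-9-]+)\.amazonaws\.com\z/
  # REST API hosts, path-style or virtual-hosted. On its own this loose pattern
  # also matches website hosts ("website-REGION" parses as a region), so
  # WEBSITE must be tested first.
  REST = /\A(?:(?<bucket>.+)\.)?s3(?:[.-](?<region>[a-z0-9-]+))?\.amazonaws\.com\z/

  Result = Struct.new(:kind, :bucket, :key, :advice)

  def self.classify(url)
    uri  = URI.parse(url)
    path = uri.path.to_s.sub(%r{\A/}, '')
    host = uri.host.to_s.downcase
    return rest(:s3_scheme, host, path) if uri.scheme == 's3'
    return Result.new(:other, nil, nil, :do_not_sign) unless %w[http https].include?(uri.scheme)

    if (m = WEBSITE.match(host))
      # Website endpoints serve index documents but only public content.
      Result.new(:website, m[:bucket], path, :do_not_sign)
    elsif (m = REST.match(host))
      if m[:bucket]
        rest(:rest_virtual_hosted, m[:bucket], path)
      else
        bucket, key = path.split('/', 2)
        rest(:rest_path_style, bucket, key.to_s)
      end
    else
      Result.new(:other, nil, nil, :do_not_sign)
    end
  end

  # REST endpoints accept signed requests but do not resolve index documents,
  # so a key that is empty or ends in "/" will not return metadata.json.
  def self.rest(kind, bucket, key)
    advice = key.empty? || key.end_with?('/') ? :sign_but_no_index_document : :sign
    Result.new(kind, bucket, key, advice)
  end
end
```

`S3BoxUrl.classify(url).advice` is `:sign` only for a REST or s3:// URL that names an object key, which matches the working `s3://mybucket/myfolder/metadata.json` form from the thread.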