S3 Empty Folder 403 - Githubissues

aws / aws-sdk-php-laravel

A Laravel 5+ (and 4) service provider for the AWS SDK for PHP

http://aws.amazon.com/sdkforphp/

Apache License 2.0

1.65k stars 245 forks source link

S3 Empty Folder 403 #240

Open Liam-Sutcliffe opened 7 months ago

Liam-Sutcliffe commented 7 months ago

Describe the bug

When I try create an empty folder from php artisan tinker I receive a 403.

Expected Behavior

I would expect to receive "= true" and and a folder to be created in my S3 bucket.

Current Behavior

League\Flysystem\UnableToWriteFile Unable to write file at location: 555/. Error executing "PutObject" on "https://s3.eu-west-2.amazonaws.com/bucketname/555/"; AWS HTTP error: Client error: PUT https://s3.eu-west-2.amazonaws.com/bucketname/555/ resulted in a 403 Forbidden response: <?xml version="1.0" encoding="UTF-8"?>

AccessDeniedAccess DeniedXXXXXX ### Reproduction Steps Process that fails: php artisan tinker Storage::disk('s3')->makeDirectory("555/") The above works on version 3.6.0 but not 3.8.X which we require for our L10 app. Processes that work but aren't a solution: We are running this from an ECS task, if we run "aws s3api put-object --bucket bucketname --key 555/ --content-length 0" from the container it will create the folder. If we run Storage::disk('s3')->put('555/testfile.txt', file_get_contents('testfile.txt')); it creates folder and the file in S3. ### Possible Solution Temporary solution is to take dummy file: Storage::disk('s3')->put('555/testfile.txt', file_get_contents('testfile.txt')); ### Additional Information/Context _No response_ ### SDK version used 3.8.1 ### Environment details (OS name and version, etc.) AWS ECS EC2 Launch Type

yenfryherrerafeliz commented 6 months ago

Hi @Liam-Sutcliffe, I am not familiar with the command that you are using, but I guess it is for creating a s3 bucket, and if so then, the issue you are getting indicate that the credentials that you are using do not have permissions to create buckets. So please make sure you have the proper rights for performing this operation.

Please let me know if that helps or you have any other question.

Thanks!

Liam-Sutcliffe commented 6 months ago

Hi @yenfryherrerafeliz, The S3 bucket already exists we are simply trying to create an empty folder within the S3 bucket(I know it's not really a folder really but that's the easiest way to describe it). The permissions seem to be in place though as when I use tinker I can create a folder if I also create a file at the same time. The issue arrises when I'm trying to create an empty folder in the bucket. I even went as far as to create a new IAM user with S3 administrator, when I use the AWS CLI command with the credentials I can make an empty folder then when I use tinker it gets a 403 response but all other PUT actions work. Any insight would be much appreciated :)

KaloyanYosifov commented 4 months ago

Hey @Liam-Sutcliffe

I had the same issue recently. I debugged it and found out the issue is in https://github.com/thephpleague/flysystem-aws-s3-v3/blob/3.x/AwsS3V3Adapter.php#L250

If you do not have directory_visibility on your s3 config it will default to public visibility. This won't be an issue if you have putObjectAcl permission for the IAM role or user.

If you do not have putObjectAcl permission then you will get this error, because it is trying to change the visibility of the directory to public (regardless of what you have set as visiblity in the config).

Personally I think this is a bug in that library and it should fallback to the visibility config if it cannot find directory_visibility. (So maybe we can open an issue there)
Also the default public visibility for the directory might be a security issue (not sure if files in the folder get set to public by default if the folder is public in S3).

Liam-Sutcliffe commented 4 months ago

Hi @KaloyanYosifov Thanks for this I'll check it out :)