search

beeyev / thumbor-s3-docker

A docker image for thumbor with AWS S3 / Minio integration for cropping, resizing, applying filters and optimizing images on the fly.
MIT License
49 stars 10 forks source link

Unable to get image from AWS S3 bucket #17

Closed tschaffter closed 1 year ago

tschaffter commented 1 year ago

I'm using the image beeyev/thumbor-s3:7.4-alpine.

Thanks for providing the example with MinIO. Thumbor works as expected with MinIO with the following configuration:

LOG_LEVEL=info

LOADER=thumbor_aws.loader
AWS_LOADER_REGION_NAME=local
AWS_LOADER_BUCKET_NAME=awesome-bucket-img
AWS_LOADER_S3_ACCESS_KEY_ID=oc
AWS_LOADER_S3_SECRET_ACCESS_KEY=changeme
AWS_LOADER_S3_ENDPOINT_URL=http://minio:9000
AWS_LOADER_ROOT_PATH=/img

RESULT_STORAGE=thumbor_aws.result_storage
AWS_RESULT_STORAGE_REGION_NAME=local
AWS_RESULT_STORAGE_BUCKET_NAME=awesome-bucket-img-cache
AWS_RESULT_STORAGE_S3_ACCESS_KEY_ID=oc
AWS_RESULT_STORAGE_S3_SECRET_ACCESS_KEY=changeme
AWS_RESULT_STORAGE_S3_ENDPOINT_URL=http://minio:9000
AWS_RESULT_STORAGE_ROOT_PATH=/img-cache

RESULT_STORAGE_STORES_UNSAFE=True
RESULT_STORAGE_EXPIRATION_SECONDS=2629746

# SECURITY_KEY=changeme
ALLOW_UNSAFE_URL=True
QUALITY=80
MAX_AGE=86400
AUTO_PNG_TO_JPG=True
HTTP_LOADER_VALIDATE_CERTS=False

I'm now trying to use two AWS S3 bucket with the following config (minus the secrets of the IAM user):

LOG_LEVEL=info

LOADER=thumbor_aws.loader
AWS_LOADER_REGION_NAME=us-east-1
AWS_LOADER_BUCKET_NAME=awesome-bucket-img
AWS_LOADER_S3_ACCESS_KEY_ID=
AWS_LOADER_S3_SECRET_ACCESS_KEY=
AWS_LOADER_S3_ENDPOINT_URL=http://awesome-bucket-img.s3-website-us-east-1.amazonaws.com
AWS_LOADER_ROOT_PATH=/img

RESULT_STORAGE=thumbor_aws.result_storage
AWS_RESULT_STORAGE_REGION_NAME=us-east-1
AWS_RESULT_STORAGE_BUCKET_NAME=awesome-bucket-img-cache
AWS_RESULT_STORAGE_S3_ACCESS_KEY_ID=
AWS_RESULT_STORAGE_S3_SECRET_ACCESS_KEY=
AWS_RESULT_STORAGE_S3_ENDPOINT_URL=http://awesome-bucket-img-cache.s3-website-us-east-1.amazonaws.com
AWS_RESULT_STORAGE_ROOT_PATH=/img-cache

RESULT_STORAGE_STORES_UNSAFE=True
RESULT_STORAGE_EXPIRATION_SECONDS=2629746

# SECURITY_KEY=changeme
ALLOW_UNSAFE_URL=True
QUALITY=80
MAX_AGE=86400
AUTO_PNG_TO_JPG=True
HTTP_LOADER_VALIDATE_CERTS=False

Here is the policy I use to allow the Thumbor IAM user to read from awesome-bucket-img and read/write to the bucket awesome-bucket-img-cache.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject*"
            ],
            "Resource": [
                "arn:aws:s3:::awesome-bucket-img",
                "arn:aws:s3:::awesome-bucket-img/*",
                "arn:aws:s3:::awesome-bucket-img-cache",
                "arn:aws:s3:::awesome-bucket-img-cache/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "s3:*Object",
            "Resource": [
                "arn:aws:s3:::awesome-bucket-img-cache/*"
            ]
        }
    ]
}

Thumbor fails to get the image from the AWS bucket with the following error:

  File "/usr/local/lib/python3.10/site-packages/thumbor/handlers/__init__.py", line 212, in get_image
    result = await self._fetch(self.context.request.image_url)
  File "/usr/local/lib/python3.10/site-packages/thumbor/handlers/__init__.py", line 884, in _fetch
    loader_result = await self.context.modules.loader.load(
  File "/usr/local/lib/python3.10/site-packages/thumbor_aws/loader.py", line 89, in load
    status_code, body, last_modified = await client.get_data(
  File "/usr/local/lib/python3.10/site-packages/thumbor_aws/s3_client.py", line 143, in get_data
    response = await client.get_object(Bucket=bucket, Key=path)
  File "/usr/local/lib/python3.10/site-packages/aiobotocore/client.py", line 371, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred () when calling the GetObject operation: 

2023-03-21 02:23:04 thumbor:ERROR [BaseHandler] get_image failed for url `triforce.png`. error: `An error occurred () when calling the GetObject operation: `
2023-03-21 02:23:04 tornado.access:ERROR 500 GET /unsafe/triforce.png (172.21.0.1) 213.96ms

For some reason the boto client does not provide details about the error (no error code or reason).

Do you have thoughts on why Thumbor can not read the image from the AWS S3 bucket?

Thanks for having created this Thumbor image!

beeyev commented 1 year ago

Hello, This question is related to the thumbor-aws plugin, so it's better to ask it here https://github.com/thumbor/thumbor-aws

tschaffter commented 1 year ago

The solution was to use the http://s3.us-east-1.amazonaws.com for AWS_LOADER_S3_ENDPOINT_URL and AWS_RESULT_STORAGE_S3_ENDPOINT_URL.