cobyism / ghost-on-heroku

One-button Heroku deploy for the Ghost blogging platform.
MIT License

Access denied on image upload #166

Open simon-asp opened 5 years ago

simon-asp commented 5 years ago

Hey! I read all the old issues on the AWS issues, but I can't get it to work.

I used us-east-1 as mentioned here.

What could be wrong?

topherolson commented 5 years ago

@simon-asp I ran into the same issue. I was able to fix this by editing my public access list controls for the bucket in AWS.

Manage public access control lists (ACLs)

- Block new public ACLs and uploading public objects (Recommended): False
- Remove public access granted through public ACLs (Recommended): False

I have to admit, I'm not entirely sure what security vulnerabilities this creates. If you have any info on this I'd love to hear about it.

simon-asp commented 5 years ago

@topherolson Thanks! That didn't work for me.

Can you show me what you did otherwise?

topherolson commented 5 years ago

I did the standard install. So I would just make sure your Config Vars in Heroku are set properly, i.e. proper naming convention for your Bucket region.

calebl commented 4 years ago

I'm running into this same issue. @simon-asp were you able to resolve? I have checked my credentials using the aws cli tool and I'm able to upload from there.

paulmelnikow commented 4 years ago

I ran into the Access Denied issue, and later a different issue where the image would successfully upload but then couldn’t be displayed correctly. Eventually I was able to get the uploads working, though only by unsetting S3_ASSET_HOST_URL.

Have you checked whether you can create publicly readable assets from the CLI?

cacabo commented 4 years ago

Followed all of the above and can upload a resource via the CLI with the keys I provided—not sure why this isn't working and would appreciate any help!

cacabo commented 4 years ago

Ah actually updating the bucket policy per this repo seems to have done the trick!

wsun commented 3 years ago

I had this "Access denied" issue too after blocking public access to my S3 bucket (I use CloudFront to access images) - realized that the S3 adapter this project uses defaults to a public ACL when adding new images, so specifying a private ACL resolved this issue for me.
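
Added example, not part of the thread and not code from ghost-on-heroku or its S3 adapter: a simplified Python model of how the upload ACL, the bucket's Block Public Access settings and the uploader's IAM actions interact to produce the "Access Denied" discussed above. The function names and the sample JSON are constructed for illustration; it assumes the two console options quoted earlier correspond to the `BlockPublicAcls` and `IgnorePublicAcls` API fields, and it does not model explicit denies in IAM or bucket policies.

```python
import json
from fnmatch import fnmatchcase

# Canned ACLs that grant to the AllUsers or AuthenticatedUsers groups;
# S3 Block Public Access treats these as public.
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}

# Constructed sample: `aws s3api get-public-access-block` output for a bucket
# with every Block Public Access setting enabled.
SAMPLE_ALL_BLOCKED = json.dumps({"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}})


def _allows(allowed_actions, action):
    """True if any granted pattern (for example 's3:*') matches the action."""
    return any(fnmatchcase(action, pat) for pat in allowed_actions)


def diagnose_upload(pab_json, upload_acl, allowed_actions):
    """Predict what S3 does with a PutObject that sends `upload_acl`.

    pab_json:        JSON text from `aws s3api get-public-access-block`
    upload_acl:      canned ACL the storage adapter sends, or None for none
    allowed_actions: S3 actions (wildcards allowed) granted to the uploader
    Returns (status, reason).
    """
    cfg = json.loads(pab_json).get("PublicAccessBlockConfiguration", {})
    public = upload_acl in PUBLIC_ACLS
    if not _allows(allowed_actions, "s3:PutObject"):
        return "denied", "uploader lacks s3:PutObject"
    if public and not _allows(allowed_actions, "s3:PutObjectAcl"):
        return "denied", "a public ACL on upload also needs s3:PutObjectAcl"
    if public and cfg.get("BlockPublicAcls"):
        return "denied", "BlockPublicAcls rejects uploads that carry a public ACL"
    if public and cfg.get("IgnorePublicAcls"):
        return "stored_acl_ignored", "object is stored, but its public ACL grants nothing"
    if public:
        return "stored_public", "object ACL makes it readable by anyone who has its URL"
    return "stored_private", "object is readable only via IAM, bucket policy or a CDN origin"


if __name__ == "__main__":
    perms = ["s3:PutObject", "s3:PutObjectAcl"]
    for acl in ("public-read", "private"):
        print(acl, diagnose_upload(SAMPLE_ALL_BLOCKED, acl, perms))
```

With Block Public Access left on, only the private-ACL upload succeeds, which matches the last comment: images stay private in S3 and are served through the CDN.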