Closed iowaz closed 5 months ago
Perhaps related to the permissions you've granted this new credential pair?
Thanks!
@simonbrowndotje I believe you are correct - do you have a list of the needed Actions that should be granted in this credential?
Hi @iowaz FYI: Here is my working S3 Policy config.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "AllowStatement2B",
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketVersions"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::structurizr"
      ]
    },
    {
      "Sid": "AllowStatement4B",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::structurizr/*"
      ]
    }
  ]
}
Update from 3080 to 3142 and now the log4j2 configuration file appears to work - now I can see the error more clearly:
[DEBUG] 2023-09-22 11:00:02.853 [http-nio-8080-exec-8] wire - http-outgoing-31 >> "GET /?versions&prefix=workspaces%2F3%2Fworkspace.json&max-keys=30&encoding-type=url HTTP/1.1[\r][\n]"
[DEBUG] 2023-09-22 11:00:02.853 [http-nio-8080-exec-8] wire - http-outgoing-31 >> "Host: (removed for privacy)[\r][\n]"
....
[DEBUG] 2023-09-22 11:00:02.863 [http-nio-8080-exec-8] wire - http-outgoing-31 << "HTTP/1.1 403 Forbidden[\r][\n]"
...
[DEBUG] 2023-09-22 11:00:02.863 [http-nio-8080-exec-8] wire - http-outgoing-31 << "<?xml version="1.0" encoding="UTF-8"?>[\n]"
[DEBUG] 2023-09-22 11:00:02.864 [http-nio-8080-exec-8] wire - http-outgoing-31 << "<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>(removed for privacy)</RequestId><HostId>(removed for privacy)</HostId></Error>[\r][\n]"
There are two actions that I would like to do:
- improve the error handling and logging (maybe a more detailed 5xx error page?) on this function: https://github.com/structurizr/onpremises/blob/main/structurizr-onpremises/src/main/java/com/structurizr/onpremises/component/workspace/AmazonWebServicesS3WorkspaceDao.java#L228;
- find out the specific permissions/actions that Structurizr uses - some organizations don't allow using the AmazonS3FullAccess.
Sounds in the right direction?
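One way to work out which permission a denied request needs, as an added example that is not part of the thread or of Structurizr's code: it maps the request line from the wire log to the IAM action and resource ARN S3 checks, then tests that pair against a policy. The bucket name `structurizr`, the `policy()` helper and both policies are constructed assumptions, and the evaluation is simplified (Allow statements only, no Deny or Condition handling).

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit, parse_qs, unquote

# Request line taken from the wire log quoted in the thread.
WIRE_LINE = ('wire - http-outgoing-31 >> "GET /?versions&prefix=workspaces%2F3%2F'
             'workspace.json&max-keys=30&encoding-type=url HTTP/1.1[\\r][\\n]"')

def required_permission(wire_line, bucket):
    """Map a virtual-hosted-style S3 request line to (IAM action, resource ARN)."""
    m = re.search(r'>> "(GET|PUT|DELETE) (\S+) HTTP/1\.1', wire_line)
    if not m:
        return None
    method, target = m.groups()
    url = urlsplit(target)
    query = parse_qs(url.query, keep_blank_values=True)  # keeps the bare "versions" flag
    key = unquote(url.path.lstrip("/"))
    if not key:  # bucket-level request; only listings are modelled (not ?location, ?acl, ...)
        if method != "GET":
            return None
        action = "s3:ListBucketVersions" if "versions" in query else "s3:ListBucket"
        return action, f"arn:aws:s3:::{bucket}"
    verb = {"GET": "Get", "PUT": "Put", "DELETE": "Delete"}[method]
    suffix = "Version" if "versionId" in query and method != "PUT" else ""
    return f"s3:{verb}Object{suffix}", f"arn:aws:s3:::{bucket}/{key}"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed(policy_doc, action, resource):
    """Simplified check: True if some Allow statement matches action and resource."""
    for st in _as_list(policy_doc["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        acts = [a.lower() for a in _as_list(st.get("Action", []))]  # action names ignore case
        if any(fnmatchcase(action.lower(), a) for a in acts) and \
           any(fnmatchcase(resource, r) for r in _as_list(st.get("Resource", []))):
            return True
    return False

def policy(bucket_actions):  # constructed policies for the assumed bucket "structurizr"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": bucket_actions, "Resource": "arn:aws:s3:::structurizr"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::structurizr/*"}]}

if __name__ == "__main__":
    need = required_permission(WIRE_LINE, "structurizr")
    print(need)
    print("ListBucket only:", allowed(policy(["s3:ListBucket"]), *need))
    print("with ListBucketVersions:", allowed(policy(["s3:ListBucket", "s3:ListBucketVersions"]), *need))
```

The object-level `s3:*` statement does not cover the version listing, because that request is authorized against the bucket ARN rather than `structurizr/*`.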
Description
I'm having a strange issue with our on-premises installation since we changed our S3 secret/key.
The initial page (http://example.com/) loads and shows all workspaces. The same applies for the diagram page (http://example.com/share/7/diagrams), but the configuration/home page for the diagram (http://example.com/share/7) returns a status code 500 with the text:
I tried to debug changing the log4j2 levels to ALL, but nothing is logged:
My log4j2 file looks like this:
I had this behavior in the past and could debug as something related to trying to access the s3 object history, but could not reproduce this time.
Steps to reproduce
1 - run the Structurizr on premises pointing to S3 bucket;
2 - access the home of the workspace;
3 - get the 500 error page.
Screenshot
No response
Code sample
No response
Configuration
build: 3080 (2023-06-21T09:31:25Z
Severity
Major
Priority
Low
Resolution
I'm willing to fix this myself and raise a PR
More information
No response