AWS S3 upload - unable to sign request without credentials set

Hey guys,

I'm using 3.4.0.beta3-dev, and I'm getting the mentioned error (but only in the UI, not the logs) when trying to upload an image into a topic.

My config is thus:

```
[["s3_upload_bucket", "<bucketname>/discourse-uploads"],
 ["s3_backup_bucket", "<bucketname>/discourse-backups"],
 ["s3_region", "eu-central-1"],
 ["s3_use_acls", "f"],
 ["enable_direct_s3_uploads", "f"],
 ["enable_s3_uploads", "t"],
 ["s3_access_key_id", ""],
 ["s3_secret_access_key", ""]]
```

And I'm using the EC2 instance profile and override the credentials.

I get the error in the UI:

But the log is telling me it was OK:

```
Started POST "/uploads.json?client_id=bb1ab05dbb9d4d1f9930d05f28b17f94" for 10.x.x.x at 2024-12-13 11:46:35 +0000
Processing by UploadsController#create as JSON
  Parameters: {"upload_type"=>"composer", "pasted"=>"true", "name"=>"image.png", "type"=>"image/png", "sha1_checksum"=>"a0f0fe1abd27ce137e0e1b2a28cd9348a08112ff", "file"=>#<ActionDispatch::Http::UploadedFile:0x00007f50b8b01db8 @tempfile=#<Tempfile:/tmp/RackMultipart20241213-386-i7xkqa.png>, @content_type="image/png", @original_filename="image.png", @headers="Content-Disposition: form-data; name=\"file\"; filename=\"image.png\"\r\nContent-Type: image/png\r\n">, "client_id"=>"bb1ab05dbb9d4d1f9930d05f28b17f94"}
Completed 200 OK in 36ms (Views: 0.1ms | ActiveRecord: 0.0ms (0 queries, 0 cached) | GC: 0.0ms)
Completed 418  in 23ms (Views: 0.2ms | ActiveRecord: 0.0ms (0 queries, 0 cached) | GC: 0.4ms)
```

The bucket is empty afterwards (just setting this up with a fresh bucket)

Any hints?

Thanks,

WS

1 Like

Make sure your EC2 instance has the right permissions to upload to S3, like s3:PutObject and s3:GetObject. Double-check your S3 bucket’s region and access settings. You might also want to try turning on s3_use_acls: true if necessary. You can also test uploading directly with AWS CLI to rule out permission issues. And if you’re not using direct uploads, just leave enable_direct_s3_uploads: f as is. Should help fix the problem!

1 Like

hmmmm…

My EC2 instance role's policy looks like this:

```json
[
    {
        "Action": [
            "s3:PutObject",
            "s3:AbortMultipartUpload",
            "s3:PutLifecycleConfiguration",
            "s3:PutObjectVersionAcl",
            "s3:PutBucketCORS",
            "s3:DeleteObject",
            "s3:PutObjectAcl",
            "s3:Get*",
            "s3:List*"
        ],
        "Resource": [
            "arn:aws:s3:::<data-bucket>",
            "arn:aws:s3:::<data-bucket>/*",
            "arn:aws:s3:::<backup-bucket>",
            "arn:aws:s3:::<backup-bucket>/*"
        ],
        "Effect": "Allow"
    }
]
```

Bucket permissions look like this, but Security Hub already screams at me that it's too open :frowning:

I can upload files from the EC2 instance without problems with the CLI (instance profile works in that regard).

UPDATE: noticed that the upload progress reaches 100 %, and only after that I'm getting the error (had to be quick with Greenshot to capture this :smiley: )

hmmmm … seems he was successful uploading the multiparts, but couldn't finish the process afterwards

Tried now to set up an IAM user with credentials and give it s3:* permissions, and now the upload works, but Discourse can't display it afterwards:

As I'm working in a company, and there are SCPs (service control policies) active for our accounts, it seems that public access is generally blocked.

Seems to be no S3 for me (and everyone having the same restrictions for his accounts)

Giving up now … :frowning:

Hope this works for you: https://www.youtube.com/watch?v=qjebh5AOZ8E . This would work for you if it’s not explicitly blocked by your company.

I was getting the same error message as the original poster here, with a similar configuration. I verified that I could get and put s3 objects using the AWS CLI from my EC2 instance even though Discourse was unable to do that.

I created a new IAM user with the same permissions policy as my EC2 instance role and used an access key instead of EC2 instance profile and now uploads work fine.

So in my case it wasn’t an issue of changing permissions, which makes me think that there may be a bug in instance profile authentication. Is there any way for me to get more information about why this was failing?
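
Added example, not part of any post in this thread and not Discourse code: a small offline check of whether the instance-role policy posted above already allows the S3 calls of a multipart upload, so that widening it to `s3:*` can be ruled out as a fix. The bucket names and object key are constructed stand-ins for the redacted values, and only this identity policy is evaluated; SCPs, bucket policies and condition keys are not modelled.

```python
import json
import re

# Policy statement as posted in the thread; bucket names are constructed
# stand-ins for the redacted <data-bucket> / <backup-bucket>.
POLICY = json.loads("""
[{"Effect": "Allow",
  "Action": ["s3:PutObject", "s3:AbortMultipartUpload",
             "s3:PutLifecycleConfiguration", "s3:PutObjectVersionAcl",
             "s3:PutBucketCORS", "s3:DeleteObject", "s3:PutObjectAcl",
             "s3:Get*", "s3:List*"],
  "Resource": ["arn:aws:s3:::example-data", "arn:aws:s3:::example-data/*",
               "arn:aws:s3:::example-backup", "arn:aws:s3:::example-backup/*"]}]
""")

OBJ = "arn:aws:s3:::example-data/discourse-uploads/original/1X/image.png"  # constructed key
BUCKET = "arn:aws:s3:::example-data"

# S3 API call -> (IAM action it is authorized under, resource it targets).
MULTIPART_FLOW = {
    "CreateMultipartUpload": ("s3:PutObject", OBJ),
    "UploadPart": ("s3:PutObject", OBJ),
    "ListParts": ("s3:ListMultipartUploadParts", OBJ),
    "CompleteMultipartUpload": ("s3:PutObject", OBJ),
    "AbortMultipartUpload": ("s3:AbortMultipartUpload", OBJ),
    "GetObject": ("s3:GetObject", OBJ),
    "ListObjectsV2": ("s3:ListBucket", BUCKET),
}

def _match(pattern, value, ignore_case=False):
    """IAM wildcards: '*' is any run of characters, '?' is one character."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def allowed(policy, action, resource):
    """True if an Allow statement covers the request and no Deny does."""
    hits = [s["Effect"] for s in policy
            if any(_match(a, action, True) for a in s["Action"])
            and any(_match(r, resource) for r in s["Resource"])]
    return "Allow" in hits and "Deny" not in hits

def uncovered(policy, flow=MULTIPART_FLOW):
    """API calls in the flow that the identity policy does not allow."""
    return [call for call, (act, res) in flow.items()
            if not allowed(policy, act, res)]

if __name__ == "__main__":
    print("not covered by role policy:", uncovered(POLICY) or "none")
```

An empty result matches what the posts above report: the same policy worked from the AWS CLI and from an IAM user with an access key.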