Do I need a second AWS S3 bucket for backup?

Hi,
I have set up image upload to AWS S3. It is working fine, but backup is not working with S3. I have created a new bucket for backup and added the bucket name in the admin panel. It gives me the following error in the logs:

Aws::S3::Errors::AccessDenied (Access Denied)
/var/www/discourse/vendor/bundle/ruby/2.4.0/gems/aws-sdk-core-3.6.0/lib/seahorse/client/plugins/raise_response_errors.rb:15:in `call'

Do I need a second S3 bucket for backup? If so, do I need to create a new policy for my new bucket and attach it to my IAM?

Need some help guys!!

1 Like

Need some serious help…!! Anybody there?

As it clearly says, access is denied! So the first thing that you could start investigating is whether your IAM user has write access to that bucket or not! …

1 Like

Thanks for the reply. I am new to AWS S3 and struggling with it. Could you please tell me how to do that? Do I need to create a new policy in order to grant write access, or should I add this to the already created policy? I am a little confused.

Do some research in the AWS docs about how to create a policy for IAM users and then grant the IAM user Read & Write (I guess it’s called Get & Put on Amazon) access to all the buckets. This way, you’ll be able to use the same IAM user on both buckets … or you can tweak the policy to explicitly state the buckets and the access levels granted to the IAM user.

Refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html#edit-inline-policy-console

I’ve used AWS S3 in the past for a client and have been able to configure both backup uploads and image uploads to S3 without much trouble.

Though, I used separate buckets at that time.

I’ll try to recreate your issue and share my findings, but for now, I’d suggest modifying your IAM user so that it has the necessary permissions on the buckets.

Someone more experienced may perhaps be able to explain everything in more detail.

Thanks for the quick response. I believe I almost get it. I have one more doubt: since it's a backup, which Action should I choose in my policy,

"Action": "s3:*",

or

"Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],

1 Like

This should suffice, but I’d suggest trying a backup with

and if that goes through successfully, try manual assignment of more restrictive policies.

2 Likes

Created a new policy with “Action”: “s3:*” and the backup was successfully created in the new bucket. Is there any need to restrict the permission for backup? Do you think “Action”: “s3:*” is fine for backup?

Unless your AWS account is shared or your Discourse has multiple admins, it’s okay (but not recommended) to leave it at s3:*

Because that potentially means full control over the S3 service, so the worst that someone could do is to create a bunch of buckets and upload data to them … But that will only happen if somehow your IAM credentials are leaked.

1 Like
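
To make the difference between the two `Action` choices discussed above concrete, here is an added example (not part of the original thread, and not Discourse or AWS code): a simplified evaluator for IAM identity policies that compares a wildcard policy with policies scoped to named buckets. The bucket names, object keys and the `"Resource": "*"` on the wildcard policy are assumptions; conditions, `NotAction`/`NotResource`, bucket policies and other policy layers are ignored.

```python
import re

# Constructed sample policies; bucket names are placeholders, not from the thread.
OBJECT_ACTIONS = ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"]
BROAD = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
UPLOADS_ONLY = {"Statement": [{"Effect": "Allow", "Action": OBJECT_ACTIONS,
                               "Resource": "arn:aws:s3:::example-uploads/*"}]}
SCOPED = {"Statement": [{"Effect": "Allow", "Action": OBJECT_ACTIONS,
                         "Resource": ["arn:aws:s3:::example-uploads/*",
                                      "arn:aws:s3:::example-backups/*"]}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, ignore_case=False):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one character.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None

def is_allowed(policy, action, resource):
    """Explicit Deny wins, then any matching Allow, otherwise implicit deny."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        hit = (any(_matches(a, action, True) for a in _as_list(stmt["Action"]))
               and any(_matches(r, resource) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed

REQUESTS = [  # (action, resource) pairs, constructed for illustration
    ("s3:PutObject", "arn:aws:s3:::example-backups/default/backup.tar.gz"),
    ("s3:GetObject", "arn:aws:s3:::example-uploads/original/1X/a.png"),
    ("s3:CreateBucket", "arn:aws:s3:::some-new-bucket"),
    ("s3:PutObject", "arn:aws:s3:::unrelated-bucket/data.bin"),
]

def compare():
    """Return (action, resource, broad, uploads_only, scoped) for each request."""
    return [(a, r, is_allowed(BROAD, a, r), is_allowed(UPLOADS_ONLY, a, r),
             is_allowed(SCOPED, a, r)) for a, r in REQUESTS]

if __name__ == "__main__":
    for action, resource, broad, uploads_only, scoped in compare():
        print(f"{action:16} {resource:52} broad={broad!s:5} "
              f"uploads_only={uploads_only!s:5} scoped={scoped}")
```

A policy that names only the uploads bucket denies the backup write, while the policy scoped to both buckets allows it without also allowing bucket creation or writes to unrelated buckets.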

Thanks mate. You solved one of my problems in 2017.
Happy new year!! :tada::fireworks::sparkler::confetti_ball:

1 Like