Do I need a second aws S3 bucket for backup?


(Praveen Kumar P S) #1

Hi,
I have set up image upload to AWS S3. It is working fine, but backup is not working with S3. I have created a new bucket for backup and added the bucket name in the admin panel. It gives me the following error in the logs:

Aws::S3::Errors::AccessDenied (Access Denied)
/var/www/discourse/vendor/bundle/ruby/2.4.0/gems/aws-sdk-core-3.6.0/lib/seahorse/client/plugins/raise_response_errors.rb:15:in `call'

Do I need a second S3 bucket for backup? If so, do I need to create a new policy for my new bucket and attach it to my IAM user?

Need some help guys!!


(Praveen Kumar P S) #2

Need some serious help…!! Anybody there?


(Bhanu Sharma) #3

As it clearly says, access is denied! So the first thing you could start investigating is whether your IAM user has write access to that bucket or not! …


(Praveen Kumar P S) #4

Thanks for the reply. I am new to AWS S3 and struggling with it. Could you please tell me how to do that? Do I need to create a new policy in order to grant write access, or should I add this already created policy? I am a little confused.


(Bhanu Sharma) #5

Do some research on the AWS docs about how to create a policy for IAM users, and then grant the IAM user read & write (I guess it's called Get & Put on Amazon) access to all the buckets. This way, you'll be able to use the same IAM user on both buckets … or you can tweak the policy to explicitly state the buckets and the access levels granted to the IAM user.

Refer to Editing IAM Policies - AWS Identity and Access Management

I've used AWS S3 in the past for a client and have been able to configure both backup uploads and image uploads to S3 without much trouble.

Though I used separate buckets at that time.

I'll try to recreate your issue and share my findings, but for now I'd suggest modifying your IAM user so that it has the necessary permissions on the buckets.

Someone more experienced may perhaps be able to explain everything in more detail.


(Praveen Kumar P S) #6

Thanks for the quick response. I believe I almost get it. I have one more doubt: since it's a backup, which Action should I choose in my policy,

"Action": "s3:*",

or

"Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],

(Bhanu Sharma) #7

This should suffice, but I'd suggest trying a backup with

and if that goes through successfully, try manual assignment of more restrictive policies.


(Praveen Kumar P S) #8

Created a new policy with "Action": "s3:*" and the backup was successfully created in the new bucket. Is there any need to restrict the permission for backup? Do you think "Action": "s3:*" is fine for backup?


(Bhanu Sharma) #9

Unless your AWS account is shared or your Discourse has multiple admins, it's okay (but not recommended) to leave it at s3:*

Because that potentially means full control over the S3 service, so the worst that someone could do is create a bunch of buckets and upload data to them … But that will only happen if somehow your IAM credentials are leaked.

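The policy choice discussed in posts #5, #6 and #9 (explicitly naming the buckets and the object-level actions instead of `s3:*`) can be written down and checked mechanically. The following is an added example, not code from the thread or from Discourse: it builds one IAM policy document covering both an uploads bucket and a backups bucket, audits a policy for wildcard actions or resources, and includes a deliberately minimal Allow/Deny evaluator so the difference between the broad and scoped policies can be demonstrated offline. The bucket names are constructed; the action set is the thread's Get/Put/Delete plus `s3:ListBucket` on the bucket ARN (needed to enumerate objects). Whether Discourse needs any further action is an assumption to verify against its own documentation.

```python
"""Build and check a least-privilege IAM policy for two Discourse S3 buckets."""
import fnmatch
import json

# Constructed bucket names: assumptions for this example, not from the thread.
UPLOAD_BUCKET = "example-discourse-uploads"
BACKUP_BUCKET = "example-discourse-backups"

# Object-level actions the thread settles on, plus ListBucket, which applies
# to the bucket ARN itself and is needed to enumerate existing objects.
# Any additional actions Discourse may need are not covered here (assumption).
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
BUCKET_ACTIONS = ["s3:ListBucket"]

# The broad policy from the thread: every S3 action on every resource.
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def least_privilege_policy(buckets):
    """One Allow statement for each bucket ARN and one for its object ARNs."""
    statements = []
    for bucket in buckets:
        arn = f"arn:aws:s3:::{bucket}"
        statements.append({"Effect": "Allow", "Action": BUCKET_ACTIONS, "Resource": arn})
        statements.append({"Effect": "Allow", "Action": OBJECT_ACTIONS, "Resource": f"{arn}/*"})
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Minimal evaluator: an explicit Deny wins, otherwise any matching Allow.

    Uses shell-style '*' matching, which is enough for these policies; it is
    not a full IAM simulator (no conditions, no case folding of actions).
    """
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def audit(policy):
    """Return findings for Allow statements with wildcard actions or resources."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        for a in _as_list(stmt["Action"]):
            if a in ("*", "s3:*"):
                findings.append(f"statement {i}: wildcard action {a!r}")
        for r in _as_list(stmt["Resource"]):
            if r == "*":
                findings.append(f"statement {i}: wildcard resource '*'")
    return findings


if __name__ == "__main__":
    scoped = least_privilege_policy([UPLOAD_BUCKET, BACKUP_BUCKET])
    print(json.dumps(scoped, indent=2))
    backup_obj = f"arn:aws:s3:::{BACKUP_BUCKET}/2017-01-01.tar.gz"
    for name, pol in (("wildcard", WILDCARD_POLICY), ("scoped", scoped)):
        print(name, "findings:", audit(pol) or "none")
        print("  create any bucket:", is_allowed(pol, "s3:CreateBucket", "arn:aws:s3:::attacker-bucket"))
        print("  write backup object:", is_allowed(pol, "s3:PutObject", backup_obj))
```

Running the script prints the scoped policy document ready to paste into the IAM console, then shows that the wildcard policy lets the same credentials create arbitrary buckets (the leak scenario raised in post #9) while the scoped one still permits writing a backup object. The bucket ARN and the `/*` object ARN are deliberately separate statements because `s3:ListBucket` is evaluated against the bucket itself, not its objects.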

(Praveen Kumar P S) #10

Thanks mate. You solved one of my problems in 2017.
Happy new year!! :tada::fireworks::sparkler::confetti_ball: