S3 Storage with no Public access

In our setup we are running Discourse in an AWS EKS cluster, and expect to use an S3 Bucket in the same AWS account for media storage. The EKS pod running Discourse is provided with the Kubernetes Service Account and IAM Role. The S3 Bucket has all Public access blocked, with an ACL granting only the Bucket owner (AWS account) read/write access.

With the Discourse Site Settings of “enabled s3 uploads”, “s3 use iam profile” and “secure media uploads” enabled, we are able to use our setup for uploading media to Discourse Topics. However, due to the checks in the UploadCreator module, any Site Settings related uploads, e.g. logo, etc., are failing as they attempt to upload the media with the S3 API private_acl parameter set to “false”. Would it not make sense that once “secure media uploads” is enabled, all content is uploaded with private_acl set to true?
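An added example, not part of the original posts and not Discourse code: a Ruby model of the documented S3 Block Public Access rules for object ACLs, showing why an upload sent with private_acl false fails against a bucket with all public access blocked. The mapping of private_acl false to the `public-read` canned ACL, the helper names and the sample uploads are assumptions constructed for illustration.

```ruby
# Added example: models S3 Block Public Access handling of object ACLs.
# Settings hashes and upload names below are constructed sample data.

# Canned ACLs that grant to the AllUsers or AuthenticatedUsers groups,
# which S3 treats as public.
PUBLIC_CANNED_ACLS = %w[public-read public-read-write authenticated-read].freeze

# Assumption: private_acl false is sent to S3 as the public-read canned ACL.
def canned_acl(private_acl)
  private_acl ? "private" : "public-read"
end

# pab: hash mirroring the bucket's PublicAccessBlockConfiguration.
# Returns :rejected, :stored_acl_ignored, :stored_public or :stored_private.
def put_object_outcome(pab, acl)
  return :stored_private unless PUBLIC_CANNED_ACLS.include?(acl)
  # BlockPublicAcls: PutObject calls carrying a public ACL fail outright.
  return :rejected if pab[:block_public_acls]
  # IgnorePublicAcls: the object is stored, but its public ACL has no effect.
  return :stored_acl_ignored if pab[:ignore_public_acls]
  :stored_public
end

# "All Public access blocked", as in the bucket described above.
LOCKED_DOWN = { block_public_acls: true, ignore_public_acls: true,
                block_public_policy: true, restrict_public_buckets: true }.freeze
# A bucket that still accepts public object ACLs.
OPEN_ACLS = { block_public_acls: false, ignore_public_acls: false,
              block_public_policy: false, restrict_public_buckets: false }.freeze

# Constructed uploads: [description, private_acl]
UPLOADS = [["topic attachment (secure uploads)", true],
           ["site logo (site setting)", false]].freeze

# Predicts the outcome of each sample upload against one bucket configuration.
def report(pab)
  UPLOADS.map { |name, priv| [name, put_object_outcome(pab, canned_acl(priv))] }.to_h
end

if __FILE__ == $PROGRAM_NAME
  { "all public access blocked" => LOCKED_DOWN,
    "public ACLs allowed" => OPEN_ACLS }.each do |label, pab|
    report(pab).each { |name, outcome| puts "#{label}: #{name} -> #{outcome}" }
  end
end
```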

Even in a completely private instance, settings uploads like Logo and Favicon are presented in the login page and are considered public. Those are also frequently downloaded by tools that don’t auth, like websites doing OpenGraph embeds, PWA installs, Google results, etc.


In that case would it make more sense to make this dependent on the “s3 use iam profile” flag being enabled or not? If IAM profile usage is enabled, then we are sort of confirming that the bucket has no public access, and hence will need to be accessed with a private ACL. I could be wrong, but I see no reason why one would use this setting in Discourse, unless they cannot make their bucket public.

No, that doesn’t follow.

This site here uses s3 use iam profile and also has a public bucket. There is no correlation between one and the other at all.

s3 use iam profile only means “I don’t want to pass a key/secret pair, go ahead and obtain that automatically for me from the AWS internal API”.

Fair enough. Then I guess the only solution for us would be to have another setting flag to specify the s3 bucket ACL being private, or does this sound illogical?

That would address your needs, but it’s not something we plan to do in our roadmap, as having public buckets with file listing disabled and the actual files having individual private ACLs is working fine for us thus far.

Why isn’t public bucket with private files possible for your use case?


Well, this is a corporate level decision in our case. All assets, including the Bucket, are supposed to be private, and are to be made accessible by IAM roles. To deliver the Bucket objects to the Discourse frontend, we have built an S3 Proxy application running in the same EKS cluster, and configured it as a CDN in Discourse settings. Now all that remains is the ability to upload Site Settings assets like logo, etc. as private, for which we need this flag. By default Discourse tries to upload such assets as public, which I would like to override with this new flag.
