Have you reviewed what ACLs you have on your bucket? You may have an ACL for public access which now needs moving to the policy. You’ll need a put object also on the bucket policy?
You can’t have an ACL and bucket owner enforced.
Hi. I am sorry you're having this trouble. You are correct, the behavior just changed. This error:
InvalidBucketAclWithObjectOwnership
is usually only seen when you attempt to create a new S3 bucket that has ACLs but you have bucket ownership enforced. Since that's not what you're doing, we need to figure out what's actually happening when your website tries to commit the image. It is possible that error is coming from RightAWS::S3Interface doing some kind of explicit object-level ACL operation when it does the PUT.
- What kind of website is it that the users are uploading images through? Rails maybe?
- Whatever it is, what kind of authentication is it doing for the PUT operation? How is it being granted access?
- I'm guessing you want the bucket public for GETs, is that correct?
If you enable S3 Server Access Logging, we should be able to see specifically what calls are being made by RightAWS::S3Interface.
Side note: even though bucket policies are recommended now, there's nothing wrong with ACLs per se. They should have continued to work if nothing changed. I'm a bit puzzled why anything broke at all. Hopefully the answer will emerge once we see the details of the S3 API calls.
Yes, this is a Rails 2.3.2 app. On the model we have: has_attached_file :image, :storage => :s3, :s3_credentials => "#{RAILS_ROOT}/config/s3.yml", :path => "images/:attachment/:id/:style.:extension", :bucket => 'bucketname', :styles => { :thumb => {:geometry => "160x160>", :processors => [:cropper]} ... }
The Gem Paperclip is used to manage the uploads. Let me know if there's anything specific I should add related to that.
Previously it was public for reads and writes.
Unfortunately, Paperclip expects to use ACLs. I can see it explicitly trying to interact with them in the gem source. It has also been deprecated for a few years, so an update to make it work with bucket policies is unlikely. To get this application working in the short term, you will need to switch your configuration back to having ACLs enabled and Object Ownership not enforced, and troubleshoot why it stopped working in the first place.
S3 Server Access Logging will be helpful in that process: https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html
Given the circumstances, I would also recommend opening a case with AWS Support: https://aws.amazon.com/premiumsupport/
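As an added example (not part of the original thread, and not Paperclip or AWS code): once server access logging is enabled, a short script like this can pick out the requests that touch ACLs or fail with ACL-related errors, grouped by caller. The log records are constructed samples with placeholder ids and a made-up user agent; the field positions assume the standard S3 server access log layout, including the trailing aclRequired field.

```python
import re
from collections import Counter

# One token per field: [bracketed time], "quoted string", or bare word.
TOKEN = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')
# Leading fields of an S3 server access log record, in order.
FIELDS = ["owner", "bucket", "time", "remote_ip", "requester", "request_id",
          "operation", "key", "request_uri", "status", "error_code"]

def parse_line(line):
    tokens = TOKEN.findall(line)
    if len(tokens) < 17:
        return None  # truncated or foreign line
    rec = dict(zip(FIELDS, tokens))
    rec["user_agent"] = tokens[16].strip('"')
    # Newer records end with an aclRequired field ("Yes" or "-").
    rec["acl_required"] = tokens[25] if len(tokens) > 25 else "-"
    return rec

def acl_related(rec):
    """True when the request touched ACLs or failed with an ACL error."""
    err = rec["error_code"].lower()
    return (rec["operation"].endswith(".ACL") or "acl" in err
            or "accesscontrollist" in err or rec["acl_required"] == "Yes")

def summarize(lines):
    """Count ACL-related requests by (operation, status, error, user agent)."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and acl_related(rec):
            hits[(rec["operation"], rec["status"],
                  rec["error_code"], rec["user_agent"])] += 1
    return hits

# Constructed sample records (not from the thread); all ids are placeholders.
TEMPLATE = ('OWNERID bucketname [06/Feb/2024:00:00:38 +0000] 192.0.2.3 REQUESTER '
            'REQID {0} {1} "{2} HTTP/1.1" {3} {4} - 1024 20 10 "-" "{5}" - HOSTID '
            'SigV2 CIPHER AuthHeader bucketname.s3.amazonaws.com TLSv1.2 - {6}')
K, UA = "images/1/thumb.jpg", "example-uploader/1.0"  # hypothetical key and agent
SAMPLE = [
    TEMPLATE.format("REST.GET.OBJECT", K, "GET /" + K, "200", "-", "Mozilla/5.0", "-"),
    TEMPLATE.format("REST.PUT.BUCKET", "-", "PUT /", "400", "InvalidBucketAclWithObjectOwnership", UA, "-"),
    TEMPLATE.format("REST.PUT.OBJECT", K, "PUT /" + K, "400", "AccessControlListNotSupported", UA, "-"),
    TEMPLATE.format("REST.GET.OBJECT", K, "GET /" + K, "200", "-", "Mozilla/5.0", "Yes"),
]
```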
I currently have ACLs disabled. I thought I was only able to do that if there are no ACLs on the bucket? At Amazon S3 > Buckets > bucketname > Permissions > Access control list (ACL), I cannot edit and have the message "This bucket has the bucket owner enforced setting applied for Object Ownership. When bucket owner enforced is applied, use bucket policies to control access." Is there another way an ACL can be on it? And do you have an example of the put for the bucket policy?