Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

SonataMediaBundle - S3 AWS: 'The configured bucket "my-bucket" does not exist

I'm trying to configure the AWS s3 filesystem on my Sonata-Project, but I always get the following error:

The configured bucket "my-bucket" does not exist.

My sonata_media.yml:

cdn:
    server:
        path: http://%s3_bucket_name%.s3-website-%s3_region%.amazonaws.com

providers:
    image:
        filesystem: sonata.media.filesystem.s3
    file:
        resizer:    false
        allowed_extensions: ['pdf']
        allowed_mime_types: ['application/pdf', 'application/x-pdf']


filesystem:
    s3:
        bucket: %s3_bucket_name%
        accessKey: %s3_access_key%
        secretKey: %s3_secret_key%
        region: %s3_region%

I added the following parameters to my parameters.yml:

s3_bucket_name: my-bucket
s3_region: eu-central-1
s3_access_key: MY_ACCESS_KEY
s3_secret_key: MY_SECRET_KEY

At the moment I use this library:

    "aws/aws-sdk-php": "2.8.10"

(With the latest versions I got an error with the s3_region parameter.)

Bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*"
        }
    ]
}

I think I don't have to say the bucket IS there.

Does anyone have an idea, what the problem is?

like image 304
Spomsoree Avatar asked Oct 30 '22 14:10

Spomsoree


1 Answers

So, I ran in this issue too and spent about 3 hours to fix it.

TL; DR

I am pretty sure you used aws-sdk-php 3 so you have to switch your configuration to use this one:

services:
    acme.aws_s3.client:
        class: Aws\S3\S3Client
        factory: [Aws\S3\S3Client, 'factory']
        arguments:
            -
                version: latest
                region: %amazon_s3.region%
                credentials:
                    key: %amazon_s3.key%
                    secret: %amazon_s3.secret%

instead of this one:

services:
    acme.aws_s3.client:
        class: Aws\S3\S3Client
        factory: [Aws\S3\S3Client, 'factory']
        arguments:
            -
                key: %amazon_s3.key%
                secret: %amazon_s3.secret%
                region: %amazon_s3.region%

as described here. So you always connected to AWS without any credentials.

Configure knp_gaufrette in a correct way

1) Create a IAM user

Don't use your root access key and access secret to interact with Amazon S3. Create a new account with the access type "Programmatic access" to explicit allow the interaction with a single bucket. I called my user s3-bucket-staging and Amazon gave it the id arn:aws:iam::REMOVED:user/s3-bucket-staging.

aws-create-account

You don't have to add a group or attach any policies. Make sure you save the generated Access key ID and Secret access key since this is the only chance you have to do so.

2) Edit your bucket policy

So for a very basic bucket with global read but no list permission (so people can access single files but not the list of all files) you can then add the following policy:

{
    "Version": "2012-10-17",
    "Id": "Policy1489062408719",
    "Statement": [
        {
            "Sid": "AllowGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::BUCKET-NAME/*"
        },
        {
            "Sid": "AllowListBucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::REMOVED:user/s3-bucket-staging"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::BUCKET-NAME"
        },
        {
            "Sid": "AllowPutObject",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::REMOVED:user/s3-bucket-staging"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::BUCKET-NAME/*"
        }
    ]
}

See also:

  • Specifying a Principal in a Policy
  • IAM Policy Elements: Principal
  • Providing Credentials to the SDK
  • Request via aws cli client works fine but using PHP SDK fails with 403 clientError Forbidden
like image 189
Thomas Kekeisen Avatar answered Nov 02 '22 10:11

Thomas Kekeisen