I'm trying to configure the AWS s3 filesystem on my Sonata-Project, but I always get the following error:
The configured bucket "my-bucket" does not exist.
My sonata_media.yml:

cdn:
    server:
        path: http://%s3_bucket_name%.s3-website-%s3_region%.amazonaws.com
providers:
    image:
        filesystem: sonata.media.filesystem.s3
    file:
        resizer: false
        allowed_extensions: ['pdf']
        allowed_mime_types: ['application/pdf', 'application/x-pdf']
filesystem:
    s3:
        bucket: %s3_bucket_name%
        accessKey: %s3_access_key%
        secretKey: %s3_secret_key%
        region: %s3_region%

I added the following parameters to my parameters.yml:
s3_bucket_name: my-bucket
s3_region: eu-central-1
s3_access_key: MY_ACCESS_KEY
s3_secret_key: MY_SECRET_KEY
At the moment I use this library:
"aws/aws-sdk-php": "2.8.10"
(With the latest versions I got an error with the s3_region parameter.)
Bucket policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*"
        }
    ]
}
I think I don't have to say the bucket IS there.
Does anyone have an idea what the problem is?

So, I ran into this issue too and spent about 3 hours fixing it.
I am pretty sure you used aws-sdk-php 3, so you have to switch your configuration to use this one:
services:
    acme.aws_s3.client:
        class: Aws\S3\S3Client
        factory: [Aws\S3\S3Client, 'factory']
        arguments:
            -
                version: latest
                region: %amazon_s3.region%
                credentials:
                    key: %amazon_s3.key%
                    secret: %amazon_s3.secret%
instead of this one:
services:
    acme.aws_s3.client:
        class: Aws\S3\S3Client
        factory: [Aws\S3\S3Client, 'factory']
        arguments:
            -
                key: %amazon_s3.key%
                secret: %amazon_s3.secret%
                region: %amazon_s3.region%
as described here. So you always connected to AWS without any credentials.
knp_gaufrette in a correct way

Don't use your root access key and access secret to interact with Amazon S3. Create a new account with the access type "Programmatic access" to explicitly allow the interaction with a single bucket. I called my user s3-bucket-staging and Amazon gave it the id arn:aws:iam::REMOVED:user/s3-bucket-staging.
You don't have to add a group or attach any policies. Make sure you save the generated Access key ID and Secret access key since this is the only chance you have to do so.
So for a very basic bucket with global read but no list permission (so people can access single files but not the list of all files) you can then add the following policy:
{
    "Version": "2012-10-17",
    "Id": "Policy1489062408719",
    "Statement": [
        {
            "Sid": "AllowGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::BUCKET-NAME/*"
        },
        {
            "Sid": "AllowListBucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::REMOVED:user/s3-bucket-staging"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::BUCKET-NAME"
        },
        {
            "Sid": "AllowPutObject",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::REMOVED:user/s3-bucket-staging"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::BUCKET-NAME/*"
        }
    ]
}
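
An added example, not part of the answer above or of any project's code: a small Python audit that checks a bucket policy like the one in the answer grants only s3:GetObject to everyone and pairs bucket-level actions with the bucket ARN and object actions with an object ARN. The helper names, the PUBLIC_OK and BUCKET_LEVEL sets and the BAD policy are constructed for illustration.

```python
BUCKET_LEVEL = {"s3:ListBucket", "s3:GetBucketLocation"}  # act on the bucket ARN
PUBLIC_OK = {"s3:GetObject"}  # the only action the answer exposes to everyone

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_public(principal):
    # "*" and {"AWS": "*"} both match any caller, authenticated or not
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))

def is_object_arn(resource):
    # arn:aws:s3:::bucket is the bucket, arn:aws:s3:::bucket/... is its objects
    return "/" in resource.split(":::", 1)[-1]

def audit(policy):
    findings = []
    for st in as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = sorted(set(as_list(st["Action"])))
        resources = as_list(st["Resource"])
        for action in actions:
            if is_public(st.get("Principal")) and action not in PUBLIC_OK:
                findings.append(f"{sid}: {action} is granted to everyone")
            wants_object = action not in BUCKET_LEVEL
            if not any(is_object_arn(r) == wants_object for r in resources):
                kind = "an object ARN (bucket/*)" if wants_object else "the bucket ARN"
                findings.append(f"{sid}: {action} needs {kind}")
    return findings

def stmt(sid, principal, action, resource):
    return {"Sid": sid, "Effect": "Allow", "Principal": principal,
            "Action": action, "Resource": resource}

USER = {"AWS": "arn:aws:iam::REMOVED:user/s3-bucket-staging"}  # as on the page
GOOD = {"Version": "2012-10-17", "Statement": [  # the answer's policy
    stmt("AllowGetObject", "*", "s3:GetObject", "arn:aws:s3:::BUCKET-NAME/*"),
    stmt("AllowListBucket", USER, "s3:ListBucket", "arn:aws:s3:::BUCKET-NAME"),
    stmt("AllowPutObject", USER, "s3:PutObject", "arn:aws:s3:::BUCKET-NAME/*")]}
BAD = {"Version": "2012-10-17", "Statement": [  # constructed misconfiguration
    stmt("PublicWrite", "*", ["s3:GetObject", "s3:PutObject"], "arn:aws:s3:::BUCKET-NAME/*"),
    stmt("ListOnObjects", USER, "s3:ListBucket", "arn:aws:s3:::BUCKET-NAME/*")]}

if __name__ == "__main__":
    for name, policy in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(policy) or "no findings")
```

To check a real policy, load it with json.load and pass the resulting dict to audit().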