Hi Team,
Just spent a chunk of time working through an access issue, thought I would share the context. I don't want to have my website assets bucket publicly accessible directly from the bucket. I also don't want Apostrophe linking to images directly via the bucket URL, nor via HTTP (since it causes HTTPS sites to show up as only 'partially secure' in the browser).
As such my S3 assets bucket has public access turned off, and is being presented through CloudFront with access restricted via a CloudFront "Origin Access Identity" to enable public access via HTTPS:// URLs. Apostrophe is configured with an IAM identity (key / secret) to allow uploadfs to process files in and with the options 'https' and 'cdn' parameters in the app.js file apostrophe-attachments/uploadfs module configuration section.
```javascript
'apostrophe-attachments': {
  uploadfs: {
    https: true,
    cdn: {
      enabled: true,
      url: 'https://assets.urbanaxes.com'
    },
    backend: 's3',
    secret: '<IAM Secret>',
    key: '<IAM key>',
    bucket: 'assets.urbanaxes.com',
    region: 'us-east-1'
  }
}
```
This configuration results in a generic S3 'AccessDenied' error being returned from Apostrophe when trying to upload files through the CMS.
After investigation and verification that the credentials were working, I determined that you cannot apply the 'public-read' canned ACL to objects in buckets that have all public access restricted.
Uploadfs currently has the 'public-read' ACL hard coded into the client.upload call params in the s3.js copyIn method (circa line 91 or so).
```javascript
var params = {
  ACL: 'public-read',
  Key: cleanKey(path),
  Body: inputStream,
  ContentType: contentType
};
```
While I haven't exhaustively tested all the available ACL options, changing the ACL to 'private' successfully resolved the issue / prevented the error from recurring.
Longer term, enabling the ACL to be configurable, via the module configuration and possibly via environment variable, would seem like a reasonable approach?
Thanks,
Shaun
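
A sketch of the configurable ACL proposed in the issue above, as an added example that is not part of the original post and is not uploadfs code. The option name `objectACL`, the environment variable `UPLOADFS_S3_ACL`, the `cleanKey` stand-in and the `aclWarnings` check are hypothetical names chosen for illustration.

```javascript
// Added example: not uploadfs code. `objectACL` and UPLOADFS_S3_ACL are
// hypothetical names for the configurable ACL the issue proposes.

// Canned ACLs that S3 accepts on an object upload.
const OBJECT_ACLS = new Set([
  'private', 'public-read', 'public-read-write', 'authenticated-read',
  'aws-exec-read', 'bucket-owner-read', 'bucket-owner-full-control'
]);
// ACLs that grant access to anonymous users; a bucket with all public
// access blocked rejects uploads carrying these with AccessDenied.
const PUBLIC_ACLS = new Set(['public-read', 'public-read-write']);

// Precedence: module option, then environment variable, then the current
// hard-coded value so existing public buckets keep working.
function resolveObjectACL(options = {}, env = process.env) {
  const acl = options.objectACL || env.UPLOADFS_S3_ACL || 'public-read';
  if (!OBJECT_ACLS.has(acl)) {
    throw new Error(`Unsupported S3 object ACL: ${acl}`);
  }
  return acl;
}

// Stand-in for the cleanKey helper referenced in s3.js (assumed to strip
// the leading slash from the uploadfs path).
function cleanKey(path) {
  return path.replace(/^\/+/, '');
}

// Same shape as the params object in copyIn, with the ACL resolved
// instead of hard-coded.
function buildUploadParams(options, path, inputStream, contentType, env = process.env) {
  return {
    ACL: resolveObjectACL(options, env),
    Key: cleanKey(path),
    Body: inputStream,
    ContentType: contentType
  };
}

// Config check: a CDN in front of the bucket plus a public ACL is the
// combination that failed in the issue.
function aclWarnings(options = {}, env = process.env) {
  const acl = resolveObjectACL(options, env);
  const warnings = [];
  if (options.cdn && options.cdn.enabled && PUBLIC_ACLS.has(acl)) {
    warnings.push(`cdn.enabled is set but objects are uploaded with ACL '${acl}'`);
  }
  return warnings;
}
```

Rejecting unknown ACL strings at configuration time keeps a typo from surfacing later as the same generic 'AccessDenied' on upload.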