I recently moved over a thousand Paperlclip attachments from local storage to Amazon S3 using the s3cmd tool. You can find details on how I accomplished this here, but to summarize, I used the following command to migrate all the old attachments.
我最近使用s3cmd工具从本地存储移动了一千个Paperlclip附件到Amazon S3。您可以在此处找到有关我如何完成此操作的详细信息,但总结一下,我使用以下命令迁移所有旧附件。
s3cmd sync my-app/public/system/ s3://mybucket
I updated my codebase to make use of the new S3 bucket, I've tested the connection and everything works fine. In fact, I can upload new attachments to the remote S3 bucket through my application and view/download them no problem. However, it seems somewhere along the lines Paperclip and S3 aren't in sync with one another, all the attachments that I moved over to my s3 bucket (blurred out in the image below) are returning 403s if I try and access them through my application. But new attachments uploaded to the same bucket are loaded just fine.
我更新了我的代码库以使用新的S3存储桶,我已经测试了连接,一切正常。事实上,我可以通过我的应用程序将新附件上传到远程S3存储桶并查看/下载它们没问题。然而,似乎某些地方Paperclip和S3彼此不同步,我移动到我的s3桶的所有附件(在下图中模糊)返回403s,如果我尝试通过我访问它们应用。但是上传到同一个存储桶的新附件都可以正常加载。
I have an IAM group setup with the following configuration:
我有一个具有以下配置的IAM组设置:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::mybucket/*"
}
]
}
Judging from the fact that I can upload new attachments to S3 I'm going to say the connection established just fine. I believe I setup s3cmd to connect to my bucket via a different IAM user account than the one accessing the bucket through my application. Could it perhaps be a permission issue? If so, can I change the permissions above in any way to grant access to those files?
从我可以上传新的附件到S3的事实来看,我会说连接建立得很好。我相信我设置s3cmd通过不同的IAM用户帐户连接到我的存储桶,而不是通过我的应用程序访问存储桶的用户帐户。它可能是一个许可问题吗?如果是这样,我可以以任何方式更改上述权限以授予对这些文件的访问权限吗?
I'm using the aws-sdk to integrate paperclip with S3.
我正在使用aws-sdk将paperclip与S3集成。
Edit: I thought it might have been an ownership issue as I uploaded the files using admin keys rather than the ones I use in my application. I purged the bucket and resynced s3cmd after configuring it to use the same keys that the application was using. I'm met with the same result, however.
编辑:我认为这可能是一个所有权问题,因为我使用管理员密钥上传文件而不是我在我的应用程序中使用的文件。在配置它以使用应用程序使用的相同密钥后,我清除了桶并重新启动了s3cmd。然而,我遇到了同样的结果。
Edit2: I can verify my permissions & connection further by going into my production console for my application and interacting with my bucket manually. Everything is working perfectly fine, i.e. I can retrieve files that my browser returns 403s for.
Edit2:我可以通过进入我的应用程序的生产控制台并手动与我的存储桶交互来进一步验证我的权限和连接。一切都工作得很好,即我可以检索我的浏览器返回403s的文件。
> s3 = AWS::S3.new
=> <AWS::S3>
> bucket = s3.buckets['mybucket']
=> #<AWS::S3::Bucket:mybucket>
> bucket.exists?
=> true
> image = bucket.objects["SomeFolder/SomeImage.jpg"]
=> <AWS::S3::S3Object:SomeFolder/SomeImage.jpg>
> puts image.read
=> ǃ���^�D��턣�����=m������f ... machine code
1 个解决方案
#1
14
It looks like your S3 bucket policy is not allowing Public Read access from Public users properly. Try something like:
看起来您的S3存储桶策略不允许公共用户正确进行公共读取访问。尝试以下方法:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowPublicRead",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::my-brand-new-bucket/*"
]
}
]
}
The fact you are able to access these files as a public user when you manually apply the public read permissions confirms your bucket policy is not granting read access correctly.
当您手动应用公共读取权限时,您能够以公共用户身份访问这些文件,这一事实可确认您的存储桶策略未正确授予读取权限。
When you use a public S3 URL to access the files, there is no authenticated user.
使用公共S3 URL访问文件时,没有经过身份验证的用户。
#1
14
It looks like your S3 bucket policy is not allowing Public Read access from Public users properly. Try something like:
看起来您的S3存储桶策略不允许公共用户正确进行公共读取访问。尝试以下方法:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowPublicRead",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::my-brand-new-bucket/*"
]
}
]
}
The fact you are able to access these files as a public user when you manually apply the public read permissions confirms your bucket policy is not granting read access correctly.
当您手动应用公共读取权限时,您能够以公共用户身份访问这些文件,这一事实可确认您的存储桶策略未正确授予读取权限。
When you use a public S3 URL to access the files, there is no authenticated user.
使用公共S3 URL访问文件时,没有经过身份验证的用户。