I have followed this guide on how to deploy my Strapi app on AWS. I have also read other Strapi guides on the same subject, all having the exact same way of configuring the S3 interaction.
Everything works fine, except the previews/downloads of images from S3. Uploads work as intended.
For the previews, I first had issues with CSP, but after having changed my config/middlewares.ts to something similar to this answer, that seems to work. At least I guess so, because the CSP error disappeared, but instead I started getting GET https://<bucket>.amazonaws.com/<file>.jpg?width=736&height=920 403 (Forbidden)
...
My guess is that there's something wrong with my S3 permissions settings, but they are exactly as instructed in the guide above (my first link):
I haven't touched the Bucket policy, Object ownership, ACL and CORS settings, so they look as follows:
Bucket policy: none
Object Ownership: Bucket owner preferred (as instructed by the guide above).
ACL: "Bucket owner (your AWS account)" has List, Write access on Objects, and Read, Write on Bucket ACL. The other roles (Everyone, Authenticated users group, S3 log delivery group) have no access whatsoever.
CORS: None
I have configured the Strapi application with the credentials (access key id + access key secret) of the IAM user which is browsing the above settings (bucket owner).
I could of course fool around with the S3 settings (like unchecking ALL boxes under "Block public access", and opening READ access for "Everyone" under "ACL"), but I of course don't want to be less restrictive than what is specified by the available guides...
Can anyone see anything that looks off in this setup?
I initially found some more information than what was present in all guides about what kind of configuration was expected on the S3 side, at the bottom of the upload-aws-s3 provider page. So I added the specified Policy actions and CORS config. However, I still got 403 when trying to preview the uploaded images in the deployed admin panel...
I finally got it working accidentally a day later when I tested around different bucket settings. I temporarily blocked all public access (checked all four check boxes), and then unchecked the first two checkboxes again (as specified in the image in my original post).
I guess the Policy & CORS settings weren't properly updated once I changed them, and just needed a shake (through updating the settings again) in order to get applied...
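The failing URL in the question carries no signature parameters, so S3 evaluates it as an anonymous request. As an added example (not from the original post or the Strapi guides), this simplified offline model shows which combination of Block Public Access flags, object ACL and bucket policy turns such a GET into 200 or 403. Assumptions: the "first two checkboxes" map to BlockPublicAcls and IgnorePublicAcls, the object ACLs and IDs are constructed, and explicit Deny statements and Resource matching are not modelled.

```python
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_allows_anonymous_get(policy_json):
    """True if an unconditional Allow grants s3:GetObject to Principal "*"."""
    if not policy_json:
        return False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = "*" if "*" in _as_list(principal.get("AWS", [])) else None
        actions = _as_list(stmt.get("Action", []))
        if (stmt.get("Effect") == "Allow" and principal == "*"
                and not stmt.get("Condition")
                and any(a in ("s3:GetObject", "s3:*", "*") for a in actions)):
            return True
    return False

def acl_allows_anonymous_read(grants):
    """True if the object ACL grants READ or FULL_CONTROL to the AllUsers group."""
    return any(g["Grantee"].get("URI") == ALL_USERS
               and g["Permission"] in ("READ", "FULL_CONTROL") for g in grants)

def anonymous_get_status(bpa, object_grants, policy_json):
    """Return (HTTP status, reason) for an unsigned GET of one object."""
    if acl_allows_anonymous_read(object_grants) and not bpa["IgnorePublicAcls"]:
        return 200, "object ACL grants READ to AllUsers"
    if policy_allows_anonymous_get(policy_json) and not bpa["RestrictPublicBuckets"]:
        return 200, "bucket policy allows s3:GetObject for *"
    return 403, "no effective public grant; the request would have to be signed"

# Constructed sample input (not real account data).
QUESTION_BPA = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
OWNER_ONLY_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
                   "Permission": "FULL_CONTROL"}]
PUBLIC_READ_ACL = OWNER_ONLY_ACL + [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                                     "Permission": "READ"}]

if __name__ == "__main__":
    for name, acl in (("owner-only", OWNER_ONLY_ACL), ("public-read", PUBLIC_READ_ACL)):
        print(name, anonymous_get_status(QUESTION_BPA, acl, None))
```

The dictionaries use the same key names that boto3's `get_public_access_block` and `get_object_acl` return, so real responses can be passed in place of the constructed samples.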