AWS S3: Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting

0

Yesterday, out of the blue, when users upload images on my site an error is thrown:

##### RightAws::S3Interface returned an error: 400 Bad Request
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>InvalidBucketAclWithObjectOwnership</Code><Message>Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting</Message><RequestId>REQUEST</RequestId><HostId>ID$
##### RightAws::S3Interface request: https://bucket.s3.amazonaws.com:443/ ####

RightAws::AwsError (InvalidBucketAclWithObjectOwnership: Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting):

This had never happened before, but earlier I had received an email from AWS:

Hello,

We are reaching out to inform you that starting in April 2023 Amazon S3 will change the default security configuration for all new S3 buckets. For new buckets created after this date, S3 Block Public Access will be enabled, and S3 access control lists (ACLs) will be disabled.

The majority of S3 use cases do not need public access or ACLs. For most customers, no action is required. If you have use cases for public bucket access or the use of ACLs, you can disable Block Public Access or enable ACLs after you create an S3 bucket. In these cases, you may need to update automation scripts, CloudFormation templates, or other infrastructure configuration tools to configure these settings. To learn more, read the AWS News blog [1] and What's New announcement [2] on this change or visit our user guide for S3 Block Public Access [3] and S3 Object Ownership to disable ACLs [4]. Also, see our user guide for AWS CloudFormation on these settings [5][6].

This seems related, although it is only supposed to apply to new buckets. However, using guides I found related to this I changed the settings on my bucket by adding a bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1380877761162",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucketname/*"
        }
    ]
}

And changing the Object Ownership setting.

Despite these changes I am getting the same error. What would be causing this?

3 Answers
0

Have you reviewed what ACLs you have on your bucket? You may have an ACL for public access which now needs moving to the policy. You'll need a put object on the bucket policy as well?

You can’t have an ACL and bucket owner enforced.

EXPERT
answered a year ago
  • I currently have ACLs disabled. I thought I was only able to do that if there are no ACLs on the bucket? At Amazon S3 > Buckets > bucketname > Permissions > Access control list (ACL), I cannot edit and have the message "This bucket has the bucket owner enforced setting applied for Object Ownership. When bucket owner enforced is applied, use bucket policies to control access." Is there another way an ACL can be on it? And do you have an example of the put for the bucket policy?

0

Hi. I am sorry you're having this trouble. You are correct, the behavior just changed. This error:

InvalidBucketAclWithObjectOwnership

is usually only seen when you attempt to create a new S3 bucket that has ACLs but you have bucket ownership enforced. Since that's not what you're doing, we need to figure out what's actually happening when your website tries to commit the image. It is possible that error is coming from RightAws::S3Interface doing some kind of explicit object-level ACL operation when it does the PUT.

  1. What kind of website is it that the users are uploading images through? Rails maybe?
  2. Whatever it is, what kind of authentication is it doing for the PUT operation? How is it being granted access?
  3. I'm guessing you want the bucket public for GETs, is that correct?

If you enable S3 Server Access Logging, we should be able to see specifically what calls are being made by RightAws::S3Interface.

Side note: even though bucket policies are recommended now, there's nothing wrong with ACLs per se. They should have continued to work if nothing changed. I'm a bit puzzled why anything broke at all. Hopefully the answer will emerge once we see the details of the S3 API calls.

AWS
seahow
answered a year ago
  • Yes, this is a Rails 2.3.2 app. On the model we have:

        has_attached_file :image,
          :storage => :s3,
          :s3_credentials => "#{RAILS_ROOT}/config/s3.yml",
          :path => "images/:attachment/:id/:style.:extension",
          :bucket => 'bucketname',
          :styles => { :thumb => { :geometry => "160x160>", :processors => [:cropper] } ... }

    The Gem Paperclip is used to manage the uploads. Let me know if there's anything specific I should add related to that.

    Previously it was public for read and writes.

0

Unfortunately, Paperclip expects to use ACLs. I can see it explicitly trying to interact with them in the gem source. It has also been deprecated for a few years, so an update to make it work with bucket policies is unlikely. To get this application working in the short term, you will need to switch your configuration back to having ACLs enabled and Object Ownership not enforced, and troubleshoot why it stopped working in the first place.

S3 Server Access Logging will be helpful in that process: https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html

Given the circumstances, I would also recommend opening a case with AWS Support: https://aws.amazon.com/premiumsupport/

AWS
seahow
answered a year ago
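Both of seahow's answers point at S3 Server Access Logging as the way to see which RightAws/Paperclip calls carry ACLs. As an added example, not code from this thread, from Paperclip or from RightAws, the Ruby script below parses server access log lines into their named fields and flags the entries an ACL-disabled bucket (Object Ownership set to BucketOwnerEnforced) will reject: the trailing aclRequired field is "Yes", the operation is an explicit ACL call, or the request already failed with InvalidBucketAclWithObjectOwnership or AccessControlListNotSupported. The four log lines are constructed to resemble this thread (a PUT on the bucket root, Paperclip-style object keys); the owner ID, request IDs, host IDs, IP addresses and user agent are placeholders, not captured data.

```ruby
# Added example (not from the thread, Paperclip or RightAws): parse Amazon S3
# server access log lines and flag the requests that depend on ACLs.
# Field order follows the S3 server access log format; the sample lines are
# constructed for illustration, not captured from a real bucket.

# Error codes S3 returns when a request carries an ACL that Object Ownership
# (BucketOwnerEnforced) does not allow.
ACL_ERROR_CODES = %w[
  InvalidBucketAclWithObjectOwnership
  AccessControlListNotSupported
].freeze

# Positional field names in the order S3 writes them. Lines written before a
# trailing field was introduced simply stop early, so missing fields are nil.
FIELDS = %i[
  bucket_owner bucket time remote_ip requester request_id operation key
  request_uri http_status error_code bytes_sent object_size total_time
  turn_around_time referer user_agent version_id host_id signature_version
  cipher_suite authentication_type host_header tls_version access_point_arn
  acl_required
].freeze

# Constructed sample: a bucket-root PUT rejected with the thread's error, an
# object PUT that needed an ACL, a plain public GET, and an older-style
# (shorter) line for an explicit object ACL PUT. Placeholder identifiers.
SAMPLE_LOG_LINES = [
  'OWNERID bucketname [02/May/2023:13:02:11 +0000] 203.0.113.7 OWNERID 7C3D1F0EXAMPLE REST.PUT.BUCKET - "PUT / HTTP/1.1" 400 InvalidBucketAclWithObjectOwnership 376 - 9 - "-" "Ruby/RightAws" - HOSTIDEXAMPLE= SigV2 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader bucketname.s3.amazonaws.com TLSv1.2 - Yes',
  'OWNERID bucketname [02/May/2023:13:02:12 +0000] 203.0.113.7 OWNERID 8A4E2B1EXAMPLE REST.PUT.OBJECT images/image/42/original.jpg "PUT /images/image/42/original.jpg HTTP/1.1" 200 - - 48213 31 17 "-" "Ruby/RightAws" - HOSTIDEXAMPLE= SigV2 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader bucketname.s3.amazonaws.com TLSv1.2 - Yes',
  'OWNERID bucketname [02/May/2023:13:02:15 +0000] 198.51.100.9 - 9B5F3C2EXAMPLE REST.GET.OBJECT images/image/42/thumb.jpg "GET /images/image/42/thumb.jpg HTTP/1.1" 200 - 6120 6120 12 11 "https://example.com/" "Mozilla/5.0" - HOSTIDEXAMPLE= - ECDHE-RSA-AES128-GCM-SHA256 - bucketname.s3.amazonaws.com TLSv1.2 - -',
  'OWNERID bucketname [02/May/2023:13:02:16 +0000] 203.0.113.7 OWNERID A1C7D8EEXAMPLE REST.PUT.ACL images/image/42/original.jpg "PUT /images/image/42/original.jpg?acl HTTP/1.1" 400 AccessControlListNotSupported 312 - 8 - "-" "Ruby/RightAws" -'
].freeze

# Split one line into fields. The timestamp is bracketed and the request URI,
# referer and user agent are double-quoted, so those may contain spaces;
# everything else is space-delimited.
def tokenize_s3_log_line(line)
  line.scan(/\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+/).map do |tok|
    tok.start_with?('[', '"') ? tok[1..-2] : tok
  end
end

# Map the tokens onto FIELDS; absent trailing fields come back as nil.
def parse_s3_access_log_line(line)
  tokens = tokenize_s3_log_line(line)
  entry = FIELDS.each_with_index.to_h { |name, i| [name, tokens[i]] }
  entry[:http_status] = entry[:http_status].to_i if entry[:http_status]
  entry
end

# A request depends on ACLs if S3 says so (aclRequired = "Yes"), if it is an
# explicit ACL operation (REST.PUT.ACL and friends), or if it already failed
# with one of the ACL-related error codes.
def acl_dependent?(entry)
  entry[:acl_required] == 'Yes' ||
    entry[:operation].to_s.end_with?('.ACL') ||
    ACL_ERROR_CODES.include?(entry[:error_code])
end

def acl_dependent_requests(lines)
  lines.map { |l| parse_s3_access_log_line(l) }.select { |e| acl_dependent?(e) }
end

if __FILE__ == $PROGRAM_NAME
  acl_dependent_requests(SAMPLE_LOG_LINES).each do |e|
    puts format('%-16s %-16s %3d %-38s ua=%s aclRequired=%s',
                e[:request_id], e[:operation], e[:http_status], e[:error_code],
                e[:user_agent], e[:acl_required] || '(field absent)')
  end
end
```

Run it as `ruby s3_acl_audit.rb` to see the three flagged entries; against a real bucket, replace SAMPLE_LOG_LINES with the lines read from the log objects S3 delivers to the target logging bucket. The aclRequired column is the quickest signal, but it is only present on lines written after S3 added that field, which is why the script also keys on the operation name and the error code.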
