S3 as CDN error

I’ve been trying to get this up and running.
Using "Setting up Amazon S3 as a CDN" as a start, as well as

I’ve set up the bucket and a user with ALL S3 permissions.
Added a bucket policy to make it public.
Added a CORS conf (this was really for the plugin, which I have started to look at yet)

When I go to upload a file or an image (or file), it uploads successfully to the bucket (makes all the folders too) but seems to fail on the return. So the content item never gets created.
I’m running with Lucee and FC 7.2.12. I’ve updated fapi.cfc, cdn.cfc, file.cfc, s3.cfc, local.cfc and image.cfc from the 7.2 branch.

From the error it looks like an ACL error??
Anyway just wondering if anyone recognises this before I spend hours working out how it works.

My guess is that the ACL settings you have on the CDN location are invalid in some way. What config do you have for the location?

Hi Blair,
You’re right.
OK I’ve found the issue but I can’t work out why.

It’s failing because I’d added my email address as an admins. This is my email attached to my aws account.
I can’t send an empty admins value because of the check in farcry (S3.cfc validateConfig())
If I remove the admin the process fails because it wants a ‘x-amz-grant-full-control’ key.

My workaround is to add <cfset stAMZHeaders["x-amz-grant-full-control"] = ""> around line 1100 in S3.cfc and remove the admins property completely from the application.fc.lib.cdn.setLocation().

Funny thing is, if I hard code my email, e.g. emailAddress="xxx@xxx.com", into the line above it works.
I’ve tried some tests to see if it's the listAppend, or if I made the process an arrayAppend and then an arrayToList. They all fail.
I’ve added some logging to look at the stAMZHeaders["x-amz-grant-full-control"] after it loops through the arguments.config.admins and I can’t see any difference in the end result. So, weird.

Is anyone using this on Linux Lucee 5.2 and having no issues?

I’ve checked one of our apps that uses admins and found:

admins = [{ id="asdfasdfasdfasdfasdfasdf", displayName="asdfasdf" }]

I can’t find an example where we’ve set the ACL using an email address. In truth, specifying specific user access isn’t something we do very often. We prefer to control object access with IAM policies on the user or the user’s group.

Could it be an encoding issue, where different values are being logged the same way?


You should be able to omit the admins argument, AFAIK we don’t use it in most apps.

Thanks guys. I think I have it sussed.
Don’t use the email option.
The ID needs to be the canonical id of your account.
And the error I had with excluding admins must have been caused by my own logging code. :sweat:

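An added example, not part of the thread and not FarCry's code: a pre-flight check that builds the x-amz-grant-full-control value from admins entries shaped like the config quoted above, rejecting anything that is not a 64-hex-character canonical user ID and leaving the header out when there are no admins. The function names and sample values are hypothetical; the `id="..."` grantee syntax is S3's own.

```python
import re

# S3 canonical user IDs are 64 hexadecimal characters.
CANONICAL_ID = re.compile(r"[0-9a-fA-F]{64}")


def grant_full_control_header(admins):
    """Build the x-amz-grant-full-control value from admins entries.

    Each entry is a dict shaped like the thread's config:
    {"id": <canonical user ID>, "displayName": <label>}.
    Returns None for an empty list so the caller can omit the header.
    """
    grantees = []
    for admin in admins:
        grantee_id = str(admin.get("id", "")).strip()
        if not CANONICAL_ID.fullmatch(grantee_id):
            # Catches email addresses, 12-digit account numbers and blanks
            # before they reach S3 and come back as an ACL error.
            label = admin.get("displayName", grantee_id)
            raise ValueError(f"not a canonical user ID: {label!r}")
        grantees.append(f'id="{grantee_id}"')
    return ", ".join(grantees) if grantees else None


def amz_acl_headers(admins):
    """Return the ACL headers to send; empty dict when no admins are set."""
    headers = {}
    value = grant_full_control_header(admins)
    if value is not None:
        headers["x-amz-grant-full-control"] = value
    return headers


if __name__ == "__main__":
    # Constructed sample values, not real account identifiers.
    sample = [{"id": "ab" * 32, "displayName": "ops"}]
    print(amz_acl_headers(sample))
    print(amz_acl_headers([]))
```
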