Uppy with Companion upload to S3, the file is 403 when trying to access it from the backend

The problem:
Cannot download the file in the backend from CloudFront or S3 after uploading it with Uppy, but only for Instagram uploads

Providers:

  • Manual upload
  • Instagram

It works for Manual Upload
It doesn’t work for Instagram

Companion code:

{
  providerOptions: {
    instagram: {
      key: process.env.instagram_basic_display_appId,
      secret: process.env.instagram_basic_display_appSecret,
    },
  },
  s3: {
    // Object key: upload timestamp plus the original file name
    getKey: (req: any, filename: string) => `${ Date.now() }-${ filename }`,
    key: process.env.AWS_ACCESS_KEY_ID,
    secret: process.env.AWS_SECRET_ACCESS_KEY,
    bucket: "BUCKET_NAME",
    region: "us-east-1",
    expires: 30000,
    acl: "public-read",
  },
  server: {
    host: process.env.companion_server_host,
    protocol: "https",
    path: uppyCompanionUrl,
  },
  debug: false,
  filePath: ".",
  // Dots are escaped so that "." matches only a literal dot in the host name
  uploadUrls: [/^http:\/\/comain\.com\//, /^http:\/\/localhost\//, /^https:\/\/app-dev\.domain\.com\//, /^https:\/\/BUCKET_NAME\.amazonaws\.com\//, /^https:\/\/amazonaws\.com\//, /^https:\/\/s3\.us-east-1\.amazonaws\.com\//],
  secret: process.env.companion_secret,
  corsOrigins: corsWhiteList,
  streamingUpload: true,
  allowLocalUrls: true,
  maxFileSize: 100000000,
  periodicPingInterval: 60000,
  periodicPingStaticPayload: { static: "payload" },
}

Both manual and Instagram uploads are through Companion.

Any ideas why it doesn’t work for Insta?

Have you tried without ACLs, and disabling ACLs on your bucket?

Yes, the Companion default ACL is “private”. Now it’s not accessible at all 🙂

Which version of Companion are you running? In newer versions of Companion, the default ACL is no longer set: uppy/migration-guides.md at main · transloadit/uppy · GitHub

What is your bucket’s ACL configuration?

The Uppy Companion version is 4.20

The ACL:

I mean this:

I need a bucket policy to make it work, right?

Anyway, it cannot be done by removing ACL from bucket.

Any thoughts why objects have different permissions for manual upload and Instagram upload with the same settings?

Yes, can I see your bucket policy?

You can try this policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1405592139000",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::bucketname/*",
                "arn:aws:s3:::bucketname"
            ]
        }
    ]
}

Manual upload works differently from Instagram, that’s probably why. They run different code.
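
A check of the bucket policy suggested above, as an added example that is not part of the thread or of Uppy: it reports which statements grant access to anonymous callers and which resource entries have no effect for the listed action. The helper names (`auditBucketPolicy`, `isAnonymous`, `isObjectArn`) are illustrative, and only a fixed list of object-level actions is recognised.

```javascript
// Added example: helper names are illustrative; the policy is the one posted in the thread.
const OBJECT_ACTIONS = new Set([
  "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectAcl", "s3:PutObjectAcl",
]);
const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// "*" and {"AWS": "*"} both mean any caller, including unauthenticated ones.
function isAnonymous(principal) {
  if (principal === "*") return true;
  return principal !== null && typeof principal === "object" && asList(principal.AWS).includes("*");
}

// An object ARN carries a key part after the bucket name: arn:aws:s3:::bucket/key
const isObjectArn = (arn) => arn.slice("arn:aws:s3:::".length).includes("/");

function auditBucketPolicy(policy) {
  const findings = [];
  for (const st of asList(policy.Statement)) {
    if (st.Effect !== "Allow") continue;
    const sid = st.Sid || "(no Sid)";
    const actions = asList(st.Action);
    const resources = asList(st.Resource);
    if (isAnonymous(st.Principal) && !st.Condition) {
      findings.push({ sid, type: "public", actions, resources: resources.filter(isObjectArn) });
    }
    for (const action of actions.filter((a) => OBJECT_ACTIONS.has(a))) {
      for (const arn of resources.filter((r) => !isObjectArn(r))) {
        // Object-level actions only match object ARNs, so this entry grants nothing.
        findings.push({ sid, type: "no-effect", actions: [action], resources: [arn] });
      }
    }
  }
  return findings;
}

// The policy from the thread, bucket name placeholder unchanged.
const threadPolicy = {
  Version: "2012-10-17",
  Statement: [{
    Sid: "Stmt1405592139000",
    Effect: "Allow",
    Principal: "*",
    Action: "s3:GetObject",
    Resource: ["arn:aws:s3:::bucketname/*", "arn:aws:s3:::bucketname"],
  }],
};

console.log(JSON.stringify(auditBucketPolicy(threadPolicy), null, 2));
```

The "no-effect" finding means the bare bucket ARN can be dropped from `Resource` without changing what the policy allows.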