Uppy with companion upload to s3, the file is 403 when try to access it from backend

The problem:
Cannot download file in backend from cloudfront or s3 after uploading it with uppy, but only for Instagram uploads


  • Manual upload
  • Instagram

It works for Manual Upload
It doesn’t work for Instagram

Companion code:

      providerOptions: {
        instagram: {
          key: process.env.instagram_basic_display_appId,
          secret: process.env.instagram_basic_display_appSecret,
      s3: {
        getKey: (req: any, filename: string) => `${ Date.now() }-${ filename }`,
        key: process.env.AWS_ACCESS_KEY_ID,
        secret: process.env.AWS_SECRET_ACCESS_KEY,
        bucket: "BUCKET_NAME",
        region: "us-east-1",
        expires: 30000,
        acl: "public-read",
      server: {
        host: process.env.companion_server_host,
        protocol: "https",
      debug: false,
      filePath: ".",
      uploadUrls: [/^http:\/\/comain.com\//, /^http:\/\/localhost\//, /^https:\/\/app-dev.domain.com\//, /^https:\/\/BUCKET_NAME.amazonaws.com\//, /^https:\/\/amazonaws.com\//, /^https:\/\/s3.us-east-1.amazonaws.com\//],
      secret: process.env.companion_secret,
      streamingUpload: true,
      allowLocalUrls: true,
      maxFileSize: 100000000,
      periodicPingInterval: 60000,
      periodicPingStaticPayload: {static: "payload"},

Both manual and instagram uploads are through companion.

Any ideas why it doesn’t work for inta?

Have you tried without ACLs? and disable ACL on your bucket

Yes, the companion default ACL is “private”. Now it’s not accessible at all :slight_smile:

which verison of companion are you running? in newer versions of companion, the default acl is no longer set: uppy/migration-guides.md at main · transloadit/uppy · GitHub

what is your bucket’s acl configuration?

The uppy companion version is 4.20

The ACL:

i mean this:

I need a bucket policy to make it work, right?

Anyway, it cannot be done by removing ACL from bucket.

Any thoughts why objects have different permissions for manual upload and instagram upload with the same settings?

Yes, can I see your bucket policy?

You can try this policy:

    "Version": "2012-10-17",
    "Statement": [
            "Sid": "Stmt1405592139000",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": [

Manual upload works differently from instagram, that’s probably why. They run different code.