AWS s3 Permissions modified on move


#1

Hi

I’m having issues with lucee modifying permissions of objects in s3

We use an external service (filestack) to upload files into a temp folder in s3

Our service then moves these files into specific folders via cffile (and renames them).

Files uploaded into the temp folder in s3 have the correct permissions (as in they are only accessible via signed urls) however once the file is moved (via cffile) the permissions of the object gets changed to public (all users: read)

The following settings have been defined in our application.cfc :

this.s3.acl = 'private'
this.tag.file.acl='private'
this.tag.directory.acl='private'

we’ve also attempted to use the following after the move operation;

var updatedPermissions = [{group="all", permission="private"}];
StoreSetACL(s3FileObj, updatedPermissions);

But private is not a valid option (according the the error output)

If anyone can point me in the general direction of a solution or a clear method of setting an object in s3 to be accessible only via a signed URL, it would be greatly appreciated.

Cheers


#2

Im not sure what you are attempting to do with the file, but the folder itself has a permission that is inherited by the object you put in it.

You could just set the folder to private at the command line

s3cmd setacl --acl-private --recursive s3://aws-foo-bucket/somedirectory/

You can achieve that with a cfexecute, or a bash or powershell script.


#3

Hi Terry, and thanks for your reply.

The parent object does have the correct permission (we did check before making this post)

We’ve also discovered that lucee v4.x modified permissions of object in s3 (default to public, regardless of application settings) whenever said objects were accessed / modified via cffile and cfdirectory.

Is was addressed at some point after version 5, we’ve confirmed this by creating a vm with v5 installed on it and running the same code.

This case can be considered solved