"ERROR: S3 Service API: Access Denied" when using PHP 5.3 or 5.4

Resolved Alamoxie Web Design
(@alamoxie)

9 years, 12 months ago

I was surprised when I configured one site with BackWPup the same way I had a dozen or so times in the past. (Note: I use HostGator.) I made an Amazon S3 bucket just for that site, “backup.mysite.com”. I made an IAMs user with the same name, with a policy only granting it access (yes, including list and upload permissions) to that one bucket. I plugged in the Amazon S3 info to BackWPup and… Access Denied. I double-checked everything. I triple-checked everything. Exactly like I used for my other sites. Then I tried using Amazon S3 info from my other sites that were running regular BackWPup backups. Nothing worked.

Then I went into CPanel > PHP Configuration and changed the PHP handler to “default system handler (5.2)”. It worked! The difference between this site and the others was that I had to use a higher PHP version to get another plugin to work (completely reasonable, given that PHP 5.2 has been obsolete since 2011).

I spent two hours with tech support, trying to convince them the problem was on their end, with PHP configuration. Eventually they did some of their own testing and said this:

This morning I copied the site and data to a new server that had PHP 5.4 as the default handler, and after quite a bit of testing I can now give you my findings.

1) Using PHP 5.4.26 as the default handler fails at the S3 connection attempt.
2) Using PHP 5.3.28 fails at the S3 connection attempt.
3) Using PHP 5.2.17 always works.
4) Changing the backup method to Folder instead of S3 works for any PHP version. Attached is a screenshot showing the backup log when PHP was set to 5.4.26 and the backup type set to Folder.

At this point, since I’ve confirmed that it is not isolated to the PHP configuration on the reseller server, and I’ve also confirmed that the plugin works for any PHP version when the backup type is set to Folder, I must direct you to the plugin developer for trouble-shooting further as it appears there is a bug in the plugin code for the S3 connection when using PHP 5.3.28 or 5.4.26. Unfortunately, the logs do not contain enough detail to see exactly why the S3 connection code is failing when using a PHP version higher than 5.2.17. In the meantime, the Folder method can definitely be used.

I apologize that I wasn’t able to find a configuration that worked using the S3 backup method with this plugin. If you need any additional information when contacting the plugin developer about this, just let us know.

If this is a more widespread problem, could you tell me when a fix is expected to be released?
If, for some reason, other people run BackWPup Amazon S3 backups just fine using PHP 5.3 or higher, can you tell me perhaps what bit of PHP configuration is the culprit in my case, what we can fix on the host end to get the plugin running?

https://wordpress.org/plugins/backwpup/

Viewing 7 replies - 1 through 7 (of 7 total)

Plugin Author Daniel Hüsken
(@danielhuesken)

9 years, 12 months ago

BackWPup uses to different AWS SDKs. One for PHP Versions lower than 5.3 and on vor PHP Version higer than 5.3. THe SDK that works with PHP 5.2 is the old one from Amazon that will be not longer developed.

Can you send me the policy that you uses and the logfiles from the test to d dot huesken at inpsyde dot com . Than i will test it again.
Plugin Author Daniel Hüsken
(@danielhuesken)

9 years, 12 months ago
I have send you a buckt police with mail that shuld work. Here the police for other useres with this problem. ListAllMyBuckets is not needed to working. It is only for displayinig Buckt selection else you can enter the bucket name.
```
{
  "Statement": [
   {
     "Action": "s3:ListAllMyBuckets",
     "Effect": "Allow",
     "Resource": "arn:aws:s3:::*"
   },
    {
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Effect": "Allow",
      "Resource": [ "arn:aws:s3:::dhdev", "arn:aws:s3:::dhdev/*" ]
    }
  ]
}
```
Thread Starter Alamoxie Web Design
(@alamoxie)

9 years, 12 months ago

Thanks for the great support, Daniel! The new policy (replacing both instances of “dhdev” with my specific bucket name) works on PHP 5.4 and 5.2. The old Amazon S3 IAMS policy worked just fine–until the server used anything higher than PHP 5.2. Now I have a solution for my sites, and hopefully the information here will be of use to others in the future. Thanks again!

Ken Cook
(@kencook)

9 years, 5 months ago

Using the bucket policy provided by Daniel I get the following:

Statement is missing required element - Statement "NO_ID-0" is missing "Principal" element

I just migrated to PHP 5.4 – didn’t have this problem. May be time to get more familiar with the inner workings of S3.

rob69
(@rob69)

9 years, 4 months ago

Hi
I followed this post and I am using PHP 5.5.17. I have used the policy above but I get the error Ken is having:
<blockquote>Statement is missing required element - Statement "NO_ID-0" is missing "Principal" element</blockquote>`

I have also tried to create a policy directly in Amazon but no luck. Any pointer?

Ken Cook
(@kencook)

9 years, 4 months ago

Unfortunately I had to find another plugin for time constraints. I hope Daniel gets it all straightened out because I did use the plugin for quite some time with great results. Last week I switched to UpdraftPlus. But, Daniel when you get the issues resolved let us know. Thanks!

Thread Starter Alamoxie Web Design
(@alamoxie)

9 years, 4 months ago

I can’t be sure of the exact problem you are having, but here’s something to try.

http://mobile.awsblog.com/post/Tx1OSMBRHZVM9V0/Understanding-Amazon-Cognito-Authentication-Part-3-Roles-and-Policies suggests “Access policies don’t require Principal elements, it sounds like you may have been entering this as a trust policy, not as an access policy.”