WordPress.org

Forums

s2Member Framework (Member Roles, Capabilities, Membership, PayPal Members)
Issues with Amazon S3 / Digitally signed URLs (32 posts)

  1. ed_monger-rue
    Member
    Posted 1 year ago #

    I'm having some issues with using Amazon S3 storage. After entering the bucket details and providing the Access Key and the Access Secret Key, I tested with http://dev.local/?s2member_file_download=test.txt and all that was returned was a blank screen.

    I created an IAM user, s2Member, and gave them read only permissions. Are IAM users supported with s2Member? Do you have any other suggestions on what I might look at?

    EMR

    https://wordpress.org/plugins/s2member/

  2. JasWSInc
    Member
    Plugin Author

    Posted 1 year ago #

    > I created an IAM user, s2Member, and gave them read only permissions.

    You will want to give s2Member (i.e. your site, which is running the s2Member app) a less restrictive set of permissions. For instance, s2Member (i.e. the IAM user associated with your site) needs the ability to alter permissions through digitally signed URLs that allow folks to gain access. Therefore, if s2Member only has read access this might create a problem.

  3. ed_monger-rue
    Member
    Posted 1 year ago #

    Hi Jason,

    Thank you for the reply. Alas, no joy.

    I went so far as to create a new user, s2Member_S3, and only placed that user in the Admin group. Changed the keys stored within s2M config.

    Is there a way to validate this within the plugin WUI?

    EMR

  4. Cristian Lavaque
    Member
    Plugin Contributor

    Posted 1 year ago #

    Try resetting the s2Member integration as described in this article: http://www.s2member.com/kb/reset-the-amazon-s3-cloudfront-integration/

    And then configure the integration again.

    Let me know if that helps. :)

  5. JasWSInc
    Member
    Plugin Author

    Posted 1 year ago #

    > Is there a way to validate this within the plugin WUI?

    If the key/secret are invalid when you attempt to download a file protected by s2Member; i.e. ?s2member_file_download=example.zip you should get an error message from the AWS side of things; e.g. invalid access key or similar.

    You reported that there was a white screen, no error, no nothing? If that's the case you might want to run our server scanner to be sure there's not something missing from your current hosting environment that s2Member depends on. Please see: https://www.s2member.com/kb/server-scanner/

  6. ed_monger-rue
    Member
    Posted 1 year ago #

    @JasWSInc: All green checkboxes. Mail checked out too.
    @anguz: I didn't reset as per the instructions but I did create a new CloudFront key pair that caused the old one to be replaced.

    Now, I'm getting the following message:

    This XML file does not appear to have any style information associated with it. The document tree is shown below.
    <Error>
    AccessDenied
    <Message>Access denied</Message>
    </Error>

    The URL is now being written to point to cloudfront.net

    Let me know if you'd still recommend that I reset the Amazon S3 / CloudFront config.

  7. ed_monger-rue
    Member
    Posted 1 year ago #

    To confirm, the IAM user for s2Member is a member of the "PowerUserAccess" policy.

    Also, I've checked the perms on the bucket and they look OK.

    Do you have any suggestions? Reset s2M's S3 config?

  8. JasWSInc
    Member
    Plugin Author

    Posted 1 year ago #

    > Do you have any suggestions? Reset s2M's S3 config?

    Yes, a reset would be my next suggestion also. It sounds like at least one portion of your integration is still denied access in some way.

  9. JasWSInc
    Member
    Plugin Author

    Posted 1 year ago #

    You might also want to test with your root key/secret just to be sure it's not something other than the user that you've selected. If the problem still shows up with the default root key/secret for your AWS account, please let us know about that too.

  10. ed_monger-rue
    Member
    Posted 1 year ago #

    > Yes, a reset would be my next suggestion also. It sounds like at least one portion of your integration is still denied access in some way.

    Alas, this had no impact.

    > You might also want to test with your root key/secret just to be sure it's not something other than the user that you've selected. If the problem still shows up with the default root key/secret for your AWS account, please let us know about that too.

    I had to create a new root cert, but this too had no effect. The http://dev.local/?s2member_file_download=test.txt URL is still returning the access denied message.

    Other content is being served from Amazon S3/CDN without issue. I switched the s2M credentials for S3/CDN to the credentials used for non-member CDN and received the same access denied message.

  11. ed_monger-rue
    Member
    Posted 1 year ago #

    I removed the configuration details for Amazon S3/CloudFront and the s2member_file_download=test.txt worked!

    I then added the configuration details back and attempted to delete the distribution and recreate it. I received an error message stating that access was denied from the Amazon distribution. I manually disabled it and will try recreating it.

  12. ed_monger-rue
    Member
    Posted 1 year ago #

    OK! A few more attempts...

    1. Reset all Amazon S3/CDN/CloudFront configurations within s2M
    2. I created a new bucket with a different name.
    3. Copied the contents of the "old" bucket to the new bucket.
    4. Deleted my test file and created a new test file within the new bucket. I don't think "file permissions" should be an issue, but why the heck not; nothing else seems to be working.
    5. Re-watched Video tutorials on setting up Amazon S3/CDN and Amazon S3/CloudFront.
    6. Added Amazon S3/CDN configuration pointing to the new bucket.
    7. Tested getting test file with s2member_file_download. Worked flawlessly!
    8. Added Amazon S3/CloudFront configuration, this time I added DNS cnames for files and streaming.
    9. Tested getting test file with s2member_file_download. Fail! Same error message as before (below). The new cname was used in the URL -- I tested the cloudfront.net domain name as well:

    This XML file does not appear to have any style information associated with it. The document tree is shown below.
    <Error>
    AccessDenied
    <Message>Access denied</Message>
    </Error>

    Any thoughts on what I should try next?

  13. JasWSInc
    Member
    Plugin Author

    Posted 1 year ago #

    I'm opening a bug report for this so it can be investigated further.
    https://github.com/WebSharks/s2member/issues/173

    ~ I'll update you here as soon as we've been able to reproduce it; or if we need more information to confirm the bug. Thanks for the step-by-step.

  14. JasWSInc
    Member
    Plugin Author

    Posted 1 year ago #

    This issue was investigated at GitHub and some further details were provided. Please see: https://github.com/WebSharks/s2member/issues/173#issuecomment-44248141

    In short, I was unable to reproduce the issue. Please check the details I provided at GitHub. If I missed something that is required to reproduce the bug please let me know at GitHub. Thanks!

  15. ed_monger-rue
    Member
    Posted 1 year ago #

    > This issue was investigated at GitHub and some further details were provided. Please see: https://github.com/WebSharks/s2member/issues/173#issuecomment-44248141

    > I configured s2Member with my S3 Bucket; using a root Access/Secret Key. Success.

    I was using an IAM account within s2M to access the Amazon S3 bucket. Also, I created a new CloudFront key pair for this test.

    Adding CNAMEs didn't cause the issue... as a side note, there were no CNAMEs previously. Alas, the issue still persists.

    The issue persisted using a new bucket as well as creating new "users" and keys. Do you have any additional suggestions? Without a lot of reporting / logs it's hard to narrow down the issue further.

  16. ed_monger-rue
    Member
    Posted 1 year ago #

    Also, there doesn't appear to be any issue accessing the bucket without the use of CloudFront.

    W3 Total Cache is also using Amazon S3 without issue.

  17. ed_monger-rue
    Member
    Posted 1 year ago #

    And! Sorry...

    I re-downloaded the latest s2M plugin and replaced what was on the server. Just for good measure.

  18. JasWSInc
    Member
    Plugin Author

    Posted 1 year ago #

    Thanks for the feedback. I'm adding a note here about IAM so this can be retested shortly. See: https://github.com/WebSharks/s2member/issues/173#issuecomment-44387014

  19. JasWSInc
    Member
    Plugin Author

    Posted 1 year ago #

    This issue at GitHub has been updated. Please take a look when you get a moment. Thanks! See: https://github.com/WebSharks/s2member/issues/173#issuecomment-44518844

  20. jhall_3rd
    Member
    Posted 6 months ago #

    Any updates on this -- seeing a similar issue.

  21. JasWSInc
    Member
    Plugin Author

    Posted 6 months ago #

    @jhall_3rd The investigation here turned up nothing useful I'm afraid. https://github.com/WebSharks/s2member/issues/173#issuecomment-44518844

    What is the issue that you are having exactly? If you can add steps to reproduce here, that'd be great! :-) https://github.com/WebSharks/s2member/issues/173#issuecomment-44518844

  22. jhall_3rd
    Member
    Posted 6 months ago #

    Have been online with Amazon support for 2 days trying to find out why s2m is restricting the IP that is requesting an s3/cf file.

  23. jhall_3rd
    Member
    Posted 6 months ago #

    We decoded the Policy s2m used to sign the URL and found that it is using the server's IP in the AWS:SourceIP

    This is causing an access denied when accessing the signed URL since the IP won't match.

    For example, upon decoding the signature associated with a file download we get this:
    {"Statement":[{"Resource":"http://d3od88nicba67t.cloudfront.net/SD-os-gringos-parte-1-DOWN-SD.mp4","Condition":{"IpAddress":{"AWS:SourceIp":"207.210.203.168/32"},"DateLessThan":{"AWS:EpochTime":1424884195}}}]}

  24. jhall_3rd
    Member
    Posted 6 months ago #

    207.210.203.168 is the IP of the server and not the client
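
The policy check described in the two posts above can be reproduced offline. The following is an added example, not part of the original thread or of s2Member's code: it decodes the `Policy` parameter of a CloudFront signed URL (CloudFront's base64 variant replaces `+`, `=`, `/` with `-`, `_`, `~`) and reports which conditions a given visitor would fail. The function names, the placeholder `Signature`/`Key-Pair-Id` values and the visitor address 203.0.113.25 are assumptions; the policy JSON is the one posted above.

```python
import base64
import ipaddress
import json
from urllib.parse import parse_qs, urlsplit

# CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'.
_TO_CF = str.maketrans("+=/", "-_~")
_FROM_CF = str.maketrans("-_~", "+=/")

def encode_policy(policy_json: str) -> str:
    """Encode a policy the way it appears in a signed URL (used to build the sample)."""
    return base64.b64encode(policy_json.encode()).decode().translate(_TO_CF)

def decode_policy(signed_url: str) -> dict:
    """Return the custom policy carried in a signed URL's Policy parameter."""
    query = parse_qs(urlsplit(signed_url).query)
    if "Policy" not in query:
        raise ValueError("no Policy parameter (canned-policy or unsigned URL)")
    return json.loads(base64.b64decode(query["Policy"][0].translate(_FROM_CF)))

def explain_denial(signed_url: str, client_ip: str, now: int) -> list:
    """List the policy conditions that this client address and time would fail."""
    problems = []
    visitor = ipaddress.ip_address(client_ip)
    for stmt in decode_policy(signed_url)["Statement"]:
        cond = stmt.get("Condition", {})
        cidr = cond.get("IpAddress", {}).get("AWS:SourceIp")
        if cidr and visitor not in ipaddress.ip_network(cidr, strict=False):
            problems.append(f"client {client_ip} is outside AWS:SourceIp {cidr}")
        expires = cond.get("DateLessThan", {}).get("AWS:EpochTime")
        if expires is not None and now >= expires:
            problems.append(f"policy expired at epoch {expires}")
    return problems

# Policy JSON as posted in the thread; Signature and Key-Pair-Id are placeholders.
POLICY = ('{"Statement":[{"Resource":"http://d3od88nicba67t.cloudfront.net/'
          'SD-os-gringos-parte-1-DOWN-SD.mp4","Condition":{"IpAddress":'
          '{"AWS:SourceIp":"207.210.203.168/32"},"DateLessThan":'
          '{"AWS:EpochTime":1424884195}}}]}')
SAMPLE_URL = ("http://d3od88nicba67t.cloudfront.net/SD-os-gringos-parte-1-DOWN-SD.mp4"
              "?Policy=" + encode_policy(POLICY)
              + "&Signature=PLACEHOLDER&Key-Pair-Id=PLACEHOLDER")

if __name__ == "__main__":
    # 203.0.113.25 is a constructed visitor address from the documentation range.
    for line in explain_denial(SAMPLE_URL, "203.0.113.25", now=1424880000):
        print(line)
```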

  25. jhall_3rd
    Member
    Posted 6 months ago #

    Filed a trouble ticket in s2m just now.

  26. JasWSInc
    Member
    Plugin Author

    Posted 6 months ago #

    > 207.210.203.168 is the IP of the server and not the client

    If you run the following test, what does it produce?

    <?php echo $_SERVER['REMOTE_ADDR']; ?>

  27. jhall_3rd
    Member
    Posted 6 months ago #

    207.210.203.168

  28. JasWSInc
    Member
    Plugin Author

    Posted 6 months ago #

    I see, thank you. So the issue is that your server environment is reporting an incorrect value in this variable. <?php echo $_SERVER['REMOTE_ADDR']; ?> should report the client's IP address, and <?php echo $_SERVER['SERVER_ADDR']; ?> should report the server's IP address. It appears that this might be reversed on your hosting platform.

  29. JasWSInc
    Member
    Plugin Author

    Posted 6 months ago #

    You might want to run the s2Member Server Scan tool. It can help you diagnose things like this. See: http://www.s2member.com/kb/server-scanner/

  30. jhall_3rd
    Member
    Posted 6 months ago #

    But this gave me MY IP:

    <?php echo $_SERVER['HTTP_X_FORWARDED_FOR']; ?>
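
When a reverse proxy or load balancer sits in front of PHP, `REMOTE_ADDR` holds the proxy's address and the visitor's address arrives in `X-Forwarded-For`, a header any client can also set itself. The following added example (not from the thread or from s2Member; `client_ip`, the trusted-proxy list and the 203.0.113.x / 198.51.100.x addresses are assumptions) picks the address to place in `AWS:SourceIp`, honouring the header only when the connection comes from a proxy you operate.

```python
import ipaddress

def client_ip(server_vars: dict, trusted_proxies: list) -> str:
    """Choose the visitor address from PHP-style server variables.

    server_vars mirrors $_SERVER (REMOTE_ADDR, HTTP_X_FORWARDED_FOR);
    trusted_proxies is a list of addresses/CIDRs of proxies you control.
    """
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def is_trusted(addr) -> bool:
        return any(addr in net for net in trusted)

    peer = ipaddress.ip_address(server_vars["REMOTE_ADDR"])
    if not is_trusted(peer):
        # Direct connection: the header is client-controlled, so ignore it.
        return str(peer)

    header = server_vars.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in header.split(",") if h.strip()]
    # Each proxy appends the address it saw, so walk right to left and
    # stop at the first hop that is not one of our own proxies.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: fall back to the socket peer
        if not is_trusted(addr):
            return str(addr)
    return str(peer)

if __name__ == "__main__":
    # Constructed request: the proxy address is the one reported in the thread.
    request = {"REMOTE_ADDR": "207.210.203.168",
               "HTTP_X_FORWARDED_FOR": "203.0.113.25"}
    print(client_ip(request, ["207.210.203.168/32"]))
```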

Topic Closed

This topic has been closed to new replies.
