colinmeinke/ghost-storage-adapter-s3

Does this work for Ghost 3?

sudo8com opened this issue · 16 comments

I am getting access denied when connected to S3 and CloudFront

Error ID:
ghost_1 | ba4e8df0-3e9d-11eb-875f-3bf6d4f677d6
ghost_1 |
ghost_1 | Error Code:
ghost_1 | AccessDenied
ghost_1 |
ghost_1 | ----------------------------------------
ghost_1 |
ghost_1 | InternalServerError: Access Denied
ghost_1 | at new GhostError (/var/lib/ghost/versions/3.40.1/node_modules/@tryghost/errors/lib/errors.js:10:26)
ghost_1 | at _private.prepareError (/var/lib/ghost/versions/3.40.1/core/server/web/shared/middlewares/error-handler.js:53:19)
ghost_1 | at Layer.handle_error (/var/lib/ghost/versions/3.40.1/node_modules/express/lib/router/layer.js:71:5)
ghost_1 | at trim_prefix (/var/lib/ghost/versions/3.40.1/node_modules/express/lib/router/index.js:315:13)
ghost_1 | at /var/lib/ghost/versions/3.40.1/node_modules/express/lib/router/index.js:284:7
ghost_1 | at Function.process_params (/var/lib/ghost/versions/3.40.1/node_modules/express/lib/router/index.js:335:12)
ghost_1 | at next (/var/lib/ghost/versions/3.40.1/node_modules/express/lib/router/index.js:275:10)
ghost_1 | at Layer.handle_error (/var/lib/ghost/versions/3.40.1/node_modules/express/lib/router/layer.js:67:12)
ghost_1 | at trim_prefix (/var/lib/ghost/versions/3.40.1/node_modules/express/lib/router/index.js:315:13)
ghost_1 | at /var/lib/ghost/versions/3.40.1/node_modules/express/lib/router/index.js:284:7
ghost_1 | at Function.process_params (/var/lib/ghost/versions/3.40.1/node_modules/express/lib/router/index.js:335:12)
ghost_1 | at next (/var/lib/ghost/versions/3.40.1/node_modules/express/lib/router/index.js:275:10)
ghost_1 | at /var/lib/ghost/versions/3.40.1/node_modules/express/lib/router/index.js:635:15
ghost_1 | at next (/var/lib/ghost/versions/3.40.1/node_modules/express/lib/router/index.js:260:14)
ghost_1 | at next (/var/lib/ghost/versions/3.40.1/node_modules/express/lib/router/route.js:127:14)
ghost_1 | at /var/lib/ghost/versions/3.40.1/core/server/api/shared/http.js:124:17
ghost_1 |
ghost_1 | AccessDenied: Access Denied
ghost_1 | at Request.extractError (/var/lib/ghost/node_modules/aws-sdk/lib/services/s3.js:700:35)
ghost_1 | at Request.callListeners (/var/lib/ghost/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
ghost_1 | at Request.emit (/var/lib/ghost/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
ghost_1 | at Request.emit (/var/lib/ghost/node_modules/aws-sdk/lib/request.js:688:14)
ghost_1 | at Request.transition (/var/lib/ghost/node_modules/aws-sdk/lib/request.js:22:10)
ghost_1 | at AcceptorStateMachine.runTo (/var/lib/ghost/node_modules/aws-sdk/lib/state_machine.js:14:12)
ghost_1 | at /var/lib/ghost/node_modules/aws-sdk/lib/state_machine.js:26:10
ghost_1 | at Request. (/var/lib/ghost/node_modules/aws-sdk/lib/request.js:38:9)
ghost_1 | at Request. (/var/lib/ghost/node_modules/aws-sdk/lib/request.js:690:12)
ghost_1 | at Request.callListeners (/var/lib/ghost/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
ghost_1 | at Request.emit (/var/lib/ghost/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
ghost_1 | at Request.emit (/var/lib/ghost/node_modules/aws-sdk/lib/request.js:688:14)
ghost_1 | at Request.transition (/var/lib/ghost/node_modules/aws-sdk/lib/request.js:22:10)
ghost_1 | at AcceptorStateMachine.runTo (/var/lib/ghost/node_modules/aws-sdk/lib/state_machine.js:14:12)
ghost_1 | at /var/lib/ghost/node_modules/aws-sdk/lib/state_machine.js:26:10
ghost_1 | at Request. (/var/lib/ghost/node_modules/aws-sdk/lib/request.js:38:9)

iozz commented

Same for me.

Can anyone from the dev team confirm if this works for Ghost 3? Or is there another compatible repo?

same here

It's funny how the official Ghost docs mention this and it's so out of date... 🤯

iamtk commented

I've had this working using the latest version of Ghost v3 (edit: 3.40.5), although I'm using Digital Ocean's spaces S3 compatible object storage.

I was able to use it with ghost 3.40.5. It was my fault, I'm new with ghost and I was trying to use it in docker environment with a minIO s3. It wasn't clear to me how and where to install it from the docs. I adapted the steps from https://github.com/robincsamuel/ghost-google-drive and it worked.

Is there going to be any updates or any way I can integrate Ghost with S3 & CloudFront?

I was able to get this to work with Ghost version 3.41.6. I have an S3 bucket set up as an origin to CloudFront + custom SSL. I turned on CloudTrail Data Events on the S3 bucket, got the access logs, and found out that when I uploaded an image, it made two calls.

  1. GetObject to check if image exists. This call returns NoSuchKey error if it is a new image.
  2. PutObject to upload image. This call set x-amz-acl header to public-read and it returned AccessDenied error.

So, I set the acl to private in config.production.json file and it works!

My bucket setup

  • Static Website hosting: Disabled
  • Block all public access

Bucket policy (added via CloudFront)

{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity [xxxx]"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::[bucket]/*"
        }
    ]
}

My config.production.json (assetHost is the CloudFront domain)

...
"storage": {
    "active": "s3",
    "s3": {
      "accessKeyId": "[key]",
      "secretAccessKey": "[secret]",
      "region": "[region]",
      "bucket": "[bucket]",
      "assetHost": "https://[subdomain].example.com",
      "forcePathStyle": true,
      "acl": "private"
    }
  }
...

Hope this helps.
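The CloudTrail triage described in the comment above, as an added example (not code from this thread or from the adapter): it classifies S3 data-event records so that the harmless `NoSuchKey` existence check is separated from a `PutObject` denied while requesting a public canned ACL. The sample records are constructed, and the record layout (`requestParameters` carrying `x-amz-acl`) and the function names are assumptions.

```javascript
// Constructed CloudTrail S3 data events for illustration; not real logs.
// Assumption: the canned ACL appears as requestParameters['x-amz-acl'].
const sampleRecords = [
  { eventSource: 's3.amazonaws.com', eventName: 'GetObject', errorCode: 'NoSuchKey',
    requestParameters: { bucketName: 'example-bucket', key: '2021/01/photo.png' } },
  { eventSource: 's3.amazonaws.com', eventName: 'PutObject', errorCode: 'AccessDenied',
    requestParameters: { bucketName: 'example-bucket', key: '2021/01/photo.png',
                         'x-amz-acl': 'public-read' } },
  { eventSource: 's3.amazonaws.com', eventName: 'PutObject',
    requestParameters: { bucketName: 'example-bucket', key: '2021/01/other.png',
                         'x-amz-acl': 'private' } },
  { eventSource: 's3.amazonaws.com', eventName: 'PutObject', errorCode: 'AccessDenied',
    requestParameters: { bucketName: 'example-bucket', key: '2021/01/third.png' } },
];

// Canned ACLs that grant access to everyone; S3 rejects these on PUT when
// the bucket's Block Public Access setting "BlockPublicAcls" is enabled.
const PUBLIC_ACLS = new Set(['public-read', 'public-read-write']);

// Return the canned ACL requested by the call, or null if none was sent.
function requestedAcl(record) {
  const value = (record.requestParameters || {})['x-amz-acl'];
  if (value === undefined) return null;
  return Array.isArray(value) ? value[0] : value; // tolerate list-valued headers
}

function classify(record) {
  if (record.eventSource !== 's3.amazonaws.com') return 'ignored';
  if (record.eventName === 'GetObject' && record.errorCode === 'NoSuchKey') {
    return 'existence-check'; // expected for a new upload, not a fault
  }
  if (record.eventName === 'PutObject' && record.errorCode === 'AccessDenied') {
    // A public ACL points at Block Public Access or a missing s3:PutObjectAcl
    // permission; without one, look at the s3:PutObject permission instead.
    return PUBLIC_ACLS.has(requestedAcl(record)) ? 'denied-public-acl' : 'denied-other';
  }
  return record.errorCode ? 'other-error' : 'ok';
}

function triage(records) {
  return records.map((r) => ({
    key: (r.requestParameters || {}).key,
    event: r.eventName,
    acl: requestedAcl(r),
    verdict: classify(r),
  }));
}

console.log(triage(sampleRecords));
```

A `denied-public-acl` verdict on a bucket with "Block all public access" enabled is the case the comment resolves by setting `"acl": "private"`; the bucket stays private and CloudFront serves the objects.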

@colinmeinke This worked for me. It would be great if we can add some more details in the documentation about what acl does please?

Was able to make it work with latest version as well. I am using helm to deploy and manually add the adapter files.

Helm chart version: 13.0.14
Ghost-CLI version: 1.17.3
Ghost version: 4.7.0

It worked for me too, as @booleanhunter said, it would be nice to add more detail about this in the documentation

I'm using the Bitnami Ghost stack, with stack version = "4.44.0-0". Not working for me; after modifying the config file, Ghost does not even start.

It's funny how the official Ghost docs mention this and it's so out of date... 🤯

it works, but you gotta do some modifications.

It's funny how the official Ghost docs mention this and it's so out of date... 🤯

Ghost has exploded as an organization and is going through some growing pains (IMO). It is definitely insane that a repo that hasn't seen a commit in 6 years is linked by their own docs. The other thing they link is IN READ ONLY MODE. Whoops. Good luck bringing this to anyone's attention; it's pretty hard to tell where you can actually effect change on this kind of thing. I brought some pretty obvious best practices to one of their theme repos about a year ago and got ignored and auto-closed by their bot.

it works, but you gotta do some modifications.

Hey buddy, you should fork and publish these changes. This is a pretty critical plugin to get dropped.

Sure, will share them in a couple of days.

Fantastic. Let me know and I'll test it out.