Cannot move files on S3 external storage, permission denied

Nextcloud version (eg, 29.0.5): 29.0.7
Operating system and version (eg, Ubuntu 24.04): installatron on cloudlinux shared hosting
Apache or nginx version (eg, Apache 2.4.25): litespeed
PHP version (eg, 8.3): 8.2

The issue you are facing: I cannot move files located on S3 external storage. I can create, modify and delete.

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:

  1. Create file in external storage
  2. Attempt to move it
  3. S3Exception Error executing “CopyObject”

I am using S3 from Amazon directly. I have configured permissions using IAM; however, there is no distinction in the permissions profile to differentiate move from create.

This is my IAM permission:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObjectTagging",
                "s3:ListBucketMultipartUploads",
                "s3:DeleteObjectVersion",
                "s3:GetObjectVersionTagging",
                "s3:ListBucketVersions",
                "s3:GetObjectAttributes",
                "s3:PutObjectVersionTagging",
                "s3:ListBucket",
                "s3:DeleteObjectVersionTagging",
                "s3:GetBucketVersioning",
                "s3:GetObjectVersionAttributes",
                "s3:ListMultipartUploadParts",
                "s3:PutObject",
                "s3:GetObject",
                "s3:AbortMultipartUpload",
                "s3:PutObjectTagging",
                "s3:GetObjectVersionForReplication",
                "s3:DeleteObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket/*",
                "arn:aws:s3:::mybucket"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "myserverstaticips"
                    ]
                }
            }
        }
    ]
}

The output of your Nextcloud log in Admin > Logging:

[files_external] Error: Error executing "CopyObject" on "https://mydomain.s3.mys3bucketlocation.amazonaws.com/myfilepath.pdf"; AWS HTTP error: Client error: `PUT https://mydomain.s3.mys3bucketlocation.amazonaws.com/myfilepath.pdf` resulted in a `403 Forbidden` response:
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>*****</RequestId><HostId>***** (truncated...)
 AccessDenied (client): Access Denied - <Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>*****</RequestId><HostId>*****=</HostId></Error>
	MOVE /remote.php/dav/files/myuser/myfilepath.pdf
	from myipaddress by myuser at Sep 14, 2024, 10:01:54 a.m.

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => '*****',
  'passwordsalt' => '*****',
  'secret' => '*****',
  'trusted_domains' => 
  array (
    0 => 'subdomain.domain.com',
    1 => 'www.sudomain.domain.com',
  ),
  'datadirectory' => '*****',
  'dbtype' => 'mysql',
  'version' => '29.0.7.1',
  'overwrite.cli.url' => 'https://subdomain.domain.com/',
  'dbname' => '*****',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'nc_',
  'mysql.utf8mb4' => true,
  'dbuser' => '*****',
  'dbpassword' => '*****',
  'installed' => true,
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => '/home/*****/.redis/redis.sock',
    'port' => 0,
    'dbindex' => 0,
  ),
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'htaccess.RewriteBase' => '/',
  'preview_max_memory' => 2048,
  'enable_previews' => true,
  'enabledPreviewProviders' => 
  array (
    0 => 'OC\\Preview\\PNG',
    1 => 'OC\\Preview\\JPEG',
    2 => 'OC\\Preview\\GIF',
    3 => 'OC\\Preview\\BMP',
    4 => 'OC\\Preview\\XBitmap',
    5 => 'OC\\Preview\\PDF',
    6 => 'OC\\Preview\\MP3',
    7 => 'OC\\Preview\\TXT',
    8 => 'OC\\Preview\\MarkDown',
    9 => 'OC\\Preview\\HEIC',
    10 => 'OC\\Preview\\MKV',
    11 => 'OC\\Preview\\MP4',
    12 => 'OC\\Preview\\AVI',
    13 => 'OC\\Preview\\Movie',
  ),
  'preview_max_x' => '2048',
  'preview_max_y' => '2048',
  'mail_from_address' => 'info',
  'mail_domain' => '*****.com',
  'mail_smtpauth' => 1,
  'mail_smtpauthtype' => 'PLAIN',
  'mail_smtphost' => '*****',
  'mail_smtpport' => '587',
  'mail_smtpsecure' => 'tls',
  'mail_smtpname' => '*****@*****.com',
  'mail_smtppassword' => '*****',
  'maintenance' => false,
  'default_phone_region' => 'CA',
  'theme' => '',
  'log_type' => 'file',
  'logfile' => '*****.log',
  'logtimezone' => 'America/Toronto',
  'loglevel' => 2,
  'jpeg_quality' => '80',
  'session_relaxed_expiry' => false,
  'maintenance_window_start' => 1,
);

The output of your Apache/nginx/system log in /var/log/____:

myipaddress - - [14/Sep/2024:11:57:05 -0400] "MOVE /remote.php/dav/files/myuser/myfilepath.pdf HTTP/2" 403 345 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"

Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.

I have an error

  • Your web server is not properly set up to resolve “/ocs-provider/”. This is most likely related to a web server configuration that was not updated to deliver this folder directly. Please compare your configuration against the shipped rewrite rules in “.htaccess” for Apache or the provided one in the documentation for Nginx. On Nginx those are typically the lines starting with “location ~” that need an update. For more details see the documentation.

That I can’t resolve on the dashboard. I can’t access the server config because I’m on shared hosting installed using installatron. I haven’t found a solution in the .htaccess and I don’t think this is the issue.

The issue began when my webhost server crashed for a period of 6 hours and they restarted the server. However the webhost denies any changes taking place.

The only other event that took place recently was a direct upgrade from 28.0.10 to 29.0.1 without going to 29.0.0 first, however things seem to work fine, except the photos app doesn’t show all of the photos on the external S3 bucket anymore on the all media tab, however using the folder browser within the photos app I can see everything on the external storage.

Any help or suggestions to debug would be appreciated. Now I have to copy a file from the external storage to my local machine, and then write it back to the external storage in a new location which is very inconvenient.

No suggestions? Bump…

The 403 is coming from AWS S3 infrastructure.

Chances are it is your policy.

Are you sure your Nextcloud server’s source IP for outbound connections hasn’t changed to a different IP address?

You are correct. I re-read https://docs.aws.amazon.com/AmazonS3/latest/userguide/copy-object.html and discovered that my policy was missing s3:GetObjectTagging.

Thanks for the response
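
An added example, not part of the thread and not Nextcloud or AWS code: an offline check that lists which actions a CopyObject call relies on are not granted by an IAM policy, run against the action list posted above. The required-action set (s3:GetObject and s3:GetObjectTagging on the source, s3:PutObject and s3:PutObjectTagging on the destination, for the default case where tags are copied with the object) and all function names are assumptions of this sketch; Condition blocks such as the aws:SourceIp restriction and Deny statements are not evaluated.

```python
from fnmatch import fnmatchcase

# Assumed requirement set for CopyObject when tags are copied with the object
# (the default): read + read-tags on the source, write + write-tags on the target.
COPY_SOURCE = ("s3:GetObject", "s3:GetObjectTagging")
COPY_DEST = ("s3:PutObject", "s3:PutObjectTagging")

# Action list as posted in the thread; bucket name is the thread's placeholder.
POSTED_ACTIONS = """
s3:DeleteObjectTagging s3:ListBucketMultipartUploads s3:DeleteObjectVersion
s3:GetObjectVersionTagging s3:ListBucketVersions s3:GetObjectAttributes
s3:PutObjectVersionTagging s3:ListBucket s3:DeleteObjectVersionTagging
s3:GetBucketVersioning s3:GetObjectVersionAttributes s3:ListMultipartUploadParts
s3:PutObject s3:GetObject s3:AbortMultipartUpload s3:PutObjectTagging
s3:GetObjectVersionForReplication s3:DeleteObject s3:GetObjectVersion
""".split()
POSTED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": POSTED_ACTIONS,
    "Resource": ["arn:aws:s3:::mybucket/*", "arn:aws:s3:::mybucket"]}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed(policy, action, resource_arn):
    """True if an Allow statement covers action on resource_arn.
    Simplified: Condition, Deny, NotAction and NotResource are not evaluated."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive and may use * and ? wildcards.
        act_ok = any(fnmatchcase(action.lower(), a.lower())
                     for a in _as_list(stmt.get("Action", [])))
        res_ok = any(fnmatchcase(resource_arn, r)
                     for r in _as_list(stmt.get("Resource", [])))
        if act_ok and res_ok:
            return True
    return False

def missing_for_copy(policy, bucket, src_key, dst_key):
    """Return the CopyObject-related actions the policy does not grant."""
    src = f"arn:aws:s3:::{bucket}/{src_key}"
    dst = f"arn:aws:s3:::{bucket}/{dst_key}"
    needed = [(a, src) for a in COPY_SOURCE] + [(a, dst) for a in COPY_DEST]
    return [a for a, arn in needed if not allowed(policy, a, arn)]

if __name__ == "__main__":
    print(missing_for_copy(POSTED_POLICY, "mybucket", "myfilepath.pdf", "moved/myfilepath.pdf"))
```

An empty result only means the action list is sufficient; a 403 can still come from a Condition that no longer matches, such as a changed outbound IP.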
