Reputation: 783
This is my bucket policy
{
    "Version" : "2012-10-17",
    "ID" : "************",
    "Statement" : [
        {
            "Sid" : "************",
            "Effect" : "Allow",
            "Principal" : "*",
            "Action" : [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:GetObjectAcl"
            ],
            "Resource" : "************************"
        }
    ]
}
and here's the code I used to upload image:
[HttpPost]
public bool UploadFile(string file)
{
    var s3Client = new AmazonS3Client(accesskey, secretkey, RegionEndpoint.APSoutheast1);
    var fileTransferUtility = new TransferUtility(s3Client);
    if (file.Length > 0)
    {
        var filePath = file;
        var fileTransferUtilityRequest = new TransferUtilityUploadRequest
        {
            BucketName = bucketName,
            FilePath = filePath,
            StorageClass = S3StorageClass.StandardInfrequentAccess,
            PartSize = 6291456, // 6 MB.
            Key = keyName,
            CannedACL = S3CannedACL.PublicRead
        };
        fileTransferUtilityRequest.Metadata.Add("param1", "Value1");
        fileTransferUtilityRequest.Metadata.Add("param2", "Value2");
        fileTransferUtility.Upload(fileTransferUtilityRequest);
        fileTransferUtility.Dispose();
    }
    return true;
}
and I am getting "The bucket does not allow ACLs" even after setting it to "ACLs enabled" in object ownership
Upvotes: 78
Views: 122932
Reputation: 300
We're uploading some files to a shared bucket and couldn't change ACL settings. The only thing that worked for us is to add the following to the s3 config:
'options' => [
    'ACL' => ''
]
So then s3 config looks like:
's3' => [
    'driver' => 's3',
    'key' => env('AWS_ACCESS_KEY_ID'),
    'secret' => env('AWS_SECRET_ACCESS_KEY'),
    'region' => env('AWS_DEFAULT_REGION'),
    'bucket' => env('AWS_BUCKET'),
    'url' => env('AWS_URL'),
    'endpoint' => env('AWS_ENDPOINT'),
    'options' => [
        'ACL' => '',
    ],
]
Upvotes: 1
Reputation: 21549
@Rutger's answer is correct, and now it's 2022, the AWS console has changed (not a lot, but somewhat), so let me show the images:
0. Go to your S3 bucket page; almost all the operations are on this page (2024.8):
1. Assume you have created the S3 bucket, in the list page,
2. Don't toggle the "block" options.
3. Find the ownership, then click edit.
4. Edit the object ownership (ACLs enabled).
5. Now the edit button for ACL is clickable.
6. Toggle the permissions you want and save changes.
It's done, now you can upload images to S3 via the command line and then visit them in your browser:
Upvotes: 225
Reputation: 32315
With kudos to @siwei, if you want to enable uploads with ACL to S3 using the AWS command line tool, this is how to do this from the command line:
(line breaks were added for clarity and are optional, but it should also work fine as shown)
$ aws s3api put-public-access-block --bucket MY_BUCKET \
--public-access-block-configuration 'BlockPublicAcls=false,
IgnorePublicAcls=false,
BlockPublicPolicy=false,
RestrictPublicBuckets=false'
$ aws s3api put-bucket-ownership-controls --bucket MY_BUCKET \
--ownership-controls 'Rules=[{ObjectOwnership="BucketOwnerPreferred"}]'
It seems that this complicated syntax was purposefully created to make it as hard as possible for S3 users to upload publicly accessible objects.
Upvotes: 4
Reputation: 15013
We had a similar problem with the ACL restriction from php in Laravel.
We have an IAM user with the correct permissions. I set this up in my local user with aws configure --profile dev-s3-write. I can now write to the bucket using aws cli s3 sync local s3://<bucket> --profile dev-s3-write
Providing the same credentials to the php environment which is running inside Laravel gave
... AccessControlListNotSupported (client): The bucket does not allow ACLs ...
The above solution from @Siwei worked, but I want to get rid of ACLs, and use bucket policies properly.
If you have ACLs set up as above, the bucket policy has no effect, so may as well not be there.
After a lot of reading and checking with AWS the solution was this:
Bucket policy must contain (see my example at the bottom)
...
"s3:PutObjectAcl",
"s3:GetObjectAcl",
...
In the code our upload command was this
$isStore = Storage::disk(env('CLOUD_STORAGE_DISK'))->put($filePath, file_get_contents($file), 'public');
The public caused the problem. Changing this to private works, e.g. good code:
$isStore = Storage::disk(env('CLOUD_STORAGE_DISK'))->put($filePath, file_get_contents($file), 'private');
The explanation (I’m no IAM/Policy expert) is that when the user tries to upload an object to a bucket as "public" they are trying to impose an ACL upon it hence the error. Setting this to private means that the file is privately owned, but will adhere to the bucket policy e.g. public read only.
my policy is now:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowOwnerReadDeleteWrite",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<your-account-id>:user/<dedicated-s3-user>"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:RestoreObject",
                "s3:ListBucketVersions",
                "s3:ListMultipartUploadParts",
                "s3:GetObjectAttributes",
                "s3:GetObjectVersion",
                "s3:PutObjectAcl",
                "s3:GetObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket>/*",
                "arn:aws:s3:::<bucket>"
            ]
        },
        {
            "Sid": "AllowWorldRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<bucket>/*"
        }
    ]
}
I hope this helps.
Upvotes: 5
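Added example (not part of any post above): a small offline audit that lists which statements of a bucket policy are open to anonymous callers and whether they include object writes, run on the shape of the question's policy and of the policy in the answer above. The function names, the Sid "QuestionStatement", the bucket name, the account ID and the user name are constructed placeholders, and the answer's action list is shortened.

```python
import fnmatch
# Not exhaustive: actions that change bucket contents or object ACLs.
WRITE_ACTIONS = ("s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # Matches "Principal": "*" and {"AWS": "*"} (string or list form).
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in _as_list(principal)

def audit_anonymous_access(policy):
    """Return (sid, severity, write_actions) for every Allow statement open to
    anyone. NotPrincipal/NotAction statements are not evaluated here."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        # IAM action names are case-insensitive and may contain * and ? wildcards.
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        writes = sorted(a for a in WRITE_ACTIONS
                        if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns))
        severity = "write" if writes else "read-or-other"
        if "Condition" in stmt:
            severity += " (conditional)"
        findings.append((stmt.get("Sid", ""), severity, writes))
    return findings

# Constructed sample: the question's policy with placeholder Sid and bucket name.
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "QuestionStatement", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:GetObjectAcl"],
    "Resource": "arn:aws:s3:::example-bucket/*"}]}

# Constructed sample: the shape of the answer's policy, action list shortened.
ANSWER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowOwnerReadDeleteWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:user/example-s3-user"},
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl"],
     "Resource": ["arn:aws:s3:::example-bucket/*", "arn:aws:s3:::example-bucket"]},
    {"Sid": "AllowWorldRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}

if __name__ == "__main__":
    for name, doc in (("question", QUESTION_POLICY), ("answer", ANSWER_POLICY)):
        print(name, audit_anonymous_access(doc))
```

The question's single statement is reported as an anonymous write grant, while the answer's policy only exposes s3:GetObject to everyone and keeps writes with the named IAM user.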
Reputation: 1112
You should be able to go to the AWS S3 console and navigate to the bucket details for the bucket you try to write objects to. You'll see a tab called 'Permissions'. There you have the option to change the "Object Ownership" at a block with the same title.
Once there, you can choose the option "ACLs enabled".
After applying those changes, you should be able to write objects with ACL options.
Upvotes: 80