0

I am doing a direct to S3 upload, and I have the presigned post declared like this:

@s3_direct_post = S3_BUCKET.presigned_post(key: "images/#{SecureRandom.uuid}/${filename}", success_action_status: '201', acl: 'public-read', allow_any: ['utf8', 'authenticity_token'])

When in the development environment, it builds everything correctly and I get something like this:

{"key"=>"images/1be59d13-9d65-4d70-b631-93834409f361/${filename}", "success_action_status"=>"201", "acl"=>"public-read", "policy"=>"<BASE_64_POLICY>", "x-amz-credential"=>"<MY_ACCESS_KEY>/20180505/us-east-1/s3/aws4_request", "x-amz-algorithm"=>"AWS4-HMAC-SHA256", "x-amz-date"=>"20180505T232823Z", "x-amz-signature"=>"<AMZ_SIGNATURE>"}

But after I push it to Heroku, I get something like this:

{"key"=>"images/1be59d13-9d65-4d70-b631-93834409f361/${filename}", "success_action_status"=>"201", "acl"=>"public-read", "policy"=>"<BASE_64_POLICY>", "x-amz-credential"=>"/20180505/us-east-1/s3/aws4_request", "x-amz-algorithm"=>"AWS4-HMAC-SHA256", "x-amz-date"=>"20180505T232823Z", "x-amz-signature"=>"<AMZ_SIGNATURE>"}

Now that my Access Key (AKID) is no longer there, I get this error:

<Error><Code>InvalidArgument</Code><Message>a non-empty Access Key (AKID) must be provided in the credential.</Message><ArgumentName>X-Amz-Credential</ArgumentName><ArgumentValue>/20180505/us-east-1/s3/aws4_request</ArgumentValue><RequestId>%REQUESTID%</RequestId><HostId>%HOSTID%</HostId></Error>

My AWS credentials are declared in initalizers/aws.rb, so they are not dependent on the environment type. What could possibly be causing this?

Edit (showing how I declare the S3_BUCKET is a constant I initialize in aws.rb):

Aws.config.update({ region: 'us-east-1', credentials: Aws::Credentials.new(ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY']) })

S3_BUCKET = Aws::S3::Resource.new.bucket(ENV['S3_BUCKET'])

Also, the difference between the two presigned-post objects:

"x-amz-credential"=>"<MY_ACCESS_KEY>/20180505/us-east-1/s3/aws4_request"

"x-amz-credential"=>"/20180505/us-east-1/s3/aws4_request"

Vincent Taglia
  • 173
  • 1
  • 3
  • 12

1 Answers1

2

You should not commit your credentials in your git repository so you should make sure in your initializer:

in config/initializers/credentials.rb

AWS_ACCESS_KEY_ID = ENV['AWS_ACCESS_KEY_ID']
AWS_SECRET_ACCESS_KEY = ENV['AWS_SECRET_ACCESS_KEY']

And use heroku-cli to configure your credentials on your app

heroku config:set AWS_ACCESS_KEY_ID=someLongHashKey AWS_SECRET_ACCESS_KEY=anotherLongHashKey --app my_app_name
# see heroku config --help

But your error may have to do with AWS SDK Presigned Post Ruby

and see https://docs.aws.amazon.com/sdkforruby/api/Aws/S3/PresignedPost.html

If that doesn't help, post how you're defining Aws::S3::PresignedPost.new

Finally, double check to make sure you've set your environment variables correctly in heroku

heroku config --app my_app_name #use your actual app name of course
lacostenycoder
  • 10,623
  • 4
  • 31
  • 48
  • Thanks for the reply. I just updated OP to show how I declare S3_BUCKET using environment variables, but the issue is `Aws::S3::PresignedPost.new` giving me different answers in development and production when the environment variables are the same. The first line of code in OP is how I define `Aws::S3::PresignedPost.new`, using the S3_BUCKET constant I defined in aws.rb. Development gives me a correct presigned-post, and production gives me a presigned-post without an access key at the beginning of x-amz-credential. I can't find any documentation about why this would happen. – Vincent Taglia May 06 '18 at 17:03
  • are you sure you've set the environment variables in Heroku? if you type this in the command line `heroku config --app my_app_name` it should output all of your environment variables. Make sure those are set correctly and don't contain any typos. – lacostenycoder May 06 '18 at 18:32
  • 1
    _**sigh**_ It was a typo in my heroku environment variable. I thought I had double checked that but apparently not well enough. Thanks for the help! – Vincent Taglia May 06 '18 at 18:53