Continuously getting 403 from https://gateway.storjshare.io

Yaluba · January 5, 2024, 11:08am

Working fine yesterday, but today I am getting 403 on all the requests sent to the S3 gateway.
Just to check, I created new S3 Credentials with all permissions for all buckets in my account in region EU1, but I still get “403 Forbidden” for all the request, whether to list buckets (listBuckets), check if a bucket exists (headBucket) or list objects in a bucket (listObjects).

The gateway seems to respond correctly to health checks:

curl -v https://gateway.storjshare.io/-/health

Trying 136.0.77.2:443…

Connected to gateway.storjshare.io (136.0.77.2) port 443

schannel: disabled automatic use of client certificate

ALPN: curl offers http/1.1

ALPN: server accepted http/1.1

using HTTP/1.1

GET /-/health HTTP/1.1
Host: gateway.storjshare.io
User-Agent: curl/8.4.0
Accept: /

< HTTP/1.1 200 OK
< Content-Security-Policy: block-all-mixed-content
< Vary: Origin
< X-Amz-Request-Id: 17A76DD5B07A0FD2
< X-Xss-Protection: 1; mode=block
< Date: Fri, 05 Jan 2024 10:49:08 GMT
< Content-Length: 0
<

Connection #0 to host gateway.storjshare.io left intact

Is it possible to get more info one why the GW is rejecting all my requests?

PS: I get the same result when I try aws s3 ls via the AWS CLI endpoint.

moby · January 5, 2024, 3:07pm

@Yaluba a couple questions to help me better understand what the issue could be:

can you confirm if you are able to view objects from the satellite web UI?
could you privately share your EU1 account email address with me? Either via a DM on this platform, or in an email to moby@storj.io - this will allow me to check our database to see if there is anything there which could indicate a problem

Another thing you could try is generate an access grant in the satellite UI, and try to use this with uplink, e.g. with the following steps:

uplink access import jan5accesstest <access from UI>
uplink access use jan5accesstest
uplink ls
uplink ls sj://<bucketname>

If inconvenient, do not worry about testing with Uplink. Letting me know about the object browser and providing me with your email should be sufficient to start with.

Thank you

Yaluba · January 5, 2024, 3:41pm

thanks Moby, just sent a private email.
On WEB UI, I have no proble to acces the buckets. I will try with uplink cli later today.

Alexey · January 6, 2024, 3:12am

Is it possible that you have a not valid or limited credentials in the ~/.aws directory?
Many S3-compatible tools uses them by default.
You may override them with environment variables: Environment variables to configure the AWS CLI - AWS Command Line Interface

Yaluba · January 6, 2024, 9:44am

Hello Alexey,

It solved it looking in that direction.
The creds in “~/.aws/credentials” were old and overrode the ones passed programmatically. For some reason that I could not figure out, this started happening just after I installed aws s3 cli following the Storj instructions. This created a “~/.aws/config” and the creds in different config files probably messed with each other.
Finally, it worked again when I removed all files with credentials in “~/.aws/”. Then it started using only the ones that I pass programmatically.

Alexey · January 6, 2024, 11:17am

If you installed an AWS CLI it starting to behave like this… almost all s3-compatible tools starting to look into ~/.aws/credentials instead of what is provided programmatically.
There are only two options:

remove ~/.aws/credentials
use environment variables to override settings in ~/.aws/credentials

By the way, I’m not sure that p.2 is enough for everyone used tool…