electron-builder: S3 Provider fails to upload

  • Version: 18.3.0
  • Electron-Updater: 2.0.0
  • Target: OSX/Windows

I’m using the S3 provider. I can confirm my ENV vars are set properly by successfully uploading via the command line using the aws tool. However, when I go to publish I get:

Error: Cannot cleanup:

Error #1 --------------------------------------------------------------------------------
AccessDenied: Access Denied
    at Request.extractError (/Users/bhilkert/Dropbox/code/bark-desktop/node_modules/electron-publisher-s3/node_modules/aws-sdk/lib/services/s3.js:539:35)
    at Request.callListeners (/Users/bhilkert/Dropbox/code/bark-desktop/node_modules/electron-publisher-s3/node_modules/aws-sdk/lib/sequential_executor.js:105:20)
    at Request.emit (/Users/bhilkert/Dropbox/code/bark-desktop/node_modules/electron-publisher-s3/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
    at Request.emit (/Users/bhilkert/Dropbox/code/bark-desktop/node_modules/electron-publisher-s3/node_modules/aws-sdk/lib/request.js:682:14)
    at Request.transition (/Users/bhilkert/Dropbox/code/bark-desktop/node_modules/electron-publisher-s3/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/Users/bhilkert/Dropbox/code/bark-desktop/node_modules/electron-publisher-s3/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /Users/bhilkert/Dropbox/code/bark-desktop/node_modules/electron-publisher-s3/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/Users/bhilkert/Dropbox/code/bark-desktop/node_modules/electron-publisher-s3/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/Users/bhilkert/Dropbox/code/bark-desktop/node_modules/electron-publisher-s3/node_modules/aws-sdk/lib/request.js:684:12)
    at Request.callListeners (/Users/bhilkert/Dropbox/code/bark-desktop/node_modules/electron-publisher-s3/node_modules/aws-sdk/lib/sequential_executor.js:115:18)
    at Request.emit (/Users/bhilkert/Dropbox/code/bark-desktop/node_modules/electron-publisher-s3/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
    at Request.emit (/Users/bhilkert/Dropbox/code/bark-desktop/node_modules/electron-publisher-s3/node_modules/aws-sdk/lib/request.js:682:14)
    at Request.transition (/Users/bhilkert/Dropbox/code/bark-desktop/node_modules/electron-publisher-s3/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/Users/bhilkert/Dropbox/code/bark-desktop/node_modules/electron-publisher-s3/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /Users/bhilkert/Dropbox/code/bark-desktop/node_modules/electron-publisher-s3/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/Users/bhilkert/Dropbox/code/bark-desktop/node_modules/electron-publisher-s3/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/Users/bhilkert/Dropbox/code/bark-desktop/node_modules/electron-publisher-s3/node_modules/aws-sdk/lib/request.js:684:12)
    at Request.callListeners (/Users/bhilkert/Dropbox/code/bark-desktop/node_modules/electron-publisher-s3/node_modules/aws-sdk/lib/sequential_executor.js:115:18)
    at callNextListener (/Users/bhilkert/Dropbox/code/bark-desktop/node_modules/electron-publisher-s3/node_modules/aws-sdk/lib/sequential_executor.js:95:12)
    at IncomingMessage.onEnd (/Users/bhilkert/Dropbox/code/bark-desktop/node_modules/electron-publisher-s3/node_modules/aws-sdk/lib/event_listeners.js:256:13)
    at emitNone (events.js:91:20)
    at IncomingMessage.emit (events.js:188:7)
From previous event:
    at Request.promise (/Users/bhilkert/Dropbox/code/bark-desktop/node_modules/electron-publisher-s3/node_modules/aws-sdk/lib/request.js:776:12)
    at /Users/bhilkert/Dropbox/code/bark-desktop/node_modules/electron-publisher-s3/src/uploader.ts:86:153
    at Timeout.tryRun [as _onTimeout] (/Users/bhilkert/Dropbox/code/bark-desktop/node_modules/electron-publisher-s3/src/uploader.ts:198:9)
    at ontimeout (timers.js:386:14)
    at tryOnTimeout (timers.js:250:5)
    at Timer.listOnTimeout (timers.js:214:5)

About this issue

  • Original URL
  • State: closed
  • Created 7 years ago
  • Comments: 27 (3 by maintainers)

Commits related to this issue

Most upvoted comments

@dsagal and @develar that’s what we ended up with after trailing the CloudTrail logs for the requests issued by the electron-builder:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAppS3Releases",
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectVersion",
                "s3:ListMultipartUploadParts",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::release-bucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": [
                "arn:aws:s3:::release-bucket"
            ]
        }
    ]
}

notice the *ObjectAcl actions that we need to allow: that’s because the electron-build adds a header "x-amz-acl": "public-read" with each upload - trying to mark every object as publicly readable. I am going to open another issue #1822 to ask the developers to make that optional, since one can also achieve the same effect with appropriately crafted S3 bucket policy.

+31
romanrev on Jul 12, 2017

I needed s3:GetBucketLocation as well.

+16
jacob-qurika on Apr 27, 2018

Reopened — question “Can you confirm the minimal permissions for the S3 provider?” is not answered, we must do something smart to save user’s time.

+15
develar on Jun 11, 2017

To everyone coming from the docs who is as stupid as I am:

You have to change your bucket-name in these permissions …

+14
emilbruckner on Jan 17, 2018

I was able to get this working for a private bucket after setting ACL to ‘private’:

 "publish": {    
      "provider": "s3",    
      "bucket": "bucket-name",    
      "region": "us-east-2",    
      "acl": "private"    
    }
+8
laurenschroeder on May 1, 2020

Thanks for the policy guide! I wanted to add that apart from setting I also had to uncheck the Block new public ACLs and uploading public objects (Recommended) option in the Permissions tab for it to let me upload, otherwise I kept on getting Access Denied.

screenshot 2018-11-27 at 20 28 18

EDIT: I also had to uncheck the second option Remove public access granted through public ACLs (Recommended) otherwise the app wasn’t able to look for updates.

+6
dariocravero on Nov 27, 2018

@mlynch you have two options

  1. use * and allow everyone access to your bucket (not recommended)
  2. create an iam user and use it’s AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY

Then add the user to the policy. I named my iam user ci_server

"Sid": "Stmt123456789",
"Effect": "Allow",
"Principal": {
    "AWS": "arn:aws:iam::1234567890:user/ci_server"
 },

walkthrough: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html

+2
JM-Mendez on Oct 19, 2018

Thanks for the policy example! What do you all use for your Principal fields? Can’t create a bucket policy without it and it seems like the two entries should have different values for that field.

+2
mlynch on Oct 19, 2018

I was able to get this working for a private bucket after setting ACL to ‘private’:

 "publish": {    
      "provider": "s3",    
      "bucket": "bucket-name",    
      "region": "us-east-2",    
      "acl": "private"    
    }

This worked for me, thanks!

+1
MajesticMug on Jan 12, 2023

@erikjalevik this is how I did it. Are you sure you’re calling setFeedUrl and not getFeedUrl? The latter is the one that’s deprecated according to the source code

https://github.com/electron-userland/electron-builder/blob/2c674df1333ae0e594ef99c9012d81cc8ddfa30d/packages/electron-updater/src/AppUpdater.ts#L183-L185

https://github.com/electron-userland/electron-builder/blob/2c674df1333ae0e594ef99c9012d81cc8ddfa30d/packages/electron-updater/src/AppUpdater.ts#L191-L205

+1
JM-Mendez on Feb 8, 2019

You’re welcome 😃.

Yeah you’ll get way better download performance since your app will be distributed across the edge network, and will be much closer to your users.

One thing to keep in mind – distributing to cloudfront is not immediate. I’ve seen an average of 20-30 min for full availability. So if you want to test publishing, use minio server like the guide suggests. The cloudfront url is static, so it doesn’t affect publishing.

+1
JM-Mendez on Oct 19, 2018

@mlynch If you want to give users direct access to your bucket, then yeah, you’d need to set up those two levels of access. But I recommend using cloudfront.

The data transfer pricing is cheaper than having users download directly from s3. And when you set up cloudfront, it’ll ask to add a policy to the bucket for you.

Here are some articles that led me to this conclusion:

https://medium.com/devopslinks/this-is-how-i-reduced-my-cloudfront-bills-by-80-a7b0dfb24128

https://www.expatsoftware.com/articles/2009/01/cloudfront-costs-compared-to-s3.html

+1
JM-Mendez on Oct 19, 2018

@romanrev Thanks (official docs: http://docs.aws.amazon.com/AmazonS3/latest/dev/mpuAndPermissions.html)

+1
develar on Jul 12, 2017

In case this helps anyone, I had a similar symptom that was caused by using a non-default AWS profile. The aws tool uses AWS_DEFAULT_PROFILE variable, but the SDK ignores it and uses only AWS_PROFILE. If you use a non-default profile, you need to set the latter one. (See also here.)

+1
dsagal on Jul 12, 2017
Read more comments on GitHub
← electron-builder: Resources from static/media are not resolvable after package
electron-builder: S3 won't upload app files →