Amazon S3 requests fail with org.apache.commons.vfs.FileSystemException

Report · Jun 07, 2013

I'm attempting to use cffile to retrieve an item from AWS S3 using CF's Using Amazon S3 Storage examples. I have tried this on 2 systems:

CF 9,0,1,274733, Windows 2008 R2, IIS 7.5
CF 10,0,10,284825, Windows 2008 R2, IIS 7.5

The file I am trying to retrieve is web-accessible at http://osric-com.s3-website-us-east-1.amazonaws.com/alpha.txt and permissions are set to open for everyone.

Here's the initial code I tried:

<cffile action="read" file="s3://osric-com/alpha.txt" variable="result">
<cfdump var="#result#">

This returned the following error:

An error occurred when performing a file operation create on file s3://osric-com/alpha.txt.
The cause of this exception was: org.apache.commons.vfs.FileSystemException: Unknown message with code "S3 Error Message."..

As a second attempt, I tried adding an Application.cfc to that directory and specifying the access key ID, the secret key, and location/region:

<cfcomponent>
          <cfscript> 
                    this.name ="Object Operations"; 
                    this.s3.accessKeyId = "XXXXXXXXXXXXXXXXXXXXXXXX"; 
                    this.s3.awsSecretKey = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"; 
                    this.s3.defaultLocation="US"; 
          </cfscript> 
</cfcomponent>

Same error message. I'm not sure what I'm doing wrong.

Report · Jun 07, 2013

1. Try removing the defaultLocation param

2. In my last project awsSecretKey ended up in forward slash – ‘/’.

HTH.

Report · Jun 07, 2013

I removed the defaultLocation param. No change.
I verified my awsSecretKey -- no slash. Is there an issue if a slash is present, or is the trailing slash just something users may be likely to leave out if they aren't careful?

I successfully used Amazon's REST API, which worked fine without any credentials:

Seems odd that the latter would work but not the former.

Report · Jun 07, 2013

In the stack trace, this message appears:

Caused by: org.jets3t.service.S3ServiceException: S3 Error Message. GET '/' on Host 's3.amazonaws.com' @ 'Fri, 07 Jun 2013 17:10:46 GMT' -- ResponseCode: 403, ResponseStatus: Forbidden, XML Error Message: <?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>XXXXXXXXXXXXXXXXX</RequestId><HostId>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</HostId></Error>

I'm not sure why it is requesting '/' on s3.amazonaws.com, unless that is a preliminary step to requesting the specified file from the specified bucket.

Report · Jun 13, 2014

I expect the IAM user you are using doesn't have the correct set of S3 permissions.

Report · Jun 13, 2014

In our case we've ruled that out as being the issue.

As I mentioned, the IAM user can read/write from the S3 bucket without issue when the credentials are manually appended to the bucket name. It appears that, for whatever reason, CF is not properly including the S3 credentials that we are defining in the application when file/directory actions are called.

Report · Jun 13, 2014

Did you try restarting CF between tests ? I've seen it cache the security associated with an IAM user, even after it's changed in teh AWS console.

Report · Jun 13, 2014

Yes, unfortunately.

We tried restarting CF/IIS, flushing caches, renaming the application, writing to a different bucket, and creating a new bucket with completely open read/write permissions.

Report · Jun 13, 2014

Wow ! That does sound like everything !

Report · Jun 12, 2014

Sorry; can't help you. Just wanted to say we're experiencing what appears to be the same issue.

Here's the setup: CF 10,0,12,286680, Windows 2008 R2, IIS 7.5

In our case, the issue is complicated by the fact that we have another application on the same server that is reading/writing from Amazon without issue. Their setups are virtually identical; basically only the names are different.

In the problematic application, no matter what changes we make, we get the error: "The AWS Access Key Id you provided does not exist in our records."

The key is definitely correct; it works when entered into the other application and when manually appended before the bucket name (i.e. s3://myID:myKey@myBucket/).

It looks like that's going to be our solution; updating the app to include the s3 credentials in the cffile read/write actions.

For the record, we tried restarting CF/IIS, renaming the application, writing to a different bucket, and creating a new bucket with completely open read/write permissions.

Report · Oct 09, 2015

I had the same problem and I think it has to do with the app name (THIS.name) but I'm not sure why. I tried a bunch of different names, some threw the error, some did not. THIS.name = 'test' produced the error but THIS.name = 'fred' didn't. Hopefully someone can take a peak under CF's hood and figure out what's going on.

Amazon S3 requests fail with org.apache.commons.vfs.FileSystemException

An error occurred when performing a file operation create on file s3://osric-com/alpha.txt.

Photos