# S3Storage plugin, authentication with assumeRole not working


gleaming lagoon

As the title says, I can't find a way to make the assumeRole authentication work.
Has anyone figured it out?

analog fossil

This is not enough information to help you out. What are you running into? What have you tried?

gleaming lagoon

We add the plugin with this config:

```
s3Storage({
  collections: {
    media: true,
  },
  bucket: process.env.S3_BUCKET_NAME || '',
  config: { region: process.env.AWS_REGION || '' },
}),
```

It is self-hosted on AWS with EKS; the pod running the app has these env variables regarding AWS:

```
AWS_DEFAULT_REGION : eu-west-3
AWS_REGION : eu-west-3
AWS_ROLE_ARN : arn:aws:iam::***:role/rapg-dev-back-role
AWS_STS_REGIONAL_ENDPOINTS : regional
AWS_WEB_IDENTITY_TOKEN_FILE : /var/run/secrets/eks.amazonaws.com/serviceaccount/token
```

What I tried: to check whether the problem was related to a pod misconfiguration, I deployed a Next app on the same pod, with the same env variables, with this script:

```
import fs from "node:fs"; // required for createReadStream below
import { S3 } from "@aws-sdk/client-s3";
import { fromTokenFile } from "@aws-sdk/credential-providers";

export const listS3Files = async () => {
  // No explicit credentials are passed: the SDK's default provider chain resolves them
  const s3Client = new S3({
    region: process.env.AWS_REGION || ''
  });
  const bucketName = process.env.S3_BUCKET_NAME;

  // Stream a local test file as the object body
  const file = fs.createReadStream(process.cwd() + "/src/app/actions/test.txt");

  await s3Client.putObject({
    Body: file,
    Bucket: bucketName,
    ContentType: "text/plain",
    Key: "test.txt",
  });
}
```


And this works (the Dockerfile that builds the app is the same for Payload and the Next app).
So based on this test I confirmed that the pod was able to authenticate with assumeRole.
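
A pre-flight check of the web-identity inputs listed in the post above (role ARN, region, projected service-account token), as an added example that is not part of the thread or of the plugin's code. The function names, the sample ARN and the sample claims are constructed for illustration, and the token payload is decoded for inspection only, without signature verification.

```javascript
// Added example: checks the inputs the SDK's web-identity provider reads in an EKS pod.
// Decodes a JWT payload WITHOUT verifying the signature: inspection only, never for trust.
function decodeJwtPayload(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("not a three-part JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Returns a list of problems; an empty list means the inputs look usable.
// `audience` defaults to the value EKS uses for IAM roles for service accounts.
function checkWebIdentity(env, tokenText, { now = Date.now(), audience = "sts.amazonaws.com" } = {}) {
  const problems = [];
  if (!/^arn:aws[\w-]*:iam::\d{12}:role\/.+$/.test(env.AWS_ROLE_ARN || "")) {
    problems.push("AWS_ROLE_ARN is missing or is not a role ARN");
  }
  if (!env.AWS_REGION && !env.AWS_DEFAULT_REGION) problems.push("no AWS region is set");
  let claims;
  try {
    claims = decodeJwtPayload(tokenText);
  } catch (err) {
    return [...problems, `token is unreadable: ${err.message}`];
  }
  if (typeof claims.exp !== "number" || claims.exp * 1000 <= now) problems.push("token is expired");
  if (![].concat(claims.aud ?? []).includes(audience)) {
    problems.push(`token audience does not include ${audience}`);
  }
  if (!String(claims.sub ?? "").startsWith("system:serviceaccount:")) {
    problems.push("token subject is not a Kubernetes service account");
  }
  return problems;
}

// Reads the projected token named by the environment and runs the checks (use inside the pod).
async function checkPod(env = process.env) {
  const path = env.AWS_WEB_IDENTITY_TOKEN_FILE;
  if (!path) return ["AWS_WEB_IDENTITY_TOKEN_FILE is not set"];
  const { readFile } = await import("node:fs/promises"); // works as CommonJS or ESM
  const text = await readFile(path, "utf8").catch(() => null);
  return text === null ? ["token file cannot be read"] : checkWebIdentity(env, text);
}

// Constructed sample input (not a real token or account): header, claims, dummy signature.
const SAMPLE_ENV = { AWS_ROLE_ARN: "arn:aws:iam::111122223333:role/example-role", AWS_REGION: "eu-west-3" };
function sampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return [enc({ alg: "RS256" }), enc(claims), "c2ln"].join(".");
}
```

Running `checkPod()` in both containers and comparing the returned lists shows whether the two processes see the same role ARN, region and token.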