v2.0.0-rc.3 - s3 uploaded files unreachable with non-full s3 permission #787

Closed
opened 2026-02-04 21:20:55 +03:00 by OVERLORD · 9 comments
Owner

Originally created by @ADeeeee on GitHub (Aug 20, 2025).

Where is the problem occurring?

I encountered the problem while interacting with the server (Backend)

What browsers are you seeing the problem on?

Chrome

Current behavior

Picture uploaded to MinIO (object storage) successfully from the kanban, but showing blank with 404 not found.

`{"code":"E_NOT_FOUND","message":"File attachment not found"}`

```
# The URI in browser
/attachments/1581121808629761038/download/site_logo.png

# The actual file path on MinIO which was uploaded successfully
/private/attachments/1581121807816066061/site_logo.png

# The origin file path in container is EMPTY
/app/private/attachments
```

Desired behavior

The file path should be matched and load it correctly with 200 response

Steps to reproduce

upload files on the kanban and then see blanks.

Other information

It's behind a nginx and traefik and it should be a problem because the web functions seem to be okay.

```
TRUST_PROXY=true
LOG_LEVEL=info
```

```
# No errors
2025-08-20 07:45:52 [I] Initializing custom hook (`current-user`)
2025-08-20 07:45:52 [I] Initializing custom hook (`file-manager`)
2025-08-20 07:45:52 [I] Initializing custom hook (`oidc`)
2025-08-20 07:45:52 [I] Initializing custom hook (`query-methods`)
2025-08-20 07:45:52 [I] Initializing custom hook (`s3`)
2025-08-20 07:45:52 [I] Initializing custom hook (`watcher`)
2025-08-20 07:46:12 [I] Initializing OIDC client
```

@ADeeeee commented on GitHub (Aug 20, 2025):

Pardon me, I just found that it's just a permission issue on the object storage. Are there any documents about what S3 permissions Planka needs?


@meltyshev commented on GitHub (Aug 20, 2025):

Hey! When I was testing, I used this config:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "*"
                ]
            },
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::planka/public/*"
            ]
        }
    ]
}
```

But this is basically about exposing public access to the /public path.

Also, for MinIO (if I remember correctly), you need to uncomment the S3_FORCE_PATH_STYLE=true environment variable - it didn't work for me without it.


@ADeeeee commented on GitHub (Aug 20, 2025):

I've got these permissions and it seems to only work for uploading files.

Got 404 file not found while reading cards and 403 AccessDenied returned by MinIO when deleting the card forever.

It works like a charm with `"s3:*"`.

```
"s3:DeleteObject",
"s3:PutObject",
"s3:GetObject",
"s3:GetBucketLocation",
"s3:ListBucket"
```

@meltyshev commented on GitHub (Aug 20, 2025):

Are you using the latest MinIO version? I can try to test it on my side.


@ADeeeee commented on GitHub (Aug 20, 2025):

Unfortunately an old version: 2024-02-14T21:36:02Z. Uncomfortable to upgrade due to huge production data storing so far.

It should probably be most capable with the latest version or S3.


@meltyshev commented on GitHub (Aug 20, 2025):

I just tested with my `2024-11-07T00-52-20Z` version and it works fine. Here's the configuration I used:

```
S3_ENDPOINT=http://localhost:9000
S3_ACCESS_KEY_ID=[hidden]
S3_SECRET_ACCESS_KEY=[hidden]
S3_BUCKET=planka
S3_FORCE_PATH_STYLE=true
```

@ADeeeee commented on GitHub (Aug 20, 2025):

> I just tested with my `2024-11-07T00-52-20Z` version and it works fine. Here's the configuration I used:
>
> ```
> S3_ENDPOINT=http://localhost:9000
> S3_ACCESS_KEY_ID=[hidden]
> S3_SECRET_ACCESS_KEY=[hidden]
> S3_BUCKET=planka
> S3_FORCE_PATH_STYLE=true
> ```

Yes, it also works with permission `s3:*` on MinIO here. Just wondering if any permissions for the actions of Planka are missing below:

```
"s3:DeleteObject"
"s3:PutObject"
"s3:GetObject"
"s3:GetBucketLocation"
"s3:ListBucket"
```

It looks like it's already enough for file arrangement by adding, deleting, listing.


@meltyshev commented on GitHub (Aug 20, 2025):

To be honest, I'm not very familiar with S3 permissions, so it's hard to say for sure, but you might need to add s3:GetObjectAcl (just a guess). I'll try to add more logging to the S3 manager to show the exact error.


@ADeeeee commented on GitHub (Aug 21, 2025):

> To be honest, I'm not very familiar with S3 permissions, so it's hard to say for sure, but you might need to add `s3:GetObjectAcl` (just a guess). I'll try to add more logging to the S3 manager to show the exact error.

It'd be great because there are too many permissions in S3. I'll keep the full permission currently.

Thanks for your help.
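
Added example, not part of the thread and not Planka's or MinIO's code: a small audit of S3 policy documents that reports wildcard actions, actions outside the five listed in the thread, and anonymous statements that reach beyond read-only access to `public/`. The `SENSITIVE` watch-list, the `public_prefix` default and the constructed `s3:*` policy are assumptions made for the illustration.

```python
import fnmatch

# The five actions listed in the thread; explicit actions outside this set are reported.
EXPECTED = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject",
            "s3:GetBucketLocation", "s3:ListBucket"}
# A few real S3 actions that a wildcard also grants (assumed watch-list, not exhaustive).
SENSITIVE = ["s3:DeleteBucket", "s3:PutBucketPolicy", "s3:DeleteBucketPolicy",
             "s3:PutObjectAcl"]

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _is_anonymous(statement):
    principal = statement.get("Principal")
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return principal is not None and "*" in _as_list(principal)

def audit(policy, public_prefix="arn:aws:s3:::planka/public/"):
    """Return sorted findings for the Allow statements of an S3 policy document."""
    findings = set()
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(st["Action"]), _as_list(st["Resource"])
        for pattern in actions:
            if "*" in pattern:
                findings.add(f"wildcard action {pattern}")
            elif pattern not in EXPECTED:
                findings.add(f"action outside expected set: {pattern}")
            findings.update(f"grants {a}" for a in SENSITIVE
                            if fnmatch.fnmatchcase(a, pattern))
        if _is_anonymous(st):
            if actions != ["s3:GetObject"]:
                findings.add("anonymous principal with more than s3:GetObject")
            if not all(r.startswith(public_prefix) for r in resources):
                findings.add("anonymous principal outside the public prefix")
    return sorted(findings)

# Bucket policy quoted in the thread: anonymous read of planka/public/* only.
THREAD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ["*"]},
    "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::planka/public/*"]}]}
# Constructed user policy equivalent to the "s3:*" grant that made everything work.
FULL_ACCESS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:*"],
    "Resource": ["arn:aws:s3:::planka", "arn:aws:s3:::planka/*"]}]}

if __name__ == "__main__":
    for name, doc in (("thread policy", THREAD_POLICY), ("s3:* policy", FULL_ACCESS)):
        print(name, "->", audit(doc) or "no findings")
```
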

Reference: starred/planka#787