Unable to Edit Theme in Canvas using S3 storage

[Iván García]

Hello,

I have a Canvas installed and running on Ubuntu 20.04 and configured with S3 storage instead of local. Installed on June 9 with the latest version of that day.

Uploading files to courses, etc. works great, but when I try to create a Template or modify it adding a new image the Preview fails with an error message (500 Internal Server Error in the log) and the production.log shows the following: (debug enabled)

/usr/lib/ruby/vendor_ruby/phusion_passenger/utils.rb:113:in `block in create_thread_and_abort_on_exception''', 'Access Denied', 1, '2021-06-25 21:46:05.801834', '2021-06-25 21:46:05.801834', 'mye...@domain.com', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36', 'post', 'a3e38ea3-5828-4a24-8008-649d25001f7e', 1, '---

type:

response_code: 500

request_id: a3e38ea3-5828-4a24-8008-649d25001f7e

session_id: 29584541e27408ed25891412256a6b15

meta_headers: o=brand_configs;n=create;t=Account;i=2;

format: !ruby/object:Mime::Type

 synonyms:

 - text/x-json

 - application/jsonrequest

 symbol: :json

 string: application/json

 hash: -1173916991200071566

HTTP_ACCEPT: application/json, text/javascript, application/json+canvas-string-ids,

 */*; q=0.01

HTTP_ACCEPT_ENCODING: gzip, deflate, br

HTTP_HOST: mycanvas.domain.com

HTTP_REFERER: https://mycanvas.domain.com/accounts/site_admin/theme_editor

HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,

 like Gecko) Chrome/91.0.4472.114 Safari/537.36

PATH_INFO: "/accounts/2/brand_configs"

QUERY_STRING: "?"

REQUEST_METHOD: POST

REQUEST_URI: https://mycanvas.domain.com/accounts/2/brand_configs

SERVER_NAME: mycanvas.domain.com

SERVER_PORT: ''80''

SERVER_PROTOCOL: HTTP/1.1

REMOTE_ADDR: 181.209.150.181

path_parameters: ''{:controller=>"brand_configs", :action=>"create", :account_id=>"2"}''

query_parameters: "{}"

request_parameters: ''{"brand_config"=>{"variables"=>{"ic-brand-primary"=>"#E66135",

 "ic-link-color"=>"#4A90E2", "ic-brand-button--primary-bgd"=>"#4A90E2", "ic-brand-global-nav-bgd"=>"#4A90E2",

 "ic-brand-global-nav-logo-bgd"=>"#3B73B4", "ic-brand-watermark"=>#<ActionDispatch::Http::UploadedFile:0x00005595c3fb1388

 @tempfile=#<Tempfile:/tmp/RackMultipart20210625-4379-8g1b1.png>, @original_filename="Rayman

 Legends 24_10_2020 10_00_10.png", @content_type="image/png", @headers="Content-Disposition:

 form-data; name=\"brand_config[variables][ic-brand-watermark]\"; filename=\"Rayman

 Legends 24_10_2020 10_00_10.png\"\r\nContent-Type: image/png\r\n">}}, "js_overrides"=>"",

 "css_overrides"=>"", "mobile_js_overrides"=>"", "mobile_css_overrides"=>""}''

exception_message: Access Denied

hostname: ip-10-0-16-232

pid: 4379

', 'Aws::S3::Errors::AccessDenied') RETURNING "id"^[[0m  [production:1 primary]

[29584541e27408ed25891412256a6b15 a3e38ea3-5828-4a24-8008-649d25001f7e]   ^[[1m^[[36mSQL  (5.1ms)^[[0m  ^[[1m^[[35mCOMMIT^[[0m  [production:1 primary]

[29584541e27408ed25891412256a6b15 a3e38ea3-5828-4a24-8008-649d25001f7e] Created ErrorReport ID 10000000000045

[29584541e27408ed25891412256a6b15 a3e38ea3-5828-4a24-8008-649d25001f7e]

[CANVAS_ERRORS] EXCEPTION LOG

Aws::S3::Errors::AccessDenied (Access Denied):

  /var/canvas/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.109.2/lib/seahorse/client/plugins/raise_response_errors.rb:17:in `call'

-----

I have checked the IAM user, permissions to S3, the S3 Bucket policy, the CORS configuration and with every test I made them more permissive, but the error keeps showing.

Any suggestion? Maybe the Theme editor is broken? Although I can edit colors and stuff.

Kind Regards.

[Iván García]

A small bump here.

I still cannot figure out why is not working the Theme Preview, all other file actions with S3 are working fine.

Kind Regards.

[mcannon83]

I recall running into this as well and I think the 2 things that fixed it were: 

1.  Allow the action "s3:PutObjectAcl" on your bucket resource in the IAM user policy that is accessing the s3 bucket

2. Turn off "Block all public access" to the bucket in the s3 bucket's permissions (you might be able to just uncheck the options related to the ACLs here, I haven't tested).

There's a thread on Github that goes into details troubleshooting this issue, but I think the most relevant comment is here: 

https://github.com/instructure/canvas-lms/issues/1908#issuecomment-924449579

[Iván García]

Hello,

Yes, that's the way to fix it, the comment you mention is mine, glad to see that it helps.

Kind Regards.