Page MenuHomePhabricator

Upgrading: Amazon S3 Configuration Changes
Closed, ResolvedPublic

Description

AWS introduced a new signing process ("v4") for requests some time ago, and no longer accepts older signatures ("v2") in some datacenters. We have updated Phabricator to use the newer v4 signature method. Installs that use S3 are impacted by this change, and will need to update two configuration settings. Once the configuration is updated, service will resume normally.

Installs that use blob storage (the default), local disk, or another storage engine are not impacted and can ignore this change.

The new AWS signature method requires an explicit region specification, so the new amazon-s3.region setting is now mandatory. Additionally, the amazon-s3.endpoint setting has become mandatory. Although we could sometimes guess the correct endpoint, endpoint names are irregular in the general case and AWS may introduce new, irregularly named endpoints in the future, so trying to guess our way through this seemed dicey.

After upgrading, you will receive a setup warning about a partially configured S3 integration if you have some keys set but are missing some required keys. To resolve this, configure amazon-s3.region and amazon-s3.endpoint. Once they are configured, everything should work correctly again.

You can find a list of regions and endpoints here, in the AWS documentation:

http://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region

Likely, the actual change will look something like this:

phabricator/ $ ./bin/config set amazon-s3.region us-west-1
phabricator/ $ ./bin/config set amazon-s3.endpoint s3-us-west-1.amazonaws.com

The correct values may vary for your setup (consult the AWS documentation table), and you may already have amazon-s3.endpoint configured correctly.

You can find some additional discussion in T5155 and T7163.