S3 Uploader component cannot upload S3 files if the bucket does not allow ACLs

S3 now recommends disabling ACLs and instead creating bucket policies. However, this does not grok with Retool's S3 Uploader component, which insists on specifying an ACL upon upload. Even setting the ACL policy to the empty string fails.

Workaround is to either:

  • Not use the S3 Uploader component
  • Or allow ACLs in the bucket

Hey @elijahcarrel!

What's the specific error you're running into when trying to upload with the S3 component?

Doing a bit of testing I'm able to upload to a bucket that has ACLs disabled through the bucket owner enforced setting. Curious to know more about your S3 setup and whether or not you're able to upload via an S3 query as well.

Hey @Kabirdas, thank you so much for such a quick reply! That's great to hear— I'm curious what I'm doing wrong! Here's what I tried:

(1) Under the advanced settings in the S3 upload component, I specified public-read as the acl as indicated in these settings:

When I tested it, this produced an error in Retool "Error uploading file. Check console logs for more details.". Oddly I could not see anything in the Retool console. But when I inspected the Chrome network request and copied it over to Postman (because Chrome even more oddly evicted the error message in the response from the Chrome cache) I could finally see the error message. It was:

<?xml version="1.0" encoding="UTF-8"?>
    <Message>The bucket does not allow ACLs</Message>

And this makes sense. Looking at the headers in the cURL request, I see Retool was indeed passing x-amz-acl=public-read in the headers like I specified.

(2) It seemed like the next most straightforward thing to do was to remove this header. So, under the advanced settings in the S3 upload component, I specified `` (empty string) as the ACL, per these settings:

However, upon testing it, this too produced an "Error uploading file. Check console logs for more details." error. Inspecting the network requests in Chrome once again revealed that Retool never even made it to the point where it would upload to S3. Instead, it just sent a POST request to the Retool API at https://<my-retool-domain>.retool.com/api/sign_s3_upload with a payload that included, among other things, an acl value which was set to `` (empty string), and this POST request failed with a 400 code and the response {"error":true,"message":"no ACL given"}.

Here I'm at a loss. I'm not sure what else to try besides re-enabling ACLs on my S3 bucket (which I tried and it does work!). Thanks for any help you can provide!

Ahh I see, the ACL defaults to private which seems to work but it looks like bucket-owner-full-control is a better option here and aligns with these docs. Let me know if that works for you as well!

I'll put in a request with the dev team to have the need for specifying an ACL removed and report back here if it is!
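The two failures reported in this thread, turned into a small triage helper (an added example, not code from any poster or from Retool). The sample bodies are constructed from the messages quoted above; `AccessControlListNotSupported` is the error code S3 returns with that message, and the `HINTS` keys are hypothetical labels.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample bodies modelled on the two failures quoted in the thread.
S3_BODY = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<Error><Code>AccessControlListNotSupported</Code>'
           '<Message>The bucket does not allow ACLs</Message></Error>')
SIGNER_BODY = '{"error":true,"message":"no ACL given"}'

# Hypothetical labels and hints, drawn from what the thread reports.
HINTS = {
    "s3-acl-disabled": "bucket rejects x-amz-acl; send bucket-owner-full-control "
                       "and grant any wider access with a bucket policy",
    "signer-needs-acl": "signing endpoint refuses an empty acl; "
                        "send bucket-owner-full-control",
    "other": "not an ACL failure; read the full error body",
}


def parse_error(body):
    """Return (code, message) from an S3 XML error or a JSON signer error."""
    text = body.strip()
    if text.startswith("{"):
        return None, json.loads(text).get("message")
    try:
        root = ET.fromstring(text.encode("utf-8"))
    except ET.ParseError:
        return None, text  # not XML: keep the raw body as the message
    if root.tag == "Message":  # truncated body, as pasted in the thread
        return None, root.text
    return root.findtext("Code"), root.findtext("Message")


def diagnose(status, body):
    """Classify a failed upload response into one of the HINTS keys."""
    code, message = parse_error(body)
    if status != 400:
        return "other"
    if code == "AccessControlListNotSupported" or message == "The bucket does not allow ACLs":
        return "s3-acl-disabled"
    if message == "no ACL given":
        return "signer-needs-acl"
    return "other"


if __name__ == "__main__":
    for status, body in ((400, S3_BODY), (400, SIGNER_BODY)):
        kind = diagnose(status, body)
        print(kind, "->", HINTS[kind])
```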

That worked— thanks so much!

As of 2.122.0 ACLs should no longer be required! :tada:

Thank you so much for so promptly fixing the source of my confusion (even if there was a workaround) and for looping back to let me know! Appreciate the good work y'all do!