Known issue with Laravel, Flysystem and AWS SDK for fileExists fucntionality

[deleugpn]

• Laravel Version: v9.47.0
• PHP Version: 8.1.9

I want to report an issue I faced that unfortunately does not have any easy fix, but could help others in the future to avoid spend hours debugging.

---

Description:

The error looks like this:

League\Flysystem\UnableToCheckFileExistence Unable to check existence for ...

Steps To Reproduce:

This "bug" heavily affects exists() and append() Storage methods.

    public function testFlysystemAndAwsSDKException(): void
    {
        /** @var FilesystemManager $filesystem */
        $filesystem = $this->app->make(FilesystemManager::class);

//        $filesystem->disk('marco')->exists('this-file-exist');

        $filesystem->disk('marco')->exists('this-file-does-not-exist');
    }

This is Laravel configuration:

        'marco' => [
            'driver' => 's3',
            'region' => 'eu-west-1',
            'bucket' => 'my-test-bucket-name',

            // With List Permission
//            'key' => '---',
//            'secret' => '---',

            // With only GetObject
            'key' => '---',
            'secret' => '---',

            // Without any permission
//            'key' => '---',
//            'secret' => '---',
        ],

The Behavior of the bug:

Flysystem released last week changed the implementation of fileExists:
thephpleague/flysystem-aws-s3-v3@ea10034.

This was mostly motivated by the fact the previous behavior was broken on AWS SDK:
aws/aws-sdk-php#2445
aws/aws-sdk-php#2342

The new version has the following behavior:

User without any permission:

AWS SDK throws 403 Forbidden which gets wrapped by Flysystem on https://github.com/thephpleague/flysystem-aws-s3-v3/blob/3.x/AwsS3V3Adapter.php#L120.
This is good and expected.

User with permission to s3:getObject and s3:ListBucket:

If the file exists, AWS SDK returns true, Flysystem returns true, Laravel returns true. Good and expected.
If the file DOES NOT exists. AWS SDK returns false, Flysystem returns false, Laravel returns false. Good and expected. Source.

User with permission to s3:getObject only:

If the file exists, AWS SDK returns true, Flysystem returns true, Laravel returns true. Good and expected.
If however the file does not exist, AWS SDK throws a 403 Forbidden, Flysystem wraps that under UnableToCheckFileExistence and the exception reaches Laravel users. Unexpected.

If Laravel user uses Storage::append(), Laravel will use `fileExists() under the hood which will lead to:

• It will work fine if file exists
• it will throw exception if file does not exist instead of just creating the file.

We are unfortunately left in a sad state because the culprit is the AWS underlying API. It throws an ambiguous 403 Forbidden when user has s3:getObject but does not have s3:ListBucket. In this case, the 403 is always because the file does not exist, but we have no way to determine whether this 403 is caused by file not exist or if the user has no permission at all.

cc @frankdejonge

[driesvints]

Hi @deleugpn. Thank you for reporting this. Unfortunately it looks like there's nothing we can do atm.

[igorpereira-exata]

I've had a similar problem and it turns out the clocks between my S3 and the server were off by 20 minutes. I was getting a 403, but in fact the problem was: RequestTimeTooSkewed (client): The difference between the request time and the server's time is too large.

[neelsavaliya33]

You need to verify all permissions for particular bucket or else try to give a permission for get put for that bucket.
This solution works for me.

[and2063pro]

Same issue
PHP:8.1.5
Larave:9.52.16
aws/aws-sdk-php:3.306.6

I have downgrade "aws/aws-sdk-php" vrersion to 3.297.3

or Update php version to 8.2 and Laravel version to 10.x