PeerTube S3 Migration Error - Access Denied on CreateMultipartUpload

Environment

  • PeerTube server version: 5.2.1

  • S3 Provider: OVH

  • Operation: Moving video files from filesystem to object storage

Issue Description

I’m attempting to migrate video files from local storage to S3 object storage following the official documentation: https://docs.joinpeertube.org/maintain/tools#move-video-files-from-filesystem-to-object-storage

The migration fails with an AccessDenied error during the multipart upload creation phase.

Important Note: Public videos upload successfully to S3. The issue occurs only with private videos.

Error Details

Job Information:

  • Job ID: 28646

  • Type: move-to-object-storage

  • Status: Failed

  • Processed on: 12/10/25, 5:07:07.165 PM

{"videoUUID": "5f7adfb9-1436-4f48-b265-f200c61b0f49", "isNewVideo": false, "previousVideoState": 8}

Error Stack Trace:

AccessDenied: Access Denied.
    at throwDefaultError (/app/node_modules/@aws-sdk/smithy-client/dist-cjs/default-error-handler.js:8:22)
    at /app/node_modules/@aws-sdk/smithy-client/dist-cjs/default-error-handler.js:18:39
    at de_CreateMultipartUploadCommandError (/app/node_modules/@aws-sdk/client-s3/dist-cjs/protocols/Aws_restXml.js:3212:12)
    at runMicrotasks ()
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async /app/node_modules/@aws-sdk/middleware-serde/dist-cjs/deserializerMiddleware.js:7:24
    at async /app/node_modules/@aws-sdk/middleware-signing/dist-cjs/middleware.js:14:20
    at async /app/node_modules/@aws-sdk/middleware-retry/dist-cjs/retryMiddleware.js:27:46
    at async /app/node_modules/@aws-sdk/middleware-logger/dist-cjs/loggerMiddleware.js:7:26
    at async Upload.__createMultipartUpload (/app/node_modules/@aws-sdk/lib-storage/dist-cjs/Upload.js:116:45)
    at async Upload.__doConcurrentUpload (/app/node_modules/@aws-sdk/lib-storage/dist-cjs/Upload.js:132:21)
    at async Promise.all (index 0)
    at async Upload.__doMultipartUpload (/app/node_modules/@aws-sdk/lib-storage/dist-cjs/Upload.js:211:9)
    at async Upload.done (/app/node_modules/@aws-sdk/lib-storage/dist-cjs/Upload.js:39:16)

Scenarios Tested:

Scenario 1: With OVH ACLs enabled

  • Tested with ACL: public-read

  • Tested with ACL: private

  • Result: AccessDenied error on CreateMultipartUpload

Scenario 2: With ACLs disabled

  • Bucket configured without ACL support

  • Result: AccessDenied error on CreateMultipartUpload

Observations

  • ✅ Public videos: Upload successfully to S3

  • ❌ Private videos: Fail with AccessDenied during CreateMultipartUpload

Question

The error occurs specifically during the CreateMultipartUpload operation for private videos only. Both ACL-enabled and ACL-disabled configurations fail with the same error. What are the differences in permissions/ACL handling between public and private videos in PeerTube’s S3 implementation? Is there specific OVH S3 configuration needed for private video uploads?

And what’s the output of get-bucket-acl s3 api command?

FYI we use OVH S3 without problem on a PeerTube instance, so it should work 🤔

You can also try to check s3 access logs

Below is the current ACL configuration of the S3 bucket:
{
  "Owner": {
    "DisplayName": "5693723588257613:75985a5a8c034e4ba2e5e3bee9ef5d44",
    "ID": "5693723588257613:75985a5a8c034e4ba2e5e3bee9ef5d44"
  },
  "Grants": [
    {
      "Grantee": {
        "Type": "Group",
        "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
      },
      "Permission": "READ"
    },
    {
      "Grantee": {
        "DisplayName": "5693723588257613:75985a5a8c034e4ba2e5e3bee9ef5d44",
        "ID": "5693723588257613:75985a5a8c034e4ba2e5e3bee9ef5d44",
        "Type": "CanonicalUser"
      },
      "Permission": "FULL_CONTROL"
    }
  ]
}

Also, could you confirm: on your configuration, do you use ACL?

the policy: {"Statement":[{"Action":["s3:*"],"Effect":"Allow","Resource":["arn:aws:s3:::xxxxxxxxxx","arn:aws:s3:::xxxxxxxxxx/*"]}]}
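
An added example, not part of the thread and not PeerTube or OVH code: an offline check of the two documents posted above, listing ACL grants that reach beyond the owner and evaluating whether the policy statements cover the actions a multipart upload needs. It assumes AWS S3 authorization semantics (OVH may differ), ignores Principal, Condition and NotAction, and uses a placeholder owner ID and a hypothetical object key.

```javascript
// Constructed sample input modelled on the ACL and policy posted in this thread.
const acl = {
  Owner: { ID: "OWNER-ID-PLACEHOLDER" },
  Grants: [
    { Grantee: { Type: "Group", URI: "http://acs.amazonaws.com/groups/global/AllUsers" }, Permission: "READ" },
    { Grantee: { Type: "CanonicalUser", ID: "OWNER-ID-PLACEHOLDER" }, Permission: "FULL_CONTROL" },
  ],
};
const policy = {
  Statement: [{ Action: ["s3:*"], Effect: "Allow",
    Resource: ["arn:aws:s3:::xxxxxxxxxx", "arn:aws:s3:::xxxxxxxxxx/*"] }],
};
const PUBLIC_GROUPS = {
  "http://acs.amazonaws.com/groups/global/AllUsers": "anonymous",
  "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any authenticated account",
};

// Grants in the ACL that reach beyond the bucket owner.
function publicGrants(aclDoc) {
  return (aclDoc.Grants || [])
    .filter((g) => g.Grantee.Type === "Group" && PUBLIC_GROUPS[g.Grantee.URI])
    .map((g) => ({ who: PUBLIC_GROUPS[g.Grantee.URI], permission: g.Permission }));
}

// IAM-style wildcard match: "*" is any run of characters, "?" is one character.
function globMatch(pattern, value, ignoreCase) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp(`^${re}$`, ignoreCase ? "i" : "").test(value);
}
const asList = (v) => (Array.isArray(v) ? v : [v]);

// Explicit Deny wins, then any Allow, otherwise implicit deny.
function evaluate(policyDoc, action, resource) {
  let allowed = false;
  for (const st of asList(policyDoc.Statement)) {
    const hit = asList(st.Action).some((a) => globMatch(a, action, true)) &&
      asList(st.Resource).some((r) => globMatch(r, resource, false));
    if (hit && st.Effect === "Deny") return "explicit-deny";
    if (hit && st.Effect === "Allow") allowed = true;
  }
  return allowed ? "allow" : "implicit-deny";
}

// CreateMultipartUpload is authorised as s3:PutObject; sending an ACL with it also needs s3:PutObjectAcl.
function checkUpload(policyDoc, bucket, key) {
  const arn = `arn:aws:s3:::${bucket}/${key}`;
  return { putObject: evaluate(policyDoc, "s3:PutObject", arn),
    putObjectAcl: evaluate(policyDoc, "s3:PutObjectAcl", arn) };
}
```

Run `publicGrants` on the real `get-bucket-acl` output and `checkUpload` on the policy actually attached to the credentials PeerTube uses; a policy that allows only `s3:PutObject` returns `implicit-deny` for `putObjectAcl`.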