How to Make Zenko CloudServer Buckets Public (The Host CLI Method)

If you are self-hosting Zenko CloudServer (S3-compatible storage) using Docker, you will likely encounter an AccessDenied XML error when trying to view your files invia a browser. This is because S3 buckets are private by default.

While ~~you~~it ~~can~~is ~~try~~possible to configure this inside the container, I have learnt that the most efficient method is to run the AWS CLI directly from ~~your~~the VPS host, pointing it at the ~~container's~~specific ~~exposed~~port ~~port.~~mapped to the container.

The Problem

You upload a file (e.g., via S3Drive or a script), but when you visit the public URL, you ~~see~~receive this error:

<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
...
</Error>

The Solution: Host-Based AWS CLI

Instead of installing temporary tools inside the Docker ~~container (which is temporary and messy),~~container, we will use the AWS CLI installed on the host server to(the ~~push~~VPS aitself). ~~"Public~~We ~~Read"~~will ~~policy~~bypass the Nginx reverse proxy and speak directly to the ~~specific~~container's ~~bucket.~~"Host Port" to apply the permissions.

Prerequisites

Root access to ~~your~~the ~~VPS.~~VPS (obulou.org).
Zenko CloudServer running in Docker.
aws-cli installed on the host system (apt install awscli or apk add aws-cli).

Step 1: FindConfirm Yourthe Container'sHost Port

~~First, identify which port your Zenko container~~It is ~~currently~~crucial ~~listening~~to ~~on.~~distinguish Itbetween ~~might~~the beInternal ~~a static port~~Port (~~like~~ 8000) orand athe ~~random~~Host ~~dynamic port if you didn't pin it.~~Port.

Run this ~~command:~~command to check your mapping:

docker ps | grep zenko

~~Look for~~Understanding the ~~port~~Output: ~~mapping:~~You will likely see: 0.0.0.0:59573->8000/tcp.

~~this~~

8000 ~~example,~~(Internal): This is hardcoded inside the ~~host~~Zenko ~~port~~software. The container always thinks it is listening on 8000.

59573. We(Host): ~~will~~This ~~use~~is ~~this~~the toport ~~talk~~we manually pinned in our Docker Compose setup. It is the "doorway" on the VPS that leads to the container.

Key Takeaway: When running administration commands from the VPS terminal, we always use the Host Port (59573), not the internal one.

Step 2: Disable "Block Public Access"

~~Before~~Zenko ~~applying~~often ablocks ~~policy,~~public wepolicies by default. We must ~~ensure~~disable ~~Zenko~~this ~~isn't~~safety ~~globally~~lock ~~blocking~~first.

~~public ACLs.~~

Replace YOUR-BUCKET-NAME ~~and the port~~ 59573 with your actual ~~values.~~bucket (e.g., one-bucket-wiki-obulou-org).

aws s3api put-public-access-block \
    --bucket YOUR-BUCKET-NAME \
    --public-access-block-configuration "BlockPublicAcls=false,IgnorePublicAcls=false,BlockPublicPolicy=false,RestrictPublicBuckets=false" \
    --endpoint-url http://localhost:59573

Step 3: Create the Public Policy

Create a ~~temporary~~ file named public.json on your server. This policy ~~allows~~grants s3:GetObject (~~download/read)~~read-only ~~for~~access) to anyone (*).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME/*"
    }
  ]
}

Note: Ensure the Resource ~~matches~~string ~~your bucket name exactly, ending~~ends with /*. to cover all files in the bucket.

Step 4: Apply the Policy

Push the policy file to ~~your~~the Zenko ~~instance.~~instance using the host port.

aws s3api put-bucket-policy \
    --bucket YOUR-BUCKET-NAME \
    --policy file://public.json \
    --endpoint-url http://localhost:59573

Verification

Your files should now be public!

~~Test~~

Because itwe ~~by accessing a file URL in your browser. If you use~~have a reverse proxy (~~like~~Nginx) ~~Nginx),~~listening ~~the~~on ~~URL~~standard ~~will~~web ~~look~~ports, ~~like:~~users can simply visit: http://s3.yourdomain.com/obulou.org/YOUR-BUCKET-NAME/image.png

ImportantClarification: Note:Why ThePort "Random Port" Trap59573?

IfIn ~~you~~our ~~saw~~specific Docker setup, we avoided port conflicts by mapping a ~~random~~unique ~~high number~~external port ~~(like~~ 59573~~) in Step 1, be aware that this might change if you restart~~to the ~~container.~~standard internal S3 port.

~~prevent~~

Traffic ~~your~~Flow: ~~configuration scripts~~User (orInternet) ~~reverse~~→ ~~proxy)~~Nginx ~~from~~(Port ~~breaking~~80/443) → Host Port (59573) → Container Port (8000).

Administration Flow: You (VPS Terminal) → Host Port (59573) → Container Port (8000).

We use localhost:59573 in the ~~future,~~CLI itcommands isbecause ~~highly~~we ~~recommended~~are bypassing the Nginx layer and talking directly to ~~"pin"~~the Docker container's exposed interface on the ~~port in your~~ docker-compose.yml or docker run ~~command:~~server.

ports:
  - "8000:8000"

~~This ensures the service always listens on port 8000, making maintenance much easier.~~