bucket_check condition too strict for certain scenarios #8123
Comments
Would you be interested in sending us a PR for this? A new parameter could be added to specify the `validate` flag.

I'm really busy right now, but if no one addresses this I'll eventually get to it.
I ran into the same problem today. Ansible's I think the problem is that the user doesn't have permission to list the objects in that bucket. The message "Target bucket cannot be found" is misleading; the problem is actually that the list operation `aws s3 ls s3://bucket` fails. Come to think of it, I don't see why the s3 module should verify that the bucket exists or that it can be listed. Can it just attempt the GET operation?

I just took a little deeper look into the code after seeing another comment on this issue. It's not just the I'm not sure if I'm actually wondering whether any preliminary checks should be done at all. I think it might be better for the module to do exactly what it's told to do (e.g. get key -> don't validate bucket, don't validate key, just try to get it) instead of trying to add any layers of "protection", which add complication, add extra calls, and don't actually offer any benefit: we'll know we can't get the key if we can't get it anyway. Any thoughts on this, @jimi-c? Removing all the bucket checks is quite a bit of a change from how things are working now, but the current behaviour is broken and it seems unlikely that the broken behaviour would be relied upon by anyone.
We also faced this issue today. S3 access was limited to a specific folder in a bucket. However, ansible threw the error: "msg: Target bucket cannot be found". Version used: 1.7.2. While AWS provides granular access control to S3 objects through IAM policies, we would expect this to work in ansible as well, without any need for explicit list rights on the entire bucket.
Hi! Thanks very much for your interest in Ansible. It sincerely means a lot to us.

On September 26, 2014, due to enormous levels of contribution to the project Ansible decided to reorganize module repos, making it easier We split modules from the main project off into two repos, http://github.com/ansible/ansible-modules-core and http://github.com/ansible/ansible-modules-extras

If you would still like this ticket attended to, we will need your help in having it reopened in one of the two new repos, and instructions are provided below. We apologize that we are not able to make this transition happen seamlessly, though this is a one-time change and your help is greatly appreciated. Both sets of modules will ship with Ansible, though they'll receive slightly different ticket handling.

To locate where a module lives between 'core' and 'extras'

Additionally, should you need more help with this, you can ask questions on:

Thank you very much!
I had the same error while the aws cli tool fails with: and the: "A client error (InvalidRequest) occurred when calling the ListObjects operation: You are attempting to operate on a bucket in a region that requires Signature Version 4. You can fix this issue by explicitly providing the correct region location using the --region argument, the AWS_DEFAULT_REGION environment variable, or the region variable in the AWS CLI configuration file. You can get the bucket's location by running `aws s3api get-bucket-location --bucket BUCKET`." In the end I found that I had 2 errors: Now it seems ok, but still not working.

Is this seeing any progress? I have ended up granting full access to a role and I still get 'Target bucket cannot be found'. Even if this had worked I wouldn't want ansible having these permissions. ansible 1.9.3. aws cli s3 list-objects for the bucket returns a list of objects as expected, for the restricted role. There's no reason for this to fail on check_bucket as far as I can make out.
Can this please be addressed? Opening a bucket to full perms just to get around this bug is crazy. |
While not optimal you can get around this issue without giving full perms. A policy structured like this does nicely for a Read Only bucket. The important part seems to be applying the perms to the bucket itself.
Issue Type:
Bug Report
Ansible Version:
ansible 1.6.6
Environment:
Ubuntu 12.04
Summary:
When an IAM policy allows an action on a particular key, but doesn't allow a bucket lookup, trying to perform the action on the key fails because the bucket_check is performed even though it isn't needed.
Steps To Reproduce:
Set up an IAM policy that allows an action for a specific file, but no actions on the bucket.
Example...
Run an action like...
Expected Results:
The file object should be retrieved.
Actual Results:
(bucket and key have been substituted for the actual bucket and key in the output below)
Suggested change:

`bucket_check` fails on

Instead of using `s3.lookup`, `s3.get_bucket` should be used, which allows the possibility of not validating... Of course, in most scenarios we want `validate=True`, so this needs flexibility.