-
Notifications
You must be signed in to change notification settings - Fork 99
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Overwriting a secret resets permissions? #49
Comments
Hi @dancmeyers Do you have versioning enabled on the bucket? |
@dancmeyers Ah, that's an interesting bug. I believe GCS is designed to completely overwrite existing objects rather than updating the data. I ran into this with #40 (had to set metadata again even though I only wanted to modify the object data). I'll add a fix for this in #48 or a follow-up PR. |
Hi @sethvargo, Initially I didn't, but I wondered if that was part of the problem so I turned it on and tried again. The behaviour was the same. |
@maroux FWIW, I had to make some changes to your implementation. IAM is eventually consistent, so I needed to add some retry logic or else risk getting a 412 half the time. |
This may be related to #40, I'm not sure. Regardless, I'm experiencing the following:
berglas grant
berglas create
to overwrite the existing key/cert with the new ones)When an object already exists and I have the permissions to overwrite it with a new version I would expect the IAM permissions created as a result of the prior
berglas grant
call to be retained.If this is an explicit expectation of
create
for security purposes or similar I would expect theedit
functionality described in #40 to retain grants (I didn't manage to spot anything in the modifications of that PR that does this).Or have I somehow managed to create a completely barmy GCS bucket that is behaving in an unexpected way? I tested using
gsutil cp
and verified that that is also not retaining the object permissions or metadata when a version of the object already exists, which surprised me.The text was updated successfully, but these errors were encountered: