S3 unable to connect to whitelisted path #11340

Closed
cyberduck opened this issue Dec 4, 2020 · 4 comments

@cyberduck cyberduck commented Dec 4, 2020

a11fab0 created the issue

When connecting to a bucket with security policies whitelisting specific paths:

  • Older versions (tested on 6.7.0) allow connections to an S3 bucket, landing on a specific whitelisted Path.
  • Newer versions (tested on 7.7.2) fail with error "Listing directory / failed" when using Server=s3.amazonaws.com and Path=//
  • Newer versions (tested on 7.7.2) fail with error "Listing directory failed" when using Server=.amazonaws.com and Path=

Looks like this issue has been coming and going intermittently since at least 2015 and it suggests attempts at either listing all buckets or listing the root prefix of the bucket, which is not accepted in most security policies.


@cyberduck cyberduck commented Dec 4, 2020

@dkocher commented

Please attach the HTTP transcript and a sample IAM policy to reproduce the problem.


@cyberduck cyberduck commented Dec 7, 2020

a11fab0 commented

Here's a sample policy, working on v6 and failing on v7



{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "StringLike": {
                    "s3:prefix": "some_folder/some_user/*"
                }
            },
            "Action": "s3:List*",
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/some_folder/some_user/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:Abort*",
                "s3:PutObject*",
                "s3:GetBucket*",
                "s3:GetObject*",
                "s3:DeleteObject*"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/some_folder/some_user/*"
            ],
            "Effect": "Allow"
        }
    ]
}
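
As an added illustration (not part of the thread, and not Cyberduck or AWS code), this simplified evaluator runs the policy above against constructed list requests to show which of them it permits. It models only `Allow` statements and `StringLike`; the request names and context values are assumptions, and an empty prefix is modelled as `""`.

```python
import re

# The policy posted above, condensed (same statements, same placeholder names).
PREFIX = "some_folder/some_user/*"
RESOURCES = ["arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/" + PREFIX]
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:List*", "Resource": RESOURCES,
     "Condition": {"StringLike": {"s3:prefix": PREFIX}}},
    {"Effect": "Allow", "Resource": RESOURCES,
     "Action": ["s3:Abort*", "s3:PutObject*", "s3:GetBucket*",
                "s3:GetObject*", "s3:DeleteObject*"]},
]}

def like(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.S) is not None

def as_list(v):
    return v if isinstance(v, list) else [v]

def allowed(action, resource, context):
    """Simplified identity-policy check: Allow statements and StringLike only."""
    for st in POLICY["Statement"]:
        cond = st.get("Condition", {}).get("StringLike", {})
        if (st["Effect"] == "Allow"
                and any(like(a, action) for a in as_list(st["Action"]))
                and any(like(r, resource) for r in as_list(st["Resource"]))
                # A key missing from the request context fails a plain StringLike.
                and all(k in context and any(like(p, context[k]) for p in as_list(v))
                        for k, v in cond.items())):
            return True
    return False  # no statement matched: implicit deny

# Constructed requests: listings a client might issue when opening a bookmark.
REQUESTS = {
    "list all buckets": ("s3:ListAllMyBuckets", "*", {}),
    "list bucket root": ("s3:ListBucket", RESOURCES[0], {"s3:prefix": ""}),
    "list without trailing slash": ("s3:ListBucket", RESOURCES[0], {"s3:prefix": "some_folder/some_user"}),
    "list whitelisted path": ("s3:ListBucket", RESOURCES[0], {"s3:prefix": "some_folder/some_user/"}),
}

def evaluate():
    return {name: allowed(*req) for name, req in REQUESTS.items()}

if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{'ALLOW' if ok else 'DENY ':5}  {name}")
```

Only the listing whose prefix starts with `some_folder/some_user/` is allowed, so a client has to send that exact prefix on its first request rather than probing the bucket root.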


@cyberduck cyberduck commented Jan 22, 2021

@dkocher commented

Relates to #11549.


@cyberduck cyberduck commented Jan 22, 2021

@dkocher commented

Can you please check whether you still see this issue with the current snapshot build by updating from within Cyberduck in "Preferences → Update → Automatically check for updates in → Snapshot Builds".


@cyberduck cyberduck closed this Jan 23, 2021
@iterate-ch iterate-ch locked as resolved and limited conversation to collaborators Nov 27, 2021