I have configured a variety of AWS IAM S3 credentials that provide restricted access to particular folders on S3. These credentials and permissions have worked well in CyberDuck for six months, but in the latest version of CyberDuck (v.7.8.1), the credentials, whose permissions are unchanged, no longer work. The credentials continue to work in an alternative S3 file management tool (S3 Browser). I have rolled back to v.7.7.2, and the credentials work fine there.
Specifically, the credentials are able to list my buckets ("s3:ListAllMyBuckets", "s3:GetBucketLocation"), but they are unable to list the "/" root folder content in version v.7.8.1. It works perfectly in v.7.7.2. Oddly, even with v.7.8.1, the credentials are still able to read contents of subfolders, provided that I provide their path in the Bookmark configuration.
So, for example, the credentials are configured to allow read-write access in /mybucket2/folderA.
The credentials are able to read the bucket list:
But when I try to open /mybucket2, I get a "Listing directory mybucket2 failed" error.
However, if I configure the bookmark path to /mybucket2/folderA, I am able to open and see the contents of that folder. If I try to navigate to the parent folder, I get an error again.
I have toggled the Log Drawer and compared the behavior for v.7.7.2 vs. v.7.8.1 by going through the same sequence of steps for each. The error in version 7.8.1 occurs with the following HTTP request below.
v.7.7.2: GET /?encoding-type=url&max-keys=1000&prefix&delimiter=%2F HTTP/1.1
v.7.8.1: GET /?encoding-type=url&max-keys=1000&delimiter=%2F HTTP/1.1
The v.7.8.1 HTTP request is missing the "prefix" query string parameter which, even though it is empty for v.7.7.2, appears to be necessary for S3 to be happy.
I am attaching the Log Drawer output
Below is the IAM JSON policy for account I am testing. (I have changed the bucket and folder names.) The IAM policy gives read/write access to three folders at the top level of a one specific bucket.