
Missing prompt for MFA serial number in delete request using MFA code #16267

Closed
DanSega1 opened this issue Aug 28, 2024 · 10 comments · Fixed by #16275

DanSega1 commented Aug 28, 2024

I tried to delete a file or directory in an MFA-enabled S3 bucket and I got an error after entering my MFA code.
My IAM user has a policy attached that includes s3:Delete & s3:DeleteObjectVersion with aws:MultiFactorAuthPresent.

To Reproduce
Steps to reproduce the behavior:

  1. Find the file I want to delete
  2. Right-click with the mouse and choose Delete from the menu
  3. MFA pop-up to fill in the MFA code
  4. Error pop-up

Expected behavior
Using MFA to delete the file/directory from Cyberduck.

Screenshots
Image from Mail Attachment

Desktop (please complete the following information):

  • OS: MacOS Sonoma
  • Cyberduck Version 9.0.1

Log Files

2024-08-28 13:48:08,982 [Thread-302] DEBUG org.jets3t.service.impl.rest.httpclient.RestStorageService - Rethrowing as a ServiceException error in performRequest: org.jets3t.service.ServiceException: Service Error Message. -- ResponseCode: 400, ResponseStatus: null, XML Error Message: InvalidArgumentMfa header is invalid -- the header should be formatted as {serialNumber}(space){tokenCode}x-amz-mfa970589APA0HGV56CGKYM3SNXyPQotnvCIpixZZ6H5JeYldjzjaQOnm9gtyHZe5kf+wSb+MpS7dH3SSkQmFlWkZxVOBdhDXWQA=

Additional context
Is this an API issue, or is a permission missing in AWS? How do I solve it?

@dkocher dkocher added the s3 AWS S3 Protocol Implementation label Aug 28, 2024
dkocher commented Aug 30, 2024

The error message "the header should be formatted as {serialNumber}(space){tokenCode}" indicates we are missing the serial number of the MFA device, which is not queried in the prompt. This seems to be a regression from f9d2a41 and subsequently df87c45.
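The format S3 quotes in the error above is easy to validate before the request leaves the client. The following is an added example, not Cyberduck's code and not code from this thread; it assumes a virtual MFA device serial of the form `arn:aws:iam::<account>:mfa/<name>` (or a whitespace-free hardware serial) and a six-digit token code, and it specifically recognises the symptom from this issue, a value that is only the token code with no serial number in front of it.

```python
import re

# Format quoted by S3 in the error message: "{serialNumber}(space){tokenCode}".
# Assumption: the serial is either a virtual-device ARN (arn:aws:iam::<12 digits>:mfa/<name>)
# or a hardware-device serial with no whitespace; the token is a six-digit code.
VIRTUAL_MFA_ARN = re.compile(r"arn:aws:iam::\d{12}:mfa/[\w+=,.@/-]+")
HARDWARE_SERIAL = re.compile(r"[A-Za-z0-9-]+")
TOKEN_CODE = re.compile(r"\d{6}")


def check_mfa_header(value: str) -> list[str]:
    """Return the problems with an x-amz-mfa header value (empty list if well-formed)."""
    problems = []
    parts = value.split(" ")
    if len(parts) != 2:
        if TOKEN_CODE.fullmatch(value):
            # The symptom from this issue: only the token code was sent, no serial number.
            problems.append("serial number missing: value is a bare token code")
        else:
            problems.append("expected exactly one space between serial number and token code")
        return problems
    serial, token = parts
    if not (VIRTUAL_MFA_ARN.fullmatch(serial) or HARDWARE_SERIAL.fullmatch(serial)):
        problems.append(f"serial number {serial!r} is neither an MFA ARN nor a device serial")
    if not TOKEN_CODE.fullmatch(token):
        problems.append(f"token code {token!r} is not six digits")
    return problems


def build_mfa_header(serial_number: str, token_code: str) -> str:
    """Build the x-amz-mfa value and refuse to produce one that S3 would reject."""
    value = f"{serial_number.strip()} {token_code.strip()}"
    problems = check_mfa_header(value)
    if problems:
        raise ValueError("; ".join(problems))
    return value


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(build_mfa_header("arn:aws:iam::123456789012:mfa/example-user", "123456"))
    print(check_mfa_header("123456"))
```

Running the check on the header value from a failing request (taken from an HTTP log) tells you immediately whether the client or the user's input is at fault: a bare code points at the client prompt, a wrong-length code at the user.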

@dkocher dkocher self-assigned this Aug 30, 2024
@dkocher dkocher added this to the 9.1 milestone Aug 30, 2024
@dkocher dkocher changed the title Issue to delete in s3 bucket with MFA delete enabled Missing prompt for MFA serial number in delete request using MFA code Aug 30, 2024
@dkocher dkocher linked a pull request Aug 30, 2024 that will close this issue
@dkocher dkocher closed this as completed in a70c497 Sep 2, 2024
DanSega1 commented Sep 3, 2024

I'm sorry, I'm not sure that I understood you.
Is this an issue in the program that will be fixed? Or is there an issue with the permissions/requirements that I can change to solve it?

dkocher commented Sep 3, 2024

I'm sorry, I'm not sure that I understood you. Is this an issue in the program that will be fixed? Or is there an issue with the permissions/requirements that I can change to solve it?

The issue should be fixed in the current snapshot build.

Can you please check whether you still see this issue with the current snapshot build, by updating from within Cyberduck in Preferences → Update → Automatically check for updates in → Snapshot Builds.

DanSega1 commented Sep 3, 2024

I updated it to the latest snapshot build and still get the same error.

dkocher commented Sep 3, 2024

I updated it to the latest snapshot build and still get the same error.

Please make sure to update to build 9.1.0.42045.

DanSega1 commented Sep 3, 2024

Oh, I had another update; now I have the option to add the MFA ARN and then the code.
My error now is:

This operation may only be performed by the bucket owner. Please contact your web hosting service provider for assistance.

I tried to delete a directory in an MFA-enabled bucket, using a regular user (not root) with a policy attached that includes s3:Delete & s3:DeleteObjectVersion with aws:MultiFactorAuthPresent.
Are there other permissions I need to add to the policy? As I said, I can delete it from the S3 console.

dkocher commented Sep 3, 2024

The error message might indicate we attempt to change the MFA configuration on the bucket. Can you provide the HTTP log for the error, following the instructions from [1]?

Footnotes

  1. https://docs.cyberduck.io/cyberduck/support/#logging-output

DanSega1 commented Sep 3, 2024

I deleted sensitive info from the log.
It looks like this is the main line:
Caused by: org.apache.http.client.HttpResponseException: status code: 403, reason phrase: This operation may only be performed by the bucket owner.
It's weird that the same user has different permissions between CLI/Cyberduck and the console.
cyberduck-logfile.txt

dkocher commented Sep 3, 2024

I deleted sensitive info from the log. It looks like this is the main line: Caused by: org.apache.http.client.HttpResponseException: status code: 403, reason phrase: This operation may only be performed by the bucket owner. It's weird that the same user has different permissions between CLI/Cyberduck and the console. cyberduck-logfile.txt

You are attempting to delete a bucket, which possibly implies removing the MFA delete option, which is only allowed for root users [1].

Footnotes

  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/root-user-tasks.html

DanSega1 commented Sep 4, 2024

I tried to use the AWS CLI to test it; using this command I don't need MFA at all:

aws s3 rm s3://bucketname/directory/ --recursive --profile test

The directory is deleted, no need to use MFA.

When I tried to use s3api I get the same error.

aws s3api list-object-versions --bucket bucketname.da --prefix directoryname --query 'Versions[].[Key,VersionId]' --output text --profile test | while read -r key version; do
    # Delete each listed version by its own key; --mfa takes the device serial number
    # and the token code separated by a space, not joined with '+'.
    aws s3api delete-object --bucket bucketname --key "$key" --version-id "$version" --mfa "mfaserial code" --profile test
done

An error occurred (AccessDenied) when calling the DeleteObject operation: This operation may only be performed by the bucket owner

An error occurred (TokenCodeInvalidError) when calling the DeleteObject operation: The serial number mfaserial and/or token code codenumber you provided is not valid.

I'm not sure why, but with s3api I can't run commands that I can with the CLI using the same user.

dkocher added a commit that referenced this issue Sep 4, 2024
Support delete using MFA in default implementation.