Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unable to download resources with IAM security missing s3:GetAccelerateConfiguration permission #9741

Closed
cyberduck opened this issue Oct 25, 2016 · 6 comments
Labels
bug fixed s3 version:5.1
Milestone

Comments

@cyberduck
Copy link
Collaborator

@cyberduck cyberduck commented Oct 25, 2016

7382b14 created the issue

After upgrading to 5.2.0.21327 build, I was unable to download resources secured by IAM policies (though I was able to list objects as expected).

I reverted to build 5.1.3.20962 and the downloads worked correctly. I also verified the ability to download via command line tools.

We use IAM policies to secure access to resources by prefix within our buckets. For example, we have a policy like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [ "s3:ListBucket"],
            "Effect": "Allow",
            "Resource": ["arn:aws:s3:::obfuscated"],
            "Condition": { "StringLike": { "s3:prefix": ["more/obfuscation/*"]}}
        },
        {
            "Effect": "Allow",
            "Action": ["s3:*"],
            "Resource": ["arn:aws:s3:::obfuscated/more/obfuscation/*"]
        }
    ]
}

What I end up seeing in the logs suggests it might be the acceleration support added in this build:

GET /?accelerate HTTP/1.1
Date: Tue, 25 Oct 2016 19:45:09 GMT
x-amz-request-payer: requester
x-amz-content-sha256: XXX
Host: obfuscated.s3.amazonaws.com
x-amz-date: 20161025T194509Z
Authorization: ******************************************************************************************************************************************************************************************************************************************
Connection: Keep-Alive
User-Agent: Cyberduck/5.2.0.21317 (Mac OS X/10.10.5) (x86_64)
HTTP/1.1 403 Forbidden
x-amz-request-id: XXXX
x-amz-id-2: XXXX
Content-Type: application/xml
Transfer-Encoding: chunked
Date: Tue, 25 Oct 2016 19:45:10 GMT
Server: AmazonS3
@cyberduck
Copy link
Collaborator Author

@cyberduck cyberduck commented Oct 25, 2016

@dkocher commented

In 22dea08. Please update to the latest snapshot build available.

@cyberduck
Copy link
Collaborator Author

@cyberduck cyberduck commented Oct 25, 2016

7382b14 commented

Thank you! Sorry if I missed a bug logging this, I tried searching around, but nothing kicked out. And yes, behavior worked as expected in snapshot build - Version 5.3.0 (21327).

@cyberduck
Copy link
Collaborator Author

@cyberduck cyberduck commented Oct 25, 2016

@dkocher commented

Replying to [comment:2 paul.christmann]:

Thank you! Sorry if I missed a bug logging this, I tried searching around, but nothing kicked out. And yes, behavior worked as expected in snapshot build - Version 5.3.0 (21327).

Thanks for reporting the issue. No duplicate bug was previously raised.

@cyberduck
Copy link
Collaborator Author

@cyberduck cyberduck commented Oct 27, 2016

@dkocher commented

#9743 closed as duplicate.

@cyberduck
Copy link
Collaborator Author

@cyberduck cyberduck commented Oct 27, 2016

@dkocher commented

Please update to the latest snapshot build available.

@cyberduck
Copy link
Collaborator Author

@cyberduck cyberduck commented Nov 1, 2016

@iterate-ch iterate-ch locked as resolved and limited conversation to collaborators Nov 26, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
bug fixed s3 version:5.1
Projects
None yet
Development

No branches or pull requests

1 participant