Unable to download resources with IAM security missing s3:GetAccelerateConfiguration permission #9741
Description
7382b14 created the issue
After upgrading to 5.2.0.21327 build, I was unable to download resources secured by IAM policies (though I was able to list objects as expected).
I reverted to build 5.1.3.20962 and the downloads worked correctly. I also verified the ability to download via command line tools.
We use IAM policies to secure access to resources by prefix within our buckets. For example, we have a policy like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [ "s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::obfuscated"],
"Condition": { "StringLike": { "s3:prefix": ["more/obfuscation/*"]}}
},
{
"Effect": "Allow",
"Action": ["s3:*"],
"Resource": ["arn:aws:s3:::obfuscated/more/obfuscation/*"]
}
]
}
What I end up seeing in the logs suggests it might be the acceleration support added in this build:
GET /?accelerate HTTP/1.1
Date: Tue, 25 Oct 2016 19:45:09 GMT
x-amz-request-payer: requester
x-amz-content-sha256: XXX
Host: obfuscated.s3.amazonaws.com
x-amz-date: 20161025T194509Z
Authorization: ******************************************************************************************************************************************************************************************************************************************
Connection: Keep-Alive
User-Agent: Cyberduck/5.2.0.21317 (Mac OS X/10.10.5) (x86_64)
HTTP/1.1 403 Forbidden
x-amz-request-id: XXXX
x-amz-id-2: XXXX
Content-Type: application/xml
Transfer-Encoding: chunked
Date: Tue, 25 Oct 2016 19:45:10 GMT
Server: AmazonS3