
deploy: Switch how bucket existence is confirmed to avoid broad permissions

Using bucket.load() requires IAM permissions to list all buckets
associated with the AWS account, which is broader than we'd like.
head_bucket() only requires permission to perform the ListBucket action
on the given bucket.
tsibley committed Sep 10, 2019
1 parent 89034fb commit 409942274bdddbb309ba0d951de95db748c6935c
Showing with 8 additions and 6 deletions.
  1. +8 −6 nextstrain/cli/deploy/s3.py
@@ -9,7 +9,7 @@
import re
import shutil
import urllib.parse
from botocore.exceptions import NoCredentialsError, PartialCredentialsError, WaiterError
from botocore.exceptions import ClientError, NoCredentialsError, PartialCredentialsError, WaiterError
from gzip import GzipFile
from io import BytesIO
from os.path import commonprefix
@@ -37,16 +37,18 @@ def run(url: urllib.parse.ParseResult, local_files: List[Path]) -> int:
# prefix for uploaded files. Internal and trailing slashes are untouched.
prefix = url.path.lstrip("/")

# Find the bucket and ensure it already exists so we don't automagically
# create new buckets.
bucket = boto3.resource("s3").Bucket(url.netloc)

# Find the bucket and ensure we have access and that it already exists so
# we don't automagically create new buckets.
try:
bucket = boto3.resource("s3").Bucket(url.netloc)
bucket.load()
boto3.client("s3").head_bucket(Bucket = bucket.name)

except (NoCredentialsError, PartialCredentialsError) as error:
warn("Error:", error)
return 1

if not bucket.creation_date:
except ClientError as error:
warn('No bucket exists with the name "%s".' % bucket.name)
warn()
warn("Buckets are not automatically created for safety reasons.")
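Review bot: The new `except ClientError as error:` branch at the end of the hunk reports every failure as a missing bucket, but head_bucket() also raises ClientError for a 403 (the credentials lack s3:ListBucket on an existing bucket) and for other service errors, so the access check the commit message describes is surfaced as "No bucket exists", which will send operators down the wrong path. Branch on `error.response["Error"]["Code"]` — head_bucket reports "404" for a missing bucket and "403" for access denied — and print a permissions message for 403 and a generic `warn("Error:", error)` for anything else; the bound `error` is currently unused in that branch. The run() function begins at the hunk header and continues past the last line shown, so whatever follows the three warn() calls (presumably the return) is outside the hunk.
```python
    except ClientError as error:
        code = error.response.get("Error", {}).get("Code")
        if code == "404":
            warn('No bucket exists with the name "%s".' % bucket.name)
            warn()
            warn("Buckets are not automatically created for safety reasons.")
        elif code == "403":
            warn('Access denied to bucket "%s"; the credentials need s3:ListBucket on it.' % bucket.name)
        else:
            warn("Error:", error)
        # … unchanged: remainder of the branch continues outside the hunk …
```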
