It seems like the S3 location check is not working as it should. Here is a quick explanation of the observed behaviour.
I anonymized this example by changing account names and bucket names for privacy.
Test conditions & setup
Situation :
single AWS Account, spanning over 2 regions (us-east-1 and eu-west-1)
2 config entries in .yayas.yml, one per region :
aws:
  - name: "Account EU WEST 1"
    profile: "profile"
    sso: false
    region: "eu-west-1"
  - name: "Account US EAST 1"
    profile: "profile"
    sso: false
    region: "us-east-1"
Setup :
create bucket "eu-storage" in "eu-west-1"
create bucket "us-storage" in "us-east-1"
Observed behaviour on check AWS_S3_002 S3 buckets are not global but in one zone :
Name: Account EU WEST 1 (XX/63)
[...]
❌ AWS_S3_002 S3 buckets are not global but in one zone - (XX/YY)
S3 bucket eu-storage is in eu-west-1
S3 bucket us-storage is global but should be in eu-west-1
[...]
Name: Account US EAST 1 (XX/63)
[...]
❌ AWS_S3_002 S3 buckets are not global but in one zone - (XX/YY)
S3 bucket eu-storage is global but shoud be in us-east-1
S3 bucket us-storage is in us-east-1
[...]
Expected behaviour on check AWS_S3_002 S3 buckets are not global but in one zone :
Name: Account EU WEST 1 (XX/63)
[...]
❌ AWS_S3_002 S3 buckets are not global but in one zone - (XX/YY)
S3 bucket eu-storage is in eu-west-1
[...]
Name: Account US EAST 1 (XX/63)
[...]
❌ AWS_S3_002 S3 buckets are not global but in one zone - (XX/YY)
S3 bucket us-storage is in us-east-1
[...]
Identified cause of bug
In plugins/aws/s3/getter.go, L19:
The ListBuckets function here uses the equivalent ListBuckets AWS API endpoint. This is therefore the same as running aws s3 ls. It turns out that the returned list of buckets is a global list, even if AWS_REGION=eu-west-1 is set: the region parameter is ignored.
Maybe this check should be modified, in order to check in the bucket options if global replication is enabled rather than comparing the LocationConstraint on buckets?
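As an added example (not part of the original issue and not the project's code), one way to get the expected output is to filter the global ListBuckets result by each bucket's normalized location before reporting. The `Bucket` type and the function names are hypothetical; the handling of the empty and `EU` values follows the documented behaviour of GetBucketLocation.

```go
package main

import "fmt"

// Bucket (hypothetical type): one ListBuckets entry plus the raw
// LocationConstraint returned by GetBucketLocation for it.
type Bucket struct {
	Name, LocationConstraint string
}

// normalizeRegion maps a raw LocationConstraint to a region name: S3 reports
// us-east-1 as an empty value and may report legacy eu-west-1 buckets as "EU".
func normalizeRegion(constraint string) string {
	switch constraint {
	case "":
		return "us-east-1"
	case "EU":
		return "eu-west-1"
	}
	return constraint
}

// bucketsInRegion keeps only the buckets located in the scanned entry's region.
func bucketsInRegion(all []Bucket, region string) []Bucket {
	var kept []Bucket
	for _, b := range all {
		if normalizeRegion(b.LocationConstraint) == region {
			kept = append(kept, b)
		}
	}
	return kept
}

// reportLines renders detail lines in the format shown in the issue.
func reportLines(all []Bucket, region string) []string {
	lines := []string{}
	for _, b := range bucketsInRegion(all, region) {
		lines = append(lines, fmt.Sprintf("S3 bucket %s is in %s", b.Name, region))
	}
	return lines
}

func main() {
	// Constructed sample: ListBuckets returns this same list for both entries.
	global := []Bucket{{"eu-storage", "eu-west-1"}, {"us-storage", ""}}
	for _, region := range []string{"eu-west-1", "us-east-1"} {
		fmt.Println(region, reportLines(global, region))
	}
}
```

With this filter each config entry reports only the buckets that live in its own region, so the same bucket is no longer listed under both entries.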