s3 acl param not working with rclone copy #5188

Closed
erinhartigan opened this issue Apr 1, 2021 · 4 comments
@erinhartigan

My s3 bucket has an acl policy that requires "bucket-owner-full-control". When I add the param to an aws cli copy command, it works, but when I try to add the param to rclone, it still gives me an "AccessDenied" error. I have tried setting the acl in many different ways:

I tried these two different configs in the config file:

[aws-dev]
type = s3
provider = AWS
env_auth = true
region = eu-west-1
location_constraint = eu-west-1
server_side_encryption = aws:kms
acl = bucket-owner-full-control

[aws-dev]
type = s3
provider = AWS
env_auth = true
region = eu-west-1
location_constraint = eu-west-1
server_side_encryption = aws:kms
s3-acl = bucket-owner-full-control

I also tried with flags in the command:

AWS_PROFILE=dev-s3-data-transfer-role-profile rclone --progress --checkers 64 --transfers 64 --cache-workers 24 --s3-acl=bucket-owner-full-control copy x.txt aws-dev:XXXXXXXX

AWS_PROFILE=dev-s3-data-transfer-role-profile rclone --progress --checkers 64 --transfers 64 --cache-workers 24 --acl=bucket-owner-full-control copy x.txt aws-dev:XXXXXXXX

AWS_PROFILE=dev-s3-data-transfer-role-profile rclone --progress --checkers 64 --transfers 64 --cache-workers 24 --s3-acl=bucket-owner-full-control --s3-no-check-bucket copy x.txt aws-dev:XXXXXXXX

AWS_PROFILE=dev-s3-data-transfer-role-profile rclone --progress --checkers 64 --transfers 64 --cache-workers 24 --acl=bucket-owner-full-control --s3-no-check-bucket copy x.txt aws-dev:XXXXXXXX

So, it seems like the acl rclone param is not being transferred to the s3 copy when it runs.

Also, here is my s3 bucket IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::XXXXXXXX/*",
      "Condition": {
        "StringNotLikeIfExists": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "XXXXXXXXX"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::XXXXXXXXX/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
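
The two Deny conditions in the policy above can be checked offline against the headers of a single PutObject request. This is an added example, not part of the original issue or of rclone; `EXAMPLE-KEY-ID` and the sample header sets are constructed, and only the two operators used in the policy are modelled, following the IAM rule that a negated string operator evaluates to true when the key is absent from the request.

```python
import re

# Conditions of the two Deny statements, keyed by request header name.
# EXAMPLE-KEY-ID is a constructed placeholder for the redacted KMS key id.
DENY_CONDITIONS = [
    ("StringNotLikeIfExists", "x-amz-server-side-encryption-aws-kms-key-id", "EXAMPLE-KEY-ID"),
    ("StringNotEquals", "x-amz-acl", "bucket-owner-full-control"),
]

def _like(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.S) is not None

def matching_denies(headers):
    """Return the header names whose Deny condition matches this request."""
    sent = {name.lower(): value for name, value in headers.items()}
    hits = []
    for operator, header, wanted in DENY_CONDITIONS:
        actual = sent.get(header)
        if actual is None:
            matched = True  # negated operator and absent key: condition is true
        elif operator.startswith("StringNotLike"):
            matched = not _like(wanted, actual)
        else:  # StringNotEquals is an exact, case-sensitive comparison
            matched = actual != wanted
        if matched:
            hits.append(header)
    return hits

# Constructed sample requests (header sets only, not captured traffic).
_KMS = {"X-Amz-Server-Side-Encryption": "aws:kms"}
_KEY = {"X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id": "EXAMPLE-KEY-ID"}
SAMPLES = {
    "acl and key id sent": {**_KMS, **_KEY, "X-Amz-Acl": "bucket-owner-full-control"},
    "acl header missing": {**_KMS, **_KEY},
    "acl value misspelled": {**_KMS, **_KEY, "X-Amz-Acl": "bucket-owner-full-contro"},
    "key id header missing": {**_KMS, "X-Amz-Acl": "bucket-owner-full-control"},
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        denies = matching_denies(headers)
        print(f"{label}: {'DENY on ' + ', '.join(denies) if denies else 'no Deny matches'}")
```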

@ncw
Member

ncw commented Apr 2, 2021

[aws-dev]
type = s3
provider = AWS
env_auth = true
region = eu-west-1
location_constraint = eu-west-1
server_side_encryption = aws:kms
acl = bucket-owner-full-contro

This is the correct way.

Can you try with rclone 1.55 and if that fails, try with --dump headers -vv and post the http transaction so I can see if it is correct.

@erinhartigan
Author

> [aws-dev]
> type = s3
> provider = AWS
> env_auth = true
> region = eu-west-1
> location_constraint = eu-west-1
> server_side_encryption = aws:kms
> acl = bucket-owner-full-contro
>
> This is the correct way.
>
> Can you try with rclone 1.55 and if that fails, try with --dump headers -vv and post the http transaction so I can see if it is correct.

And I'm assuming you meant "bucket-owner-full-control"?

@ncw
Member

ncw commented Apr 3, 2021

> And I'm assuming you meant "bucket-owner-full-control"?

Yes, sorry, cut and paste fail.

@ivandeex
Member

Regular cleanup of answered tickets
