
#11340 closed defect (duplicate)

S3 unable to connect to whitelisted path

Reported by: freakk
Owned by: dkocher
Priority: high
Milestone: 7.8.2
Component: s3
Version: 7.7.2
Severity: major
Keywords:
Cc:
Architecture:
Platform:

Description

When connecting to a bucket with security policies whitelisting specific paths:

  • Older versions (tested on 6.7.0) allow connections to an S3 bucket, landing on a specific whitelisted Path.
  • Newer versions (tested on 7.7.2) fail with error "Listing directory / failed" when using Server=s3.amazonaws.com and Path=/<bucket-name>/<whitelisted-prefix>
  • Newer versions (tested on 7.7.2) fail with error "Listing directory <whitelisted-prefix> failed" when using Server=<bucket-name>.amazonaws.com and Path=<whitelisted-prefix>

Looks like this issue has been coming and going intermittently since at least 2015 and it suggests attempts at either listing all buckets or listing the root prefix of the bucket, which is not accepted in most security policies.

Change History (6)

comment:1 Changed on Dec 4, 2020 at 4:52:42 PM by dkocher

Please attach the HTTP transcript and a sample IAM policy to reproduce the problem.

comment:2 Changed on Dec 4, 2020 at 4:52:49 PM by dkocher

  • Component changed from core to s3
  • Owner set to dkocher

comment:3 Changed on Dec 7, 2020 at 3:29:12 PM by freakk

Here's a sample policy, working on v6 and failing on v7


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "StringLike": {
                    "s3:prefix": "some_folder/some_user/*"
                }
            },
            "Action": "s3:List*",
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/some_folder/some_user/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:Abort*",
                "s3:PutObject*",
                "s3:GetBucket*",
                "s3:GetObject*",
                "s3:DeleteObject*"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/some_folder/some_user/*"
            ],
            "Effect": "Allow"
        }
    ]
}
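
The evaluation behind the failures discussed in this ticket, as an added example (not code from the ticket or from Cyberduck): a simplified model of how the first statement of the sample policy treats a bucket listing request depending on the prefix the client sends. The function names and the reduced evaluation logic (one Allow statement, StringLike conditions only, a missing prefix treated as no match) are assumptions.

```python
import re

# Constructed from the first statement of the sample policy above.
LIST_STATEMENT = {
    "Effect": "Allow",
    "Action": "s3:List*",
    "Resource": ["arn:aws:s3:::bucket-name",
                 "arn:aws:s3:::bucket-name/some_folder/some_user/*"],
    "Condition": {"StringLike": {"s3:prefix": "some_folder/some_user/*"}},
}

def string_like(pattern, value):
    """IAM StringLike: case-sensitive, '*' = any run of chars, '?' = one char."""
    if value is None:  # key absent from the request context: no match
        return False
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None

def as_list(x):
    return x if isinstance(x, list) else [x]

def list_bucket_allowed(bucket, prefix, statement=LIST_STATEMENT):
    """Simplified check of one Allow statement for an s3:ListBucket request.

    Models only Action, Resource and StringLike conditions (no Deny statements,
    other policies or other operators). `prefix` is the request's prefix
    parameter, None when the client sends none.
    """
    if statement["Effect"] != "Allow":
        return False
    if not any(string_like(a, "s3:ListBucket") for a in as_list(statement["Action"])):
        return False
    arn = f"arn:aws:s3:::{bucket}"  # ListBucket is evaluated against the bucket ARN
    if not any(string_like(r, arn) for r in as_list(statement["Resource"])):
        return False
    context = {"s3:prefix": prefix}
    for key, pattern in statement.get("Condition", {}).get("StringLike", {}).items():
        if not any(string_like(p, context.get(key)) for p in as_list(pattern)):
            return False
    return True

if __name__ == "__main__":
    # Constructed sample prefixes: bucket root, parent folder, whitelisted path.
    for p in (None, "", "some_folder/", "some_folder/some_user",
              "some_folder/some_user/", "some_folder/some_user/reports/"):
        verdict = "allow" if list_bucket_allowed("bucket-name", p) else "implicit deny"
        print(repr(p), "->", verdict)
```

Only listings whose prefix starts with `some_folder/some_user/` (trailing slash included) are allowed, so a client that first lists the bucket root or a parent folder is denied before it reaches the whitelisted path.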

comment:4 Changed on Jan 22, 2021 at 4:04:53 PM by dkocher

  • Milestone set to 7.8.2

Relates to #11549.

comment:5 Changed on Jan 22, 2021 at 4:06:17 PM by dkocher

Can you please check if you still see this issue with the current snapshot build by updating from within Cyberduck in Preferences → Update → Automatically check for updates in → Snapshot Builds?

comment:6 Changed on Jan 23, 2021 at 11:14:18 AM by dkocher

  • Resolution set to duplicate
  • Status changed from new to closed