
#11549 closed defect (fixed)

Missing empty prefix parameter leads to permission error with IAM policy containing restriction on prefix

Reported by: martin_w Owned by: dkocher
Priority: normal Milestone: 7.8.2
Component: s3 Version: 7.8.1
Severity: major Keywords: s3 regression
Cc: Architecture: Intel
Platform: Windows 10

Description

I have configured a variety of AWS IAM S3 credentials that provide restricted access to particular folders on S3. These credentials and permissions have worked well in CyberDuck for six months, but in the latest version of CyberDuck (v.7.8.1), the credentials, whose permissions are unchanged, no longer work. The credentials continue to work in an alternative S3 file management tool (S3 Browser). I have rolled back to v.7.7.2, and the credentials work fine there.

Specifically, the credentials are able to list my buckets ("s3:ListAllMyBuckets", "s3:GetBucketLocation"), but they are unable to list the "/" root folder content in version v.7.8.1. It works perfectly in v.7.7.2. Oddly, even with v.7.8.1, the credentials are still able to read contents of subfolders, provided that I provide their path in the Bookmark configuration.

So, for example, the credentials are configured to allow read-write access in /mybucket2/folderA. The credentials are able to read the bucket list:

/mybucket1
/mybucket2
/mybucket3

But when I try to open /mybucket2, I get a "Listing directory mybucket2 failed" error.

However, if I configure the bookmark path to /mybucket2/folderA, I am able to open and see the contents of that folder. If I try to navigate to the parent folder, I get an error again.

I have toggled the Log Drawer and compared the behavior for v.7.7.2 vs. v.7.8.1 by going through the same sequence of steps for each. The error in version 7.8.1 occurs with the HTTP request shown below.

v.7.7.2: GET /?encoding-type=url&max-keys=1000&prefix&delimiter=%2F HTTP/1.1

v.7.8.1: GET /?encoding-type=url&max-keys=1000&delimiter=%2F HTTP/1.1

The v.7.8.1 HTTP request is missing the "prefix" query string parameter which, even though it is empty for v.7.7.2, appears to be necessary for S3 to be happy.

I am attaching the Log Drawer output.

Below is the IAM JSON policy for the account I am testing. (I have changed the bucket and folder names.) The IAM policy gives read/write access to three folders at the top level of one specific bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUserToSeeBucketListInTheConsole",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "AllowNavigationToTargetFolder",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::my-example-bucket"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:delimiter": "/",
                    "s3:prefix": [
                        "",
                        "Folder_A/",
                        "Folder_B/",
                        "Folder_C/"
                    ]
                }
            }
        },
        {
            "Sid": "AllowListingOfTargetFolder",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::my-example-bucket"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "Folder_A/*",
                        "Folder_B/*",
                        "Folder_C/*"
                    ]
                }
            }
        },
        {
            "Sid": "AllowAddDeleteListOnlyInFolder",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:PutObjectAcl",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::my-example-bucket/Folder_A/*",
                "arn:aws:s3:::my-example-bucket/Folder_B/*",
                "arn:aws:s3:::my-example-bucket/Folder_C/*"
            ]
        }
    ]
}
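To make the interaction between the two request forms and the policy's s3:prefix condition concrete, here is an added example (not part of the ticket or of Cyberduck's code) that models IAM condition evaluation for the ListBucket statements above. It assumes, as the ticket observed, that a query string without a prefix parameter produces no s3:prefix condition key at all, while a bare "prefix" parameter produces s3:prefix == "".

```python
from urllib.parse import parse_qs
import re

# Subset of the ticket's IAM policy: the two s3:ListBucket statements.
POLICY = {
    "Statement": [
        {"Action": ["s3:ListBucket"],
         "Condition": {"StringEquals": {
             "s3:delimiter": "/",
             "s3:prefix": ["", "Folder_A/", "Folder_B/", "Folder_C/"]}}},
        {"Action": ["s3:ListBucket"],
         "Condition": {"StringLike": {
             "s3:prefix": ["Folder_A/*", "Folder_B/*", "Folder_C/*"]}}},
    ]
}

def condition_keys(query):
    """Map a ListObjects query string to IAM condition keys.
    Assumption (matches the ticket): a parameter absent from the request yields
    no key; a bare 'prefix' parameter yields s3:prefix == ''."""
    params = parse_qs(query, keep_blank_values=True)
    keys = {}
    if "prefix" in params:
        keys["s3:prefix"] = params["prefix"][0]
    if "delimiter" in params:
        keys["s3:delimiter"] = params["delimiter"][0]
    return keys

def _match(operator, pattern, value):
    if operator == "StringEquals":
        return value == pattern
    if operator == "StringLike":  # IAM wildcards: * (any run) and ? (one char)
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        return re.fullmatch(regex, value) is not None
    raise ValueError(operator)

def condition_satisfied(condition, keys):
    """Every operator/key pair must match; a key missing from the request fails
    (there is no ...IfExists operator in this policy)."""
    for operator, clauses in condition.items():
        for key, patterns in clauses.items():
            if key not in keys:
                return False
            patterns = patterns if isinstance(patterns, list) else [patterns]
            if not any(_match(operator, p, keys[key]) for p in patterns):
                return False
    return True

def list_bucket_allowed(policy, query):
    """True if any ListBucket statement's condition is met by the request."""
    keys = condition_keys(query)
    return any("s3:ListBucket" in s["Action"]
               and condition_satisfied(s.get("Condition", {}), keys)
               for s in policy["Statement"])
```

Running the v.7.7.2 query string through list_bucket_allowed returns True and the v.7.8.1 one returns False, which is the permission error the ticket reports.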

Attachments (1)

CyberDuckV7.8.2-S3-Bug.txt (12.9 KB) - added by martin_w on Jan 17, 2021 at 10:54:43 PM.
Compares Log Drawer output of successful and failed requests


Change History (9)

Changed on Jan 17, 2021 at 10:54:43 PM by martin_w

Compares Log Drawer output of successful and failed requests

comment:1 Changed on Jan 17, 2021 at 10:56:52 PM by martin_w

  • Architecture set to Intel
  • Platform set to Windows 10

I was alerted to this bug by problem reports from two other people. One of those verified that by reverting to v.7.7.2, the problem was resolved.

comment:2 Changed on Jan 17, 2021 at 11:00:38 PM by martin_w

  • Component changed from core to s3
  • Owner set to dkocher

comment:3 Changed on Jan 18, 2021 at 7:38:39 AM by dkocher

  • Milestone set to 8.0
  • Status changed from new to assigned

Regression from r50459.

comment:4 Changed on Jan 18, 2021 at 7:45:03 AM by dkocher

I suppose it is expected for the request to fail with a permission error when the prefix parameter is missing but the policy requires a prefix with s3:prefix.

comment:5 Changed on Jan 18, 2021 at 7:58:14 AM by dkocher

  • Summary changed from Amazon S3 regression: cannot list root "/" folder of bucket in v.7.8.1 of CyberDuck. Works in v.7.7.2. to Missing empty prefix parameter leads to permission with IAM policy containing restriction on prefix

comment:6 Changed on Jan 18, 2021 at 7:58:51 AM by dkocher

  • Milestone changed from 8.0 to 7.8.2

comment:7 Changed on Jan 18, 2021 at 9:53:12 AM by dkocher

  • Resolution set to fixed
  • Status changed from assigned to closed

In r50487. Change of handling of empty request parameters in https://github.com/iterate-ch/jets3t/pull/8.

comment:8 Changed on Jan 24, 2021 at 3:06:27 PM by dkocher

  • Summary changed from Missing empty prefix parameter leads to permission with IAM policy containing restriction on prefix to Missing empty prefix parameter leads to permission error with IAM policy containing restriction on prefix