
Missing empty prefix parameter leads to permission error with IAM policy containing restriction on prefix #11549

Closed
cyberduck opened this issue Jan 17, 2021 · 4 comments
Labels: bug fixed s3 AWS S3 Protocol Implementation

Comments

9103a4d (via @cyberduck, Collaborator) created the issue

I have configured a variety of AWS IAM S3 credentials that provide restricted access to particular folders on S3. These credentials and permissions have worked well in CyberDuck for six months, but in the latest version of CyberDuck (v.7.8.1), the credentials, whose permissions are unchanged, no longer work. The credentials continue to work in an alternative S3 file management tool (S3 Browser). I have rolled back to v.7.7.2, and the credentials work fine there.

Specifically, the credentials are able to list my buckets ("s3:ListAllMyBuckets", "s3:GetBucketLocation"), but they are unable to list the "/" root folder content in version v.7.8.1. It works perfectly in v.7.7.2. Oddly, even with v.7.8.1, the credentials are still able to read contents of subfolders, provided that I provide their path in the Bookmark configuration.

So, for example, the credentials are configured to allow read-write access in /mybucket2/folderA.
The credentials are able to read the bucket list:

/mybucket1
/mybucket2
/mybucket3

But when I try to open /mybucket2, I get a "Listing directory mybucket2 failed" error.

However, if I configure the bookmark path to /mybucket2/folderA, I am able to open and see the contents of that folder. If I try to navigate to the parent folder, I get an error again.

I have toggled the Log Drawer and compared the behavior for v.7.7.2 vs. v.7.8.1 by going through the same sequence of steps for each. The error in version 7.8.1 occurs with the HTTP request below.

v.7.7.2: GET /?encoding-type=url&max-keys=1000&prefix&delimiter=%2F HTTP/1.1

v.7.8.1: GET /?encoding-type=url&max-keys=1000&delimiter=%2F HTTP/1.1

The v.7.8.1 HTTP request is missing the "prefix" query string parameter which, even though it is empty for v.7.7.2, appears to be necessary for S3 to be happy.

I am attaching the Log Drawer output.

Below is the IAM JSON policy for the account I am testing. (I have changed the bucket and folder names.) The IAM policy gives read/write access to three folders at the top level of one specific bucket.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUserToSeeBucketListInTheConsole",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "AllowNavigationToTargetFolder",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::my-example-bucket"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:delimiter": "/",
                    "s3:prefix": [
                        "",
                        "Folder_A/",
                        "Folder_B/",
                        "Folder_C/"
                    ]
                }
            }
        },
        {
            "Sid": "AllowListingOfTargetFolder",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::my-example-bucket"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "Folder_A/*",
                        "Folder_B/*",
                        "Folder_C/*"
                    ]
                }
            }
        },
        {
            "Sid": "AllowAddDeleteListOnlyInFolder",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:PutObjectAcl",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::my-example-bucket/Folder_A/*",
                "arn:aws:s3:::my-example-bucket/Folder_B/*",
                "arn:aws:s3:::my-example-bucket/Folder_C/*"
            ]
        }
    ]
}
```


9103a4d (via @cyberduck, Collaborator Author) commented

I was alerted to this bug by problem reports from two other people. One of those verified that by reverting to v.7.7.2, the problem was resolved.

@dkocher (via @cyberduck, Collaborator Author) commented

Regression from 8d36020.

@dkocher (via @cyberduck, Collaborator Author) commented

I suppose it is expected that the request fails with a permission error when the prefix parameter is missing but the policy requires a prefix via s3:prefix.
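To make the interaction between the client change and the policy concrete, here is an added Python model (not Cyberduck or jets3t code, and not AWS's evaluator): it rebuilds the two request shapes from the log above and evaluates them against a simplified version of the two `s3:ListBucket` statements from the issue's policy, where an absent `s3:prefix` condition key makes `StringEquals` false rather than matching the empty string. The policy constants are copied from the issue's JSON; the evaluation logic is a constructed simplification for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import parse_qs, quote, urlparse

# Constructed from the two s3:ListBucket statements in the issue's policy.
NAVIGATE = {"s3:delimiter": ["/"],                                  # StringEquals
            "s3:prefix": ["", "Folder_A/", "Folder_B/", "Folder_C/"]}
LIST_INSIDE = {"s3:prefix": ["Folder_A/*", "Folder_B/*", "Folder_C/*"]}  # StringLike

def build_list_query(prefix, keep_empty):
    """Query for listing a bucket. keep_empty=True mirrors v7.7.2 (a bare
    'prefix' key is kept); False mirrors v7.8.1 (empty parameter dropped)."""
    parts = ["encoding-type=url", "max-keys=1000"]
    if prefix:
        parts.append("prefix=" + quote(prefix, safe=""))
    elif prefix == "" and keep_empty:
        parts.append("prefix")  # present with an empty value, as in the log
    parts.append("delimiter=%2F")
    return "/?" + "&".join(parts)

def condition_keys(query):
    """Map query parameters onto IAM condition keys. A parameter that was
    never sent produces no key at all, which is what StringEquals trips on."""
    qs = parse_qs(urlparse(query).query, keep_blank_values=True)
    keys = {}
    if "prefix" in qs:
        keys["s3:prefix"] = qs["prefix"][0]
    if "delimiter" in qs:
        keys["s3:delimiter"] = qs["delimiter"][0]
    return keys

def matches(condition, keys, like=False):
    """Simplified IAM condition block: every key must exist in the request and
    its value must equal (or glob-match, for StringLike) an allowed value."""
    for key, allowed in condition.items():
        if key not in keys:
            return False  # absent key: the condition is false, not "empty"
        value = keys[key]
        if not any(fnmatchcase(value, a) if like else value == a for a in allowed):
            return False
    return True

def evaluate_list_bucket(query):
    """Allow when either ListBucket statement matches; otherwise implicit deny."""
    keys = condition_keys(query)
    if matches(NAVIGATE, keys) or matches(LIST_INSIDE, keys, like=True):
        return "Allow"
    return "Deny"

if __name__ == "__main__":
    for version, keep in (("v7.7.2", True), ("v7.8.1", False)):
        q = build_list_query("", keep)
        print(version, q, "->", evaluate_list_bucket(q))
```

Running it shows the root listing allowed only when the empty `prefix` key is on the wire, while listing `Folder_A/` succeeds either way, matching the behaviour reported above.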

@dkocher (via @cyberduck, Collaborator Author) commented

In cfb828c. Change of handling of empty request parameters in iterate-ch/jets3t#8.

@iterate-ch iterate-ch locked as resolved and limited conversation to collaborators Nov 27, 2021