
#6952 closed defect (worksforme)

S3 restricted folder access denied permissions

Reported by: detail
Owned by: dkocher
Priority: normal
Milestone: 4.7
Component: s3
Version: 4.2.1
Severity: normal
Keywords:
Cc:
Architecture: Intel
Platform: Mac OS X 10.7

Description (last modified by dkocher)

I have been playing with the IAM permissions forever now and read everything I possibly can.

I am starting to wonder if it is something to do with Cyberduck, possibly, from what I read on another S3 browser software site, which is OK. But I just need to verify what's going on, and any help is sooo much appreciated.

I get the following error when trying to create a folder or upload a file:

S3 Error: Cannot create folder test
S3 Error Message. Forbidden. Access Denied.

I have the path when I login to S3 set to: /bucket/site/wp-content/themes/

That works and I get a listing of all folders and files in there. But when I try to upload or download anything in there I get the error above.

Here are my current IAM permissions:

{
  "Statement": [
    {
      "Sid": "AllowGroupToSeeBucketListAndAlsoAllowGetBucketLocationRequiredForListBucket",
      "Action": [ 
        "s3:ListAllMyBuckets", 
        "s3:GetBucketLocation", 
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads" 
      ],
      "Effect": "Allow",
      "Resource": [ "arn:aws:s3:::*" ]
    },
    {
      "Sid": "AllowRootLevelListingOfCompanyBucket",
      "Action": [
        "s3:DeleteObject",
        "s3:ListBucket",
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetBucketLocation",
        "s3:ListMultipartUploadParts"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::bucket",
        "arn:aws:s3:::bucket/*"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": "site/wp-content/themes",
          "s3:prefix": "site/wp-content/themes/*"
        }
      }
    }
  ]
}

Please, any help fixing the permissions, or letting me know it's a known issue when trying to give access to only a specific location with Cyberduck, would help.

I just want to let these users in this IAM group have access to download/upload/delete files in the following location only: /bucket/site/wp-content/themes/*

Thank you again everyone for taking the time to read this. :)

Change History (7)

comment:1 Changed on Nov 25, 2012 at 1:23:33 PM by dkocher

  • Component changed from core to s3
  • Description modified (diff)
  • Owner set to dkocher

comment:2 Changed on Nov 25, 2012 at 1:50:49 PM by dkocher

  • Resolution set to thirdparty
  • Status changed from new to closed

Not exactly sure, without testing, why the above policy doesn't work, but you could simplify it by narrowing down the Resource instead of using a prefix condition.

{
  "Statement": [
    {
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation",
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [ "arn:aws:s3:::*" ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
      ],
      "Resource": "arn:aws:s3:::bucket/site/wp-content/themes/*"
    }
  ]
}

comment:3 Changed on Mar 24, 2015 at 1:56:59 PM by max@…

  • Resolution thirdparty deleted
  • Status changed from closed to reopened

Not sure why this was closed, as this issue persists. For various security reasons, I need to give users permission to list only specific directories. This can't be accomplished by narrowing the Resource because the ListBucket ACL applies only to buckets. CyberDuck attempts to list the entire bucket on load, even though a prefix has been specified.

comment:4 (in reply to comment:3) Changed on Mar 24, 2015 at 8:14:45 PM by dkocher

Replying to max@…:

Not sure why this was closed, as this issue persists. For various security reasons, I need to give users permission to list only specific directories. This can't be accomplished by narrowing the Resource because the ListBucket ACL applies only to buckets. CyberDuck attempts to list the entire bucket on load, even though a prefix has been specified.

Can you elaborate on what you mean by listing the entire bucket? On login we list all buckets if no default path has been set in the bookmark, or the default bookmark path otherwise.

comment:5 Changed on Mar 24, 2015 at 8:36:01 PM by max@…

Here's what my policy looks like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::my-bucket-name",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "path/to/folder/"
                }
            }
        },
        {
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::my-bucket-name/path/to/folder/*"
        }
    ]
}

The first statement allows bucket actions on the folder and the second statement allows object actions on the folder. The result is that users with this policy can only read/write/list one directory in my-bucket-name.

Using CyberDuck, I click "Open Connection", enter my Access Key ID and Secret Access Key, and in "More Options", enter the path to the directory: my-bucket-name/path/to/folder. When I click "Connect", I get an error:

Listing directory folder failed.
Access Denied: Please contact your web hosting service provider for assistance.

My best guess is that CyberDuck attempts to list the entire bucket (as opposed to the one directory) and fails (since listing is restricted to using that prefix).
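Added example (not Cyberduck code, and not written by any participant in this ticket): a deliberately simplified Python model of IAM policy evaluation, used to replay the requests described in the ticket description and in comment:5 against the two posted policies. It assumes that a ListBucket request carries the requested key prefix as the `s3:prefix` condition key (with `""` for a root listing, as in AWS's own documentation examples) while object requests such as PutObject carry no `s3:prefix` at all; that creating a folder in a client is a PutObject of an empty key ending in `/`; that only the StringEquals/StringLike operators, the explicit-deny-over-allow rule and the rule that an absent condition key fails the condition need modelling; and that the duplicate `"s3:prefix"` key in the first policy is resolved the way `json.loads` resolves it, by keeping the last value. The policy texts are constructed copies of the ones in the ticket with the Sids dropped.

```python
"""Simplified IAM policy evaluator for the S3 prefix-restriction question in this ticket.
Added example: not Cyberduck code and not the policy engine AWS actually uses."""
import json
import re


def _glob_match(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_met(condition, context):
    """Only StringEquals and StringLike are modelled (assumption: other operators are out
    of scope here). A key that is absent from the request context fails the condition."""
    for operator, pairs in condition.items():
        for key, patterns in pairs.items():
            if key not in context:
                return False
            actual = context[key]
            if operator == "StringEquals" and actual not in _as_list(patterns):
                return False
            if operator == "StringLike" and not any(_glob_match(p, actual) for p in _as_list(patterns)):
                return False
            if operator not in ("StringEquals", "StringLike"):
                raise ValueError("operator not modelled: " + operator)
    return True


def evaluate(policy_json, action, resource, context=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request.
    An explicit Deny wins over any Allow; with no matching Allow the default is implicit deny."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in json.loads(policy_json)["Statement"]:
        if not any(_glob_match(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_met(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


# Constructed copy of the policy in the ticket description (Sids omitted). The duplicated
# "s3:prefix" key is kept as posted; json.loads keeps the last value, "site/wp-content/themes/*".
REPORTER_POLICY = """{
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:ListBucket",
                "s3:ListBucketMultipartUploads"],
     "Resource": ["arn:aws:s3:::*"]},
    {"Effect": "Allow",
     "Action": ["s3:DeleteObject", "s3:ListBucket", "s3:PutObject", "s3:GetObject",
                "s3:GetBucketLocation", "s3:ListMultipartUploadParts"],
     "Resource": ["arn:aws:s3:::bucket", "arn:aws:s3:::bucket/*"],
     "Condition": {"StringLike": {"s3:prefix": "site/wp-content/themes",
                                  "s3:prefix": "site/wp-content/themes/*"}}}
  ]
}"""

# Constructed copy of the policy in comment:5.
MAX_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::my-bucket-name",
     "Condition": {"StringLike": {"s3:prefix": "path/to/folder/"}}},
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": "arn:aws:s3:::my-bucket-name/path/to/folder/*"}
  ]
}"""


def diagnose():
    """Replay the requests the ticket describes; returns a name -> decision mapping."""
    bucket, themes = "arn:aws:s3:::bucket", "site/wp-content/themes/"
    mb = "arn:aws:s3:::my-bucket-name"
    return {
        # Listing the default path succeeds: statement 1 allows ListBucket with no condition.
        "reporter_list_themes": evaluate(REPORTER_POLICY, "s3:ListBucket", bucket, {"s3:prefix": themes}),
        # Creating "test" is a PutObject of an empty key "test/"; object requests carry no
        # s3:prefix, so the StringLike condition can never be met -> Access Denied.
        "reporter_create_folder": evaluate(REPORTER_POLICY, "s3:PutObject", bucket + "/" + themes + "test/"),
        # The unconditioned statement 1 also allows listing any prefix of any bucket.
        "reporter_list_other_bucket": evaluate(REPORTER_POLICY, "s3:ListBucket", "arn:aws:s3:::other", {"s3:prefix": ""}),
        # comment:5 policy: the folder can be listed, the bucket root cannot.
        "max_list_folder": evaluate(MAX_POLICY, "s3:ListBucket", mb, {"s3:prefix": "path/to/folder/"}),
        "max_list_root": evaluate(MAX_POLICY, "s3:ListBucket", mb, {"s3:prefix": ""}),
        # Object actions are scoped purely by the Resource ARN of the second statement.
        "max_put_in_folder": evaluate(MAX_POLICY, "s3:PutObject", mb + "/path/to/folder/style.css"),
        "max_put_outside": evaluate(MAX_POLICY, "s3:PutObject", mb + "/other/style.css"),
    }


if __name__ == "__main__":
    for name, decision in diagnose().items():
        print(f"{name:28s} {decision}")
```

Under this model the description's policy allows the initial listing but denies every upload, download and folder creation, because PutObject, GetObject and DeleteObject requests never carry `s3:prefix`, so a StringLike condition on that key fails for all of them; narrowing the Resource ARN, as comment:2 suggests, is the way to scope object actions. Its first statement also grants ListBucket on every bucket with no condition, so the prefix condition never constrained listing at all. The comment:5 policy behaves as its author describes: a root listing is denied, which is what a client would hit if it listed the bucket before the configured path. One caveat a practitioner should check: its StringLike value `path/to/folder/` has no trailing wildcard, so only that exact prefix can be listed and browsing into a subfolder (prefix `path/to/folder/sub/`) would also be denied.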

comment:6 Changed on Mar 31, 2015 at 3:40:44 PM by dkocher

Please post the transcript from the log drawer (⌘-L).

comment:7 Changed on Mar 31, 2015 at 3:42:58 PM by dkocher

  • Milestone set to 4.7
  • Resolution set to worksforme
  • Status changed from reopened to closed

I just noted that you are reporting this issue against version 4.2.1. Please upgrade to the latest release and reopen this issue if the problem persists.
