S3 restricted folder access denied permissions #6952

Closed
cyberduck opened this issue Nov 8, 2012 · 6 comments
Labels: bug, s3, AWS S3 Protocol Implementation, worksforme

5e5570e created the issue

I have been playing with the IAM permissions forever now and read everything I possibly can.

I am starting to wonder if it is something to do with Cyberduck possibly from what I read on another S3 browser software site, which is OK. But I just need to verify what's going on, and any help is sooo much appreciated.

I get the following error when trying to create a folder or upload a file:

S3 Error: Cannot create folder test
S3 Error Message. Forbidden. Access Denied.

I have the path when I login to S3 set to: /bucket/site/wp-content/themes/

That works and I get a listing of all folders and files in there. But when I try to upload or download anything in there I get the error above.

Here are my current IAM permissions:

{
  "Statement": [
    {
      "Sid": "AllowGroupToSeeBucketListAndAlsoAllowGetBucketLocationRequiredForListBucket",
      "Action": [ 
        "s3:ListAllMyBuckets", 
        "s3:GetBucketLocation", 
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads" 
      ],
      "Effect": "Allow",
      "Resource": [ "arn:aws:s3:::*" ]
    },
    {
      "Sid": "AllowRootLevelListingOfCompanyBucket",
      "Action": [
        "s3:DeleteObject",
        "s3:ListBucket",
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetBucketLocation",
        "s3:ListMultipartUploadParts"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::bucket",
        "arn:aws:s3:::bucket/*"
      ],
      "Condition":{ 
           "StringLike":{
              "s3:prefix":"site/wp-content/themes",
              "s3:prefix":"site/wp-content/themes/*"
           }
      }
    }
  ]
}

Please, any help fixing the permissions, or letting me know it's a known issue when trying to give access only to a specific location with Cyberduck, would help.

I just want to let these users in this IAM group have access to download/upload/delete files in the following location only:
/bucket/site/wp-content/themes/*

Thank you again everyone for taking the time to read this. :)

@dkocher commented

Not exactly sure without testing why the above policy doesn't work, but you could simplify it by narrowing down the Resource instead of using a prefix condition.

{
  "Statement": [
    {
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation",
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [ "arn:aws:s3:::*" ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
      ],
      "Resource": "arn:aws:s3:::bucket/site/wp-content/themes/*"
    }
  ]
}

c1a2ae1 commented

Not sure why this was closed, as this issue persists. For various security reasons, I need to give users permission to list only specific directories. This can't be accomplished by narrowing the Resource because the ListBucket ACL applies only to buckets. CyberDuck attempts to list the entire bucket on load, even though a prefix has been specified.

@dkocher commented

Replying to [comment:3 max@…]:

Not sure why this was closed, as this issue persists. For various security reasons, I need to give users permission to list only specific directories. This can't be accomplished by narrowing the Resource because the ListBucket ACL applies only to buckets. CyberDuck attempts to list the entire bucket on load, even though a prefix has been specified.

Can you elaborate on what you mean by "list the entire bucket"? On login we list all buckets if no default path has been set in the bookmark, or list the default bookmark path otherwise.

c1a2ae1 commented

Here's what my policy looks like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::my-bucket-name",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "path/to/folder/"
                }
            }
        },
        {
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::my-bucket-name/path/to/folder/*"
        }
    ]
}

The first statement allows bucket actions on folder and the second statement allows object actions on folder. The result is that users with this policy can only read/write/list one directory in my-bucket-name.

Using CyberDuck, I click "Open Connection", enter my Access Key ID and Secret Access Key, and in "More Options", enter the path to the directory: my-bucket-name/path/to/folder. When I click "Connect", I get an error:

Listing directory folder failed.
Access Denied: Please contact your web hosting service provider for assistance.

My best guess is that CyberDuck attempts to list the entire bucket (as opposed to the one directory) and fails (since listing is restricted to using that prefix).
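As an added illustration (not code from the issue, from Cyberduck, or from AWS), here is a small Python model of how an IAM StringLike condition on s3:prefix gates s3:ListBucket for the policy just posted: a listing request that carries no prefix parameter, or a prefix deeper than the exact pattern, falls through to the implicit deny, and the duplicate "s3:prefix" key in the first policy of this thread collapses to a single pattern once a JSON parser reads it. IAM evaluation is simplified (Allow statements only, no Deny, no policy-type precedence).

```python
# Added example: simplified IAM evaluator for s3:ListBucket with a StringLike s3:prefix condition.
import fnmatch
import json
from typing import List, Optional, Union

# Policy as posted in the thread, meant to confine listing to one folder.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": "s3:*", "Effect": "Allow",
     "Resource": "arn:aws:s3:::my-bucket-name",
     "Condition": {"StringLike": {"s3:prefix": "path/to/folder/"}}},
    {"Action": "s3:*", "Effect": "Allow",
     "Resource": "arn:aws:s3:::my-bucket-name/path/to/folder/*"}
  ]
}
""")

# Condition block from the first policy in the thread, duplicate key included.
DUPLICATE_KEY_CONDITION = ('{"s3:prefix": "site/wp-content/themes", '
                           '"s3:prefix": "site/wp-content/themes/*"}')

def as_list(value: Union[str, List[str]]) -> List[str]:
    return [value] if isinstance(value, str) else list(value)

def string_like(patterns: Union[str, List[str]], value: str) -> bool:
    """IAM StringLike: case-sensitive glob (* and ?); a list of patterns is an OR."""
    return any(fnmatch.fnmatchcase(value, p) for p in as_list(patterns))

def surviving_prefix_patterns(condition_json: str) -> List[str]:
    """Python's json module, like most parsers, keeps only the last duplicate key."""
    return as_list(json.loads(condition_json)["s3:prefix"])

def list_bucket_allowed(policy: dict, bucket: str, prefix: Optional[str]) -> bool:
    """Allow/deny for one ListBucket call. prefix=None models a listing with no
    prefix parameter, so the s3:prefix condition key is absent and the test fails."""
    resource = f"arn:aws:s3:::{bucket}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue  # the thread's policies carry no Deny statements
        if not (string_like(stmt["Action"], "s3:ListBucket")
                and string_like(stmt["Resource"], resource)):
            continue
        cond = stmt.get("Condition", {}).get("StringLike", {})
        if "s3:prefix" in cond and (prefix is None or not string_like(cond["s3:prefix"], prefix)):
            continue  # condition not satisfied by this request
        return True  # an Allow matched and nothing overrides it
    return False  # implicit deny
```

With this policy, only a listing whose prefix is exactly "path/to/folder/" is allowed; to permit subfolders the pattern needs a trailing wildcard, and to OR several patterns the value must be a JSON list rather than a repeated key.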

@dkocher commented

Please post the transcript from the log drawer (⌘-L).

@dkocher commented

I just noted that you are reporting this issue against version 4.2.1. Please upgrade to the latest release and reopen this issue if the problem persists.

@iterate-ch iterate-ch locked as resolved and limited conversation to collaborators Nov 26, 2021