
#8801 closed defect (worksforme)

Versioning request causes S3 Upload to break for IAM "upload only" account

Reported by: tempic
Owned by: dkocher
Priority: normal
Milestone: 4.7.1
Component: s3
Version: 4.7
Severity: normal
Keywords:
Cc:
Architecture:
Platform: Windows 8.1

Description

I have an IAM account configured with only List (ListAllMyBuckets, GetBucketLocation, ListBucket) and PutObject permissions. I want to have an account that just permits uploads.

When I try using Cyberduck, I get an 'access denied' error. I am able to use the account with S3Fox (a Firefox plugin) to upload files, so I don't think it's a permissions issue.

I suspect this is because Cyberduck makes a request to '/?versioning' before starting the upload. Is there any way to disable that request (since we don't have versioning enabled?) ...or to assume that versioning is disabled if the request to '/?versioning' returns a "403 Forbidden"?

Attachments (1)

cyberduck.log (283.8 KB) - added by tempic on May 4, 2015 at 8:17:24 PM.
Line 837 shows the 403 error I'm receiving


Change History (6)

comment:1 Changed on May 4, 2015 at 8:11:45 PM by dkocher

  • Milestone set to 4.8

Please post the transcript from the log drawer of the Transfers window. Choose ⌘-L on Mac, or right-click the toolbar from the Transfers window and choose Log on Windows.

comment:2 Changed on May 4, 2015 at 8:16:13 PM by dkocher

We should handle missing permissions to read versioning status just fine and assume no versioning support since r12517.

Changed on May 4, 2015 at 8:17:24 PM by tempic

Line 837 shows the 403 error I'm receiving

comment:3 Changed on May 4, 2015 at 8:19:44 PM by tempic

Hi, thanks for your response. I have attached the Debug log since the Log Drawer doesn't show anything when I attempt to upload a file. I assumed the problem was the 403 error I'm receiving on line 837, but there's a good chance I'm mistaken :)

Any other advice you could suggest on how to track down what the issue is would be appreciated.

comment:4 Changed on May 4, 2015 at 8:32:52 PM by dkocher

This log output shows that the actual PUT request is failing with a 403 response.

1546	2015-05-04 15:35:43,817 [http-1] DEBUG org.apache.http.headers - http-outgoing-3 >> PUT /event_footage_raw%2Ftest_eventx%2Fmvi_short2.mp4 HTTP/1.1
1547	2015-05-04 15:35:43,817 [http-1] DEBUG org.apache.http.headers - http-outgoing-3 >> Date: Mon, 04 May 2015 19:35:43 GMT
1548	2015-05-04 15:35:43,817 [http-1] DEBUG org.apache.http.headers - http-outgoing-3 >> Expect: 100-continue
1549	2015-05-04 15:35:43,817 [http-1] DEBUG org.apache.http.headers - http-outgoing-3 >> Content-Type: video/mp4
1550	2015-05-04 15:35:43,817 [http-1] DEBUG org.apache.http.headers - http-outgoing-3 >> Authorization: AWS AKIAI6OEDVHQYINV54IQ:Z2QDsouraIdcRwl+aStDAT6L524=
1551	2015-05-04 15:35:43,817 [http-1] DEBUG org.apache.http.headers - http-outgoing-3 >> Content-Length: 226589547
1552	2015-05-04 15:35:43,817 [http-1] DEBUG org.apache.http.headers - http-outgoing-3 >> Host: connectsports-video.s3.amazonaws.com:443
1553	2015-05-04 15:35:43,817 [http-1] DEBUG org.apache.http.headers - http-outgoing-3 >> Connection: Keep-Alive
1554	2015-05-04 15:35:43,817 [http-1] DEBUG org.apache.http.headers - http-outgoing-3 >> User-Agent: Cyberduck/4.7 (17432).17432 (Windows 8/6.2) (x86)
1555	2015-05-04 15:35:43,848 [http-1] DEBUG org.apache.http.headers - http-outgoing-3 << HTTP/1.1 403 Forbidden
1556	2015-05-04 15:35:43,848 [http-1] DEBUG org.apache.http.headers - http-outgoing-3 << x-amz-request-id: 3161D4A81554963E
1557	2015-05-04 15:35:43,848 [http-1] DEBUG org.apache.http.headers - http-outgoing-3 << x-amz-id-2: ect2tNigGBhzmCWsovTh25UKFzJYWzveSjE+Z0RgLr7JxyAPz1DhqpRA3IEsMYGG
1558	2015-05-04 15:35:43,848 [http-1] DEBUG org.apache.http.headers - http-outgoing-3 << Content-Type: application/xml
1559	2015-05-04 15:35:43,848 [http-1] DEBUG org.apache.http.headers - http-outgoing-3 << Transfer-Encoding: chunked
1560	2015-05-04 15:35:43,848 [http-1] DEBUG org.apache.http.headers - http-outgoing-3 << Date: Mon, 04 May 2015 19:35:40 GMT
1561	2015-05-04 15:35:43,848 [http-1] DEBUG org.apache.http.headers - http-outgoing-3 << Connection: close
1562	2015-05-04 15:35:43,848 [http-1] DEBUG org.apache.http.headers - http-outgoing-3 << Server: AmazonS3
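
Added example, not part of the ticket or of Cyberduck's code: a small Python triage script for a debug log in the format quoted above. It pairs every request line with the final status on the same `http-outgoing-N` connection, so all 403 responses are listed rather than only the first one found, and it masks `Authorization` values. The sample log, its paths and its credential are constructed placeholders.

```python
import re

# Constructed sample in the ticket's log format; paths and credential are placeholders.
_PREFIX = "2015-05-04 15:35:43,817 [http-1] DEBUG org.apache.http.headers - "
SAMPLE_LOG = "\n".join(_PREFIX + entry for entry in [
    "http-outgoing-1 >> GET /?versioning HTTP/1.1",
    "http-outgoing-1 >> Authorization: AWS EXAMPLEKEYID:ZXhhbXBsZQ==",
    "http-outgoing-1 << HTTP/1.1 403 Forbidden",
    "http-outgoing-2 >> GET /?delimiter=%2F HTTP/1.1",
    "http-outgoing-2 << HTTP/1.1 200 OK",
    "http-outgoing-3 >> PUT /uploads%2Fclip.mp4 HTTP/1.1",
    "http-outgoing-3 >> Expect: 100-continue",
    "http-outgoing-3 << HTTP/1.1 403 Forbidden",
])

HEADER_LINE = re.compile(r"org\.apache\.http\.headers - (http-outgoing-\d+) (>>|<<) (.*)$")
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")
STATUS_LINE = re.compile(r"^HTTP/1\.[01] (\d{3})")

def exchanges(log_text):
    """Pair each request line with the final status returned on the same connection."""
    pending, paired = {}, []
    for line in log_text.splitlines():
        found = HEADER_LINE.search(line)  # search() tolerates a leading line number
        if not found:
            continue
        conn, direction, header = found.groups()
        if direction == ">>":
            request = REQUEST_LINE.match(header)
            if request:
                pending[conn] = request.groups()
        else:
            status = STATUS_LINE.match(header)
            # "100 Continue" is interim (the PUT sends Expect: 100-continue); wait for the final status.
            if status and conn in pending and status.group(1) != "100":
                paired.append(pending.pop(conn) + (int(status.group(1)),))
    return paired

def denied(log_text):
    """Every request answered with 403, not only the first one in the file."""
    return [(method, target) for method, target, code in exchanges(log_text) if code == 403]

def redact(log_text):
    """Mask Authorization header values, e.g. before attaching a debug log to a ticket."""
    return re.sub(r"(Authorization: ).*", r"\1<redacted>", log_text)
```

On the constructed sample, `denied(SAMPLE_LOG)` returns both the `/?versioning` probe and the `PUT`, which is the distinction the comment above draws from the real log.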

comment:5 Changed on May 4, 2015 at 8:34:42 PM by dkocher

  • Resolution set to worksforme
  • Status changed from new to closed

Please verify your policy with IAM Policy Simulator.
