Cyberduck Mountain Duck CLI

Opened 22 months ago

Closed 22 months ago

Last modified 22 months ago

#9741 closed defect (fixed)

Unable to download resources with IAM security missing s3:GetAccelerateConfiguration permission

Reported by: paul.christmann Owned by:
Priority: normal Milestone: 5.2.1
Component: s3 Version: 5.1
Severity: blocker Keywords:
Cc: Architecture:
Platform: Mac OS X 10.10

Description

After upgrading to 5.2.0.21327 build, I was unable to download resources secured by IAM policies (though I was able to list objects as expected).

I reverted to build 5.1.3.20962 and the downloads worked correctly. I also verified the ability to download via command line tools.

We use IAM policies to secure access to resources by prefix within our buckets. For example, we have a policy like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [ "s3:ListBucket"],
            "Effect": "Allow",
            "Resource": ["arn:aws:s3:::obfuscated"],
            "Condition": { "StringLike": { "s3:prefix": ["more/obfuscation/*"]}}
        },
        {
            "Effect": "Allow",
            "Action": ["s3:*"],
            "Resource": ["arn:aws:s3:::obfuscated/more/obfuscation/*"]
        }
    ]
}

What I end up seeing in the logs suggests it might be the acceleration support added in this build:

GET /?accelerate HTTP/1.1
Date: Tue, 25 Oct 2016 19:45:09 GMT
x-amz-request-payer: requester
x-amz-content-sha256: XXX
Host: obfuscated.s3.amazonaws.com
x-amz-date: 20161025T194509Z
Authorization: ******************************************************************************************************************************************************************************************************************************************
Connection: Keep-Alive
User-Agent: Cyberduck/5.2.0.21317 (Mac OS X/10.10.5) (x86_64)
HTTP/1.1 403 Forbidden
x-amz-request-id: XXXX
x-amz-id-2: XXXX
Content-Type: application/xml
Transfer-Encoding: chunked
Date: Tue, 25 Oct 2016 19:45:10 GMT
Server: AmazonS3

Change History (9)

comment:1 Changed 22 months ago by dkocher

  • Milestone set to 6.0
  • Resolution set to fixed
  • Status changed from new to closed
  • Version set to 5.1

In r21790. Please update to the latest snapshot build available.

comment:2 follow-up: Changed 22 months ago by paul.christmann

Thank you! Sorry if I missed a bug logging this, I tried searching around, but nothing kicked out. And yes, behavior worked as expected in snapshot build - Version 5.3.0 (21327).

Last edited 22 months ago by paul.christmann (previous) (diff)

comment:3 in reply to: ↑ 2 Changed 22 months ago by dkocher

Replying to paul.christmann:

Thank you! Sorry if I missed a bug logging this, I tried searching around, but nothing kicked out. And yes, behavior worked as expected in snapshot build - Version 5.3.0 (21327).

Thanks for reporting the issue. No duplicate bug was previously raised.

comment:4 Changed 22 months ago by dkocher

  • Milestone changed from 6.0 to 5.2.1

comment:5 Changed 22 months ago by dkocher

  • Summary changed from Unable to download resources with IAM secruity to Unable to download resources with IAM security

comment:6 Changed 22 months ago by dkocher

#9743 closed as duplicate.

comment:7 Changed 22 months ago by dkocher

Please update to the latest snapshot build available.

comment:8 Changed 22 months ago by dkocher

  • Summary changed from Unable to download resources with IAM security to Unable to download resources with IAM security missing s3:GetAccelerateConfiguration permission
Note: See TracTickets for help on using tickets.
swiss made software