Bug #47809
closedCannot perform server-side copy using STS credentials
100%
Description
When having obtained temporary credentials using STS (AssumeRole), I can use these temp credentials to copy files from local machine to ceph and vice versa, but I cannot copy files within a bucket (server-side copy). When attempting the same server-side copy operation using the permanent credentials which were used in calling the AssumeRole command, it succeeds.
The AssumeRolePolicy document of the role is:
{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam:::user/129-9bef358e31a44f85b8a84880c459def9\"},\"Action\":\"sts:AssumeRole\"}]}
The permission policy attached to the role is (I've made this as permissive as possible to try to fix the problem without success):
{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:*\"],\"Resource\":\"arn:aws:s3:::*\"}}
The request and response when attempting the server-side copy are shown here:
2020/09/23 16:26:49 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2020/09/23 16:26:49 DEBUG : HTTP REQUEST (req 0xc0006e8200)
2020/09/23 16:26:49 DEBUG : PUT /129-73b1a5466f424d33b39d5b616fb39166/134/18/68copy/home/test/Documents/Testing/rsyncTestingB/test1/loadings/test1.txt HTTP/1.1
Host: redacted
User-Agent: rclone/v1.52.2-232-gff843516-beta
Content-Length: 0
Authorization: XXXX
X-Amz-Acl: private
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Copy-Source: 129-73b1a5466f424d33b39d5b616fb39166/134/18/68/home/test/Documents/Testing/rsyncTestingB/test1/loadings/test1.txt
X-Amz-Date: 20200923T142649Z
X-Amz-Metadata-Directive: COPY
X-Amz-Security-Token: redacted=
Accept-Encoding: gzip
2020/09/23 16:26:49 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2020/09/23 16:26:49 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2020/09/23 16:26:49 DEBUG : HTTP RESPONSE (req 0xc0006e8200)
2020/09/23 16:26:49 DEBUG : HTTP/2.0 403 Forbidden
Content-Length: 250
Accept-Ranges: bytes
Content-Type: application/xml
Date: Wed, 23 Sep 2020 14:26:49 GMT
X-Amz-Request-Id: tx0000000000000000001de-005f6b5b29-442aa9-default
<Error><Code>AccessDenied</Code><BucketName>129-73b1a5466f424d33b39d5b616fb39166</BucketName><RequestId>tx0000000000000000001de-005f6b5b29-442aa9-default</RequestId><HostId>442aa9-default-default</HostId></Error>
2020/09/23 16:26:49 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
In case it helps, as can be seen in the request, I am using rclone for doing the actual transfer.
Updated by Pritha Srivastava over 3 years ago
Hi Christoph,
Is it possible for you to provide logs from RGW?
Thanks,
Pritha
Updated by Christoph Tonsing over 3 years ago
Hi Pritha,
yes, I think I should be able to. If you could just provide some guidance regarding which logs you'd like to see and where I should be able to find them. I am not too familiar with this...
It should be there in /var/log/ceph and with the file name radosgw.log or rgw.log. But if you do not have debug log level set to 20 for rgw, then it wont help me. I'll try to reproduce it at my end.
Thanks,
Pritha
Updated by Pritha Srivastava over 3 years ago
- Pull request ID set to 37866
Updated by Pritha Srivastava over 3 years ago
- Status changed from New to In Progress
- Backport set to octopus
Updated by Christoph Tonsing over 3 years ago
Christoph Tonsing wrote:
Hi Pritha,
yes, I think I should be able to. If you could just provide some guidance regarding which logs you'd like to see and where I should be able to find them. I am not too familiar with this...
It should be there in /var/log/ceph and with the file name radosgw.log or rgw.log. But if you do not have debug log level set to 20 for rgw, then it wont help me. I'll try to reproduce it at my end.
Thanks,
Pritha
Sorry Pritha, I never saw that you responded on my question as I didn't get any notification... I'm glad it seems you've managed to find the problem in the meantime!
Updated by Matt Benjamin almost 3 years ago
- Status changed from In Progress to Pending Backport
Updated by Backport Bot almost 3 years ago
- Copied to Backport #51442: octopus: Cannot perform server-side copy using STS credentials added
Updated by Pritha Srivastava over 2 years ago
- Backport changed from octopus to octopus pacific
Updated by Backport Bot over 2 years ago
- Copied to Backport #52783: pacific: Cannot perform server-side copy using STS credentials added
Updated by Casey Bodley over 2 years ago
- Has duplicate Bug #52608: aws s3 sync does not work with sts roles, but works fine with AWS added
Updated by Casey Bodley over 2 years ago
- Related to Bug #53178: Using STS roles, I cannot move an object wtihin a bucket that I have full access to in the role added
Updated by Konstantin Shalygin about 1 year ago
- Status changed from Pending Backport to Resolved
- % Done changed from 0 to 100