Bug #49780 (closed)
assumed-role: s3api head-object returns 403 Forbidden, even if role has ListBucket, for non-existent object
Description
I am using 15.2.7 on CentOS 8, and am using awscli.
1. If I access a bucket with the bucket owner credentials, and hence full access, including s3:ListBucket, and execute a head-object on a non-existent object, I get 404 Not Found. This is expected
2. If I access a bucket as a user without any permissions to the bucket, but first assuming a role via (sts assume-role) that grants me s3:* on the bucket, which includes s3:ListBucket, I get 403 Forbidden. (If the object exists I get the header back).
On AWS, using the same role and policy (adjusting for usernames and bucket names), if I do #2, I get 404 Not Found, which is what I expect, given that I have s3:ListBucket on that bucket.
According to the AWS documentation at https://docs.aws.amazon.com/cli/latest/reference/s3api/head-object.html, if I have s3:ListBucket, which the role policy gives me, then I should get 404 Not Found if I do head-object on a non-existent object.
Thus this appears to be a bug. I found the following bug from the past that seems similar but for the bucket owner and/or bucket attached policies: https://tracker.ceph.com/issues/38638
This is causing our software to not work on Ceph but fine on AWS.
I have attached a doctored sample policy that has s3:*, originally retrieved via aws s3api get-role-policy.
Updated by Chris Durham about 3 years ago
Note: I also just tried (on Ceph),
aws s3 cp s3://bucket/non-existent-file.txt non-existent-file.txt
after assuming the role.
I get a 403 Forbidden, as apparently the 'cp' command does head-object first. As such (with s3:ListBucket implied by s3:*), I would expect a 404 Not Found.
Updated by Casey Bodley about 3 years ago
- Assignee set to Pritha Srivastava
- Tags set to role
Updated by Casey Bodley about 3 years ago
- Status changed from New to Fix Under Review
- Assignee deleted (Pritha Srivastava)
- Backport set to pacific octopus nautilus
- Pull request ID set to 40631
Updated by Casey Bodley almost 3 years ago
- Status changed from Fix Under Review to Pending Backport
Updated by Backport Bot almost 3 years ago
- Copied to Backport #50640: octopus: assumed-role: s3api head-object returns 403 Forbidden, even if role has ListBucket, for non-existent object added
Updated by Backport Bot almost 3 years ago
- Copied to Backport #50641: nautilus: assumed-role: s3api head-object returns 403 Forbidden, even if role has ListBucket, for non-existent object added
Updated by Backport Bot almost 3 years ago
- Copied to Backport #50642: pacific: assumed-role: s3api head-object returns 403 Forbidden, even if role has ListBucket, for non-existent object added
Updated by hoan nv almost 3 years ago
Hi all.
PR https://github.com/ceph/s3-tests/pull/389 has role-policy
role_policy = '{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":["s3:GetObject","s3:ListBucket"],"Principal":"*","Resource":"arn:aws:s3:::*"}}'
I patched ceph 14.2.21 and tested role-policy :
role_policy = '{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":["s3:GetObject","s3:ListBucket"],"Resource":["arn:aws:s3:::bucket-1","arn:aws:s3:::bucket-1/*"]}}'
It is not working.
I changed role-policy to :
role_policy = '{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":["s3:GetObject","s3:ListBucket"],"Principal":"*","Resource":["arn:aws:s3:::bucket-1","arn:aws:s3:::bucket-1/*"]}}'
It works.
Why must "Principal":"*" be included in the policy?
Thanks.
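To make the expected behaviour in the description and in the two role policies above concrete, here is an added example that is not part of the tracker thread and not Ceph or AWS code. It is a small model of IAM identity-policy evaluation (Allow/Deny with wildcard matching, no Condition or NotAction support, Principal ignored because a role's permission policy is an identity policy) and applies the rule the AWS HeadObject documentation describes: a missing key yields 404 only when s3:ListBucket is allowed on the bucket ARN, otherwise 403, so the response does not reveal whether the key exists. The first two policies are the ones hoan nv posted; the third (ROLE_POLICY_OBJECTS_ONLY) and the lint helper are constructed to show the one case where a 403 on a missing key is correct even on AWS: object-level grants without the bucket ARN in Resource.

```python
import fnmatch
import json
from typing import Any, List

# Constructed policy documents. The first two are the role policies posted in
# the thread; the third is a constructed variant that grants object-level
# permissions but omits the bucket ARN itself.
ROLE_POLICY_NO_PRINCIPAL = json.loads(
    '{"Version":"2012-10-17","Statement":{"Effect":"Allow",'
    '"Action":["s3:GetObject","s3:ListBucket"],'
    '"Resource":["arn:aws:s3:::bucket-1","arn:aws:s3:::bucket-1/*"]}}'
)
ROLE_POLICY_WITH_PRINCIPAL = json.loads(
    '{"Version":"2012-10-17","Statement":{"Effect":"Allow",'
    '"Action":["s3:GetObject","s3:ListBucket"],"Principal":"*",'
    '"Resource":["arn:aws:s3:::bucket-1","arn:aws:s3:::bucket-1/*"]}}'
)
ROLE_POLICY_OBJECTS_ONLY = json.loads(
    '{"Version":"2012-10-17","Statement":{"Effect":"Allow",'
    '"Action":["s3:GetObject","s3:ListBucket"],'
    '"Resource":"arn:aws:s3:::bucket-1/*"}}'
)


def _as_list(value: Any) -> list:
    # IAM lets single-valued elements appear as a bare string or a list.
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    # IAM wildcards: '*' matches any run of characters (including '/' and ':'),
    # '?' exactly one. Actions compare case-insensitively; ARNs are lowered too
    # here for simplicity (bucket names are lowercase in practice).
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def evaluate(policy: dict, action: str, resource_arn: str) -> str:
    """Return 'allow', 'deny' (explicit) or 'implicit_deny' for one request.

    Simplified identity-policy evaluation: an explicit Deny wins over any Allow
    and anything not allowed is implicitly denied. A Principal element, if
    present, is ignored, as it is for a role's inline permission policy.
    """
    decision = "implicit_deny"
    for stmt in _as_list(policy["Statement"]):
        action_hit = any(_matches(a, action) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(r, resource_arn) for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return "deny"
        if stmt.get("Effect") == "Allow":
            decision = "allow"
    return decision


def expected_head_object_status(policy: dict, bucket: str, key: str, key_exists: bool) -> int:
    """HTTP status a HeadObject caller should see under the documented AWS rule:
    404 for a missing key only when s3:ListBucket is allowed on the bucket ARN,
    otherwise 403, so the status does not leak whether the key exists."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/{key}"
    if key_exists:
        return 200 if evaluate(policy, "s3:GetObject", object_arn) == "allow" else 403
    return 404 if evaluate(policy, "s3:ListBucket", bucket_arn) == "allow" else 403


def lint_list_bucket(policy: dict, bucket: str) -> List[str]:
    """Flag the misconfiguration that makes a missing-key HeadObject return 403
    even on AWS: object-level grants without s3:ListBucket on the bucket ARN."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    if (evaluate(policy, "s3:GetObject", f"{bucket_arn}/probe") == "allow"
            and evaluate(policy, "s3:ListBucket", bucket_arn) != "allow"):
        findings.append(f"s3:ListBucket is not allowed on {bucket_arn}; "
                        "HeadObject on a missing key will return 403, not 404")
    return findings


if __name__ == "__main__":
    for name, pol in [("no Principal", ROLE_POLICY_NO_PRINCIPAL),
                      ("with Principal", ROLE_POLICY_WITH_PRINCIPAL),
                      ("objects only", ROLE_POLICY_OBJECTS_ONLY)]:
        status = expected_head_object_status(pol, "bucket-1", "missing.txt", key_exists=False)
        print(f"{name:15s} -> HEAD missing key: {status}  {lint_list_bucket(pol, 'bucket-1')}")
```

Under these semantics the two policies from the thread evaluate identically, which is the AWS behaviour Chris Durham reports (no Principal needed); the Ceph difference was a radosgw bug, not a policy-language requirement. The lint helper is the check to run on a role policy before concluding that a 403 on a missing key is a server bug: if the bucket ARN itself is missing from Resource, 403 is the correct answer everywhere.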
Updated by Chris Durham over 2 years ago
I tested this on octopus 15.2.14. Without Principal: "*" in the role policy, I still get a 403 when trying to access an object that doesn't exist after assuming a role with the proper s3 permissions.
If I add Principal: "*", I get a 404, which is what I would expect for a non-existent object after assuming the role.
On pacific, 16.2.5, I still get a 403 on a non-existent object whether Principal is in the role policy or not... I expect a 404.
On AWS I DO NOT have to add the Principal: "*" to get this to work!
Updated by Chris Durham over 2 years ago
OK, I see from https://tracker.ceph.com/issues/50642 that this is scheduled for pacific 16.2.6. But the difference with AWS above remains. Thanks.
Updated by Backport Bot over 1 year ago
- Tags changed from role to role backport_processed
Updated by Konstantin Shalygin over 1 year ago
- Status changed from Pending Backport to Resolved