Bug #49780
Status: Closed
assumed-role: s3api head-object returns 403 Forbidden, even if role has ListBucket, for non-existent object
Description
I am using 15.2.7 on CentOS 8 and am using awscli.
1. If I access a bucket with the bucket owner credentials, and hence full access, including s3:ListBucket, and execute a head-object on a non-existent object, I get 404 Not Found. This is expected.
2. If I access a bucket as a user without any permissions to the bucket, but first assume a role via sts assume-role that grants me s3:* on the bucket, which includes s3:ListBucket, I get 403 Forbidden. (If the object exists I get the header back.)
On AWS, using the same role and policy (adjusting for usernames and bucket names), if I do #2, I get 404 Not Found, which is what I expect, given that I have s3:ListBucket on that bucket.
According to the AWS documentation at https://docs.aws.amazon.com/cli/latest/reference/s3api/head-object.html , if I have s3:ListBucket, which the role policy gives me, then I should get 404 Not Found if I do head-object on a non-existent object.
Thus this appears to be a bug. I found the following bug from the past that seems similar, but for the bucket owner and/or bucket-attached policies: https://tracker.ceph.com/issues/38638
This is causing our software to not work on Ceph but work fine on AWS.
I have attached a doctored sample policy that has s3:*, originally retrieved via aws s3api get-role-policy.
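The two-step comparison described in the report, as an added reproduction script that is not part of the bug report or of Ceph itself. It assumes an RGW endpoint in RGW_ENDPOINT, a bucket BUCKET owned by the awscli profile "owner", a role ARN ROLE_ARN that an unprivileged profile "user" is allowed to assume and whose policy grants s3:* on the bucket; all of these names are hypothetical placeholders. The helper head_object_status maps awscli's error line ("An error occurred (404) when calling the HeadObject operation: Not Found") to the HTTP status so the owner path and the assumed-role path can be compared mechanically; the live part only runs when the aws CLI is present.

```shell
#!/usr/bin/env bash
# Added reproduction script (not from the bug report or the Ceph tree).
# Hypothetical placeholders: RGW_ENDPOINT, BUCKET, ROLE_ARN, profiles "owner" and "user".
set -u

: "${RGW_ENDPOINT:=http://localhost:8000}"
: "${BUCKET:=testbucket}"
: "${ROLE_ARN:=arn:aws:iam:::role/S3Access}"   # RGW-style role ARN, assumed to exist
MISSING_KEY="does-not-exist-$(date +%s)"

# Map the awscli stderr text of a failed head-object to the HTTP status it reports.
#   "An error occurred (404) when calling the HeadObject operation: Not Found" -> 404
#   "An error occurred (403) when calling the HeadObject operation: Forbidden" -> 403
#   empty string (no error printed, object exists)                            -> 200
head_object_status() {
    local err="$1"
    case "$err" in
        *"(404)"*) echo 404 ;;
        *"(403)"*) echo 403 ;;
        "")        echo 200 ;;
        *)         echo unknown ;;
    esac
}

# head-object on a key that does not exist; extra args (e.g. --profile owner) pass through.
# "2>&1 >/dev/null" captures only stderr, which is where awscli prints the error line.
probe_missing_key() {
    local err
    err=$(aws s3api head-object --endpoint-url "$RGW_ENDPOINT" \
              --bucket "$BUCKET" --key "$MISSING_KEY" "$@" 2>&1 >/dev/null) || true
    head_object_status "$err"
}

run_repro() {
    # Step 1: bucket owner credentials, expecting 404.
    local owner_status role_status creds
    owner_status=$(probe_missing_key --profile owner)

    # Step 2: assume the role as the unprivileged user, export the temporary
    # credentials into the environment, and repeat the same head-object.
    creds=$(aws sts assume-role --endpoint-url "$RGW_ENDPOINT" --profile user \
                --role-arn "$ROLE_ARN" --role-session-name repro \
                --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
                --output text) || { echo "assume-role failed" >&2; return 1; }
    read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<<"$creds"
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    role_status=$(probe_missing_key)

    echo "owner:        $owner_status (expected 404)"
    echo "assumed-role: $role_status (expected 404 with s3:ListBucket; the report sees 403)"
    [ "$role_status" = 404 ]
}

# Only talk to an endpoint when the CLI is actually installed; the helper above
# is usable on its own for checking captured error lines.
if command -v aws >/dev/null 2>&1; then
    run_repro || echo "MISMATCH between owner and assumed-role head-object behaviour" >&2
fi
```

Against AWS both lines should print 404; on the RGW version in the report the assumed-role line prints 403, which is the discrepancy being filed. If the role's policy is narrowed (for example s3:GetObject without s3:ListBucket), 403 on the missing key is the documented behaviour on both platforms, so keep s3:ListBucket in the policy when reproducing.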