[Cyberduck-trac] [Cyberduck] #6952: S3 restricted folder access denied permissions
Cyberduck
trac at trac.cyberduck.io
Tue Mar 24 20:36:03 UTC 2015
#6952: S3 restricted folder access denied permissions
---------------------------+-------------------------
Reporter: detail | Owner: dkocher
Type: defect | Status: reopened
Priority: normal | Milestone:
Component: s3 | Version: 4.2.1
Severity: normal | Resolution:
Keywords: | Architecture: Intel
Platform: Mac OS X 10.7 |
---------------------------+-------------------------
Comment (by max@…):
Here's what my policy looks like:
{{{
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my-bucket-name",
      "Condition": {
        "StringLike": {
          "s3:prefix": "path/to/folder/"
        }
      }
    },
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my-bucket-name/path/to/folder/*"
    }
  ]
}
}}}
The first statement allows bucket actions on {{{folder}}} and the second
statement allows object actions on {{{folder}}}. The result is that users
with this policy can only read/write/list one directory in
{{{my-bucket-name}}}.
Using Cyberduck, I click "Open Connection", enter my Access Key ID and
Secret Access Key, and in "More Options", enter the path to the directory:
{{{my-bucket-name/path/to/folder}}}. When I click "Connect", I get an
error:
Listing directory folder failed.[[br]]
Access Denied: Please contact your web hosting service provider for
assistance.
My best guess is that Cyberduck attempts to list the entire bucket (as
opposed to the one directory) and fails (since listing is restricted to
using that prefix).
--
Ticket URL: <https://trac.cyberduck.io/ticket/6952#comment:5>
Cyberduck <http://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows
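
Added example, not part of the original comment and not Cyberduck's or AWS's code: a simplified evaluator for the policy quoted above, showing which bucket and object requests it admits. It models only Allow statements with StringLike conditions (no explicit Deny, case-sensitive matching); the helper names and the request set are constructed for illustration.

```python
import re

# Policy from the ticket comment, as a Python dict.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": "s3:*", "Effect": "Allow",
     "Resource": "arn:aws:s3:::my-bucket-name",
     "Condition": {"StringLike": {"s3:prefix": "path/to/folder/"}}},
    {"Action": "s3:*", "Effect": "Allow",
     "Resource": "arn:aws:s3:::my-bucket-name/path/to/folder/*"},
]}
BUCKET = "arn:aws:s3:::my-bucket-name"

def _like(pattern, value):
    # '*' matches any run of characters, '?' exactly one; all else is literal.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.S) is not None

def _conditions_hold(cond, context):
    for op, keys in cond.items():
        if op != "StringLike":
            raise ValueError("simplified model: only StringLike is handled")
        for key, patterns in keys.items():
            if key not in context:  # an absent key does not satisfy StringLike
                return False
            pats = [patterns] if isinstance(patterns, str) else patterns
            if not any(_like(p, context[key]) for p in pats):
                return False
    return True

def is_allowed(policy, action, resource, context=None):
    # Default deny: True only when one Allow statement matches fully.
    return any(st["Effect"] == "Allow"
               and _like(st["Action"], action)
               and _like(st["Resource"], resource)
               and _conditions_hold(st.get("Condition", {}), context or {})
               for st in policy["Statement"])

def demo():
    ls = lambda ctx: is_allowed(POLICY, "s3:ListBucket", BUCKET, ctx)
    return {  # constructed requests -> decision under POLICY
        "list, no prefix key": ls({}),
        "list, prefix=''": ls({"s3:prefix": ""}),
        "list, prefix=path/to/folder/": ls({"s3:prefix": "path/to/folder/"}),
        "list, prefix=path/to/folder/sub/": ls({"s3:prefix": "path/to/folder/sub/"}),
        "bucket location (no prefix key)": is_allowed(POLICY, "s3:GetBucketLocation", BUCKET),
        "get object in folder": is_allowed(POLICY, "s3:GetObject", BUCKET + "/path/to/folder/a.txt"),
    }

if __name__ == "__main__":
    for label, ok in demo().items(): print(f"{ok!s:5}  {label}")
```

In this model a listing is allowed only when the request's prefix is exactly `path/to/folder/`; the condition value has no trailing `*`, so a sub-prefix is not matched, and any bucket-level request that carries no `s3:prefix` key falls through to the default deny.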