[Cyberduck-trac] [Cyberduck] #9322: S3 ACLs can't be changed in third-party buckets (due to incorrect Owner specification?)

Cyberduck trac at trac.cyberduck.io
Mon Feb 29 21:07:58 UTC 2016

#9322: S3 ACLs can't be changed in third-party buckets (due to incorrect Owner
    Reporter:  bretmartin  |      Owner:
        Type:  defect      |     Status:  new
    Priority:  normal      |  Milestone:
   Component:  core        |    Version:  Nightly Build
    Severity:  normal      |   Keywords:
Architecture:              |   Platform:

 Thank you for your work on Cyberduck. We have found it useful at my
 workplace as an S3 transfer client for external collaborators.

 When working with a bucket that we own, providing access to a third party
 using an IAM user in their account, we've found that the third party IAM
 user is unable to change ACLs on objects in our bucket, yielding this

 ''Cannot change permissions of Creating an AWS IAM user to share data with
 H3 Biomedicine via Amazon S3.pdf.
 Access Denied. Please contact your web hosting service provider for

 even though their IAM policy and our bucket policy both permit the ACL
 change. With the same third party IAM credentials, these ACL changes are
 possible using the AWS CLI.

 By turning on Cyberduck debug logging, I found that the ACL change request
 included the canonical ID of the third party account in the <Owner>
 element of the access control policy. However, the owner of the object is
 our account, not the third party account. I believe this is the reason for
 the "Access Denied" error from S3 and the difference in behavior from the

 I found this behavior to be the same under 4.6.5, 4.8.2, and 5.0 (19065).

 Please let me know if I can provide any additional information or
 facilitate testing (for example, if you need a third party S3 bucket to
 test with).



Ticket URL: <https://trac.cyberduck.io/ticket/9322>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows

More information about the Cyberduck-trac mailing list