[Cyberduck-trac] [Cyberduck] #9322: S3 ACLs can't be changed in third-party buckets (due to incorrect Owner specification?)
Cyberduck
trac at trac.cyberduck.io
Mon Feb 29 21:07:58 UTC 2016
#9322: S3 ACLs can't be changed in third-party buckets (due to incorrect Owner
specification?)
---------------------------+---------------------------
Reporter: bretmartin | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: core | Version: Nightly Build
Severity: normal | Keywords:
Architecture: | Platform:
---------------------------+---------------------------
Hello/Grüezi,
Thank you for your work on Cyberduck. We have found it useful at my
workplace as an S3 transfer client for external collaborators.
When working with a bucket that we own, providing access to a third party
using an IAM user in their account, we've found that the third party IAM
user is unable to change ACLs on objects in our bucket, yielding this
error:
''Cannot change permissions of Creating an AWS IAM user to share data with
H3 Biomedicine via Amazon S3.pdf.
Access Denied. Please contact your web hosting service provider for
assistance.''
even though their IAM policy and our bucket policy both permit the ACL
change. With the same third party IAM credentials, these ACL changes are
possible using the AWS CLI.
By turning on Cyberduck debug logging, I found that the ACL change request
included the canonical ID of the third party account in the <Owner>
element of the access control policy. However, the owner of the object is
our account, not the third party account. I believe this is the reason for
the "Access Denied" error from S3 and the difference in behavior from the
AWS CLI.
I found this behavior to be the same under 4.6.5, 4.8.2, and 5.0 (19065).
Please let me know if I can provide any additional information or
facilitate testing (for example, if you need a third party S3 bucket to
test with).
Thanks,
--Bret
--
Ticket URL: <https://trac.cyberduck.io/ticket/9322>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows
More information about the Cyberduck-trac
mailing list