[Cyberduck-trac] [Cyberduck] #9322: S3 ACLs can't be changed in third-party buckets (due to incorrect Owner specification?)

Cyberduck trac at trac.cyberduck.io
Tue Mar 1 16:48:37 UTC 2016


#9322: S3 ACLs can't be changed in third-party buckets (due to incorrect Owner
specification?)
------------------------+------------------------------
 Reporter:  bretmartin  |         Owner:  dkocher
     Type:  defect      |        Status:  assigned
 Priority:  normal      |     Milestone:  5.0
Component:  s3          |       Version:  Nightly Build
 Severity:  normal      |    Resolution:
 Keywords:              |  Architecture:
 Platform:              |
------------------------+------------------------------

Comment (by bretmartin):

 I have created bucket `bretmartin-cyberduck-trac-9322` with the following
 bucket policy:
 {{{
 {
   "Version": "2012-10-17",
   "Statement": [
     {
       "Sid": "https://trac.cyberduck.io/ticket/9322",
       "Effect": "Allow",
       "Principal": {
         "AWS": [
           "arn:aws:iam::189584543480:user/TRAC-9322",
           "arn:aws:iam::597082535337:user/bam"
         ]
       },
       "Action": "s3:*",
       "Resource": [
         "arn:aws:s3:::bretmartin-cyberduck-trac-9322",
         "arn:aws:s3:::bretmartin-cyberduck-trac-9322/*"
       ]
     }
   ]
 }
 }}}

 `...:user/bam` is also a third party IAM user from outside the account
 that owns this bucket. Using that user in Cyberduck 5.0 (19065), I did the
 following:
 * connected to S3 specifying path `/bretmartin-cyberduck-trac-9322` (since
 it is outside the account of the connecting IAM user)
 * uploaded `test.txt` successfully
  * this object had a single ACL entry granting `FULL_CONTROL` to the third
 party account (not the bucket owner) -- this is expected
 * '''Command-I > Permissions''' on object `test.txt`, try to add
 `FULL_CONTROL` ACL entry by Amazon Customer Email Address, supply
 `bam at miranda.org` (email address for the bucket owner account)
  * yields error: Cannot change permissions of test.txt. Access Denied.
 Please contact your web hosting service provider for assistance. [ Cancel
 ] [ Try Again ]

 I will run this test again in a moment with debug logging on and supply
 relevant excerpts.

-- 
Ticket URL: <https://trac.cyberduck.io/ticket/9322#comment:5>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows
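
Added example, not part of the ticket and not Cyberduck's code: a sketch of the ACL round trip the comment describes, reading the object's `AccessControlPolicy`, appending an `AmazonCustomerByEmail` grant, and checking that the document to be sent back still names the same `Owner`. That an `Owner` mismatch is what triggers the Access Denied is only the ticket title's hypothesis; the canonical ID and e-mail address used here are constructed placeholders.

```python
import xml.etree.ElementTree as ET

S3_NS = "http://s3.amazonaws.com/doc/2006-03-01/"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XSI_TYPE = f"{{{XSI_NS}}}type"
ET.register_namespace("", S3_NS)
ET.register_namespace("xsi", XSI_NS)

# Constructed GET ?acl response for the uploaded object; IDs are placeholders.
CURRENT_ACL = f"""<AccessControlPolicy xmlns="{S3_NS}">
  <Owner><ID>UPLOADER-CANONICAL-ID</ID></Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="{XSI_NS}" xsi:type="CanonicalUser">
        <ID>UPLOADER-CANONICAL-ID</ID>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>"""

def q(tag):
    """Qualify a tag name with the S3 namespace."""
    return f"{{{S3_NS}}}{tag}"

def owner_id(acl_xml):
    return ET.fromstring(acl_xml).findtext(f"{q('Owner')}/{q('ID')}")

def grants(acl_xml):
    """Return (grantee type, identifier, permission) for every Grant."""
    out = []
    for g in ET.fromstring(acl_xml).iter(q("Grant")):
        who = g.find(q("Grantee"))
        ident = who.findtext(q("ID")) or who.findtext(q("EmailAddress"))
        out.append((who.get(XSI_TYPE), ident, g.findtext(q("Permission"))))
    return out

def add_email_grant(acl_xml, email, permission):
    """Append an AmazonCustomerByEmail grant; Owner and old grants stay as read."""
    root = ET.fromstring(acl_xml)
    grant = ET.SubElement(root.find(q("AccessControlList")), q("Grant"))
    who = ET.SubElement(grant, q("Grantee"), {XSI_TYPE: "AmazonCustomerByEmail"})
    ET.SubElement(who, q("EmailAddress")).text = email
    ET.SubElement(grant, q("Permission")).text = permission
    return ET.tostring(root, encoding="unicode")

def owner_unchanged(before_xml, after_xml):
    """Assumed check (ticket title's hypothesis): PUT body keeps the object's Owner."""
    return owner_id(before_xml) == owner_id(after_xml)
```

Comparing `owner_id()` of the fetched ACL with that of the body a client is about to send shows quickly whether the client substituted a different owner, such as the bucket owner or the connecting account.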

