[Cyberduck-trac] [Cyberduck] #9741: Unable to download resources with IAM secruity

Cyberduck trac at trac.cyberduck.io
Tue Oct 25 20:14:53 UTC 2016 

#9741: Unable to download resources with IAM secruity
--------------------------------+----------------------------
    Reporter:  paul.christmann  |      Owner:
        Type:  defect           |     Status:  new
    Priority:  normal           |  Milestone:
   Component:  s3               |    Version:
    Severity:  blocker          |   Keywords:
Architecture:                   |   Platform:  Mac OS X 10.10
--------------------------------+----------------------------
 After upgrading to 5.2.0.21327 build, I was unable to download resources
 secured by IAM policies (though I was able to list objects as expected).

 I reverted to build 5.1.3.20962 and the downloads worked correctly.  I
 also verified the ability to download via command line tools.

 We use IAM policies to secure access to resources by prefix within our
 buckets.  For example, we have a policy like this:
 {{{
 {
     "Version": "2012-10-17",
     "Statement": [
         {
             "Action": [ "s3:ListBucket"],
             "Effect": "Allow",
             "Resource": ["arn:aws:s3:::obfuscated"],
             "Condition": { "StringLike": { "s3:prefix":
 ["more/obfuscation/*"]}}
         },
         {
             "Effect": "Allow",
             "Action": ["s3:*"],
             "Resource": ["arn:aws:s3:::obfuscated/more/obfuscation/*"]
         }
     ]
 }
 }}}

 What I end up seeing in the logs suggests it might be the acceleration
 support added in this build:
 {{{
 GET /?accelerate HTTP/1.1
 Date: Tue, 25 Oct 2016 19:45:09 GMT
 x-amz-request-payer: requester
 x-amz-content-sha256: XXX
 Host: obfuscated.s3.amazonaws.com
 x-amz-date: 20161025T194509Z
 Authorization:
 ******************************************************************************************************************************************************************************************************************************************
 Connection: Keep-Alive
 User-Agent: Cyberduck/5.2.0.21317 (Mac OS X/10.10.5) (x86_64)
 HTTP/1.1 403 Forbidden
 x-amz-request-id: XXXX
 x-amz-id-2: XXXX
 Content-Type: application/xml
 Transfer-Encoding: chunked
 Date: Tue, 25 Oct 2016 19:45:10 GMT
 Server: AmazonS3
 }}}

--
Ticket URL: <https://trac.cyberduck.io/ticket/9741>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows

More information about the Cyberduck-trac mailing list