[Cyberduck-trac] [Cyberduck] #10488: Cyberduck ignores S3 upload encryption policy when creating a Cryptomator Vault. User unable to create vault in bucket requiring `"s3:x-amz-server-side-encryption": "AES256"`
Cyberduck
trac at cyberduck.io
Sun Oct 7 19:34:22 UTC 2018
-----------------------------+----------------------
  Reporter:  a.cyberduc.user  |  Owner:
      Type:  defect           |  Status:  new
  Priority:  normal           |  Milestone:
 Component:  s3               |  Version:  6.8.0
  Severity:  normal           |  Resolution:
  Keywords:                   |  Architecture:
  Platform:  macOS 10.14      |
-----------------------------+----------------------
Description changed by a.cyberduc.user:
New description:
Hi there. It took a bit of testing to narrow this one down, but I believe
you will be able to reproduce this issue pretty easily.
Me:
macOS 10.14 (18A391)
Cyberduck 6.7.0 (28613)
The issue:
I have an AWS user with Administrator privileges.
This user can create and upload files at will via either the AWS Web UI or
CyberDuck.
This user is not able to create a new Cryptomator vault, using Cyberduck.
How to reproduce:
0. make sure the S3 > Encryption setting is set to `SSE-S3 (AES 256)` in
CyberDuck settings
1. create an IAM user with the Administrator policy (specified below)
2. create a S3 bucket with the Bucket Policy (also, below)
3. configure Cyberduck to connect to the bucket with the user key/secret
from step 1
4. attempt to create a folder in bucket; this should work
5. attempt to create a new encrypted vault; this should fail.
Here's the bucket policy I am using. `MY_BUCKET_NAME` replaces the
actual bucket name.
```
{
  "Version": "2012-10-17",
  "Id": "force encrypt at rest for date",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::MY_BUCKET_NAME/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    },
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::MY_BUCKET_NAME/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}
```
Here's the User policy I am using; this is akin to root level access.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
```
Here's the Log from Cyberduck when connecting to the S3 bookmark with the
Admin account detailed above. I am browsing a few directories deep to the
location where I would like to create the Cryptomator vault:
```
GET / HTTP/1.1
Date: Sun, 07 Oct 2018 19:17:08 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: s3.amazonaws.com
x-amz-date: 20181007T191708Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: 97ExqV0ZxTT3738rfjrj11aao9WfkncVQHeeplQ+dIjXKi0T7lEld0TMynLnmiivt0GV6ljAwwc=
x-amz-request-id: 21444FBD145A6CEF
Date: Sun, 07 Oct 2018 19:17:09 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3

GET / HTTP/1.1
Date: Sun, 07 Oct 2018 19:17:08 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: s3.amazonaws.com
x-amz-date: 20181007T191708Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: JnA/A9g9exOhYkmcaUXZ9KvSF1KkLqw7yYTjyetrv3R/uONMSF2pC4Hx2HpCXf4N5yDOBXA1no4=
x-amz-request-id: 3ECF6D6D85C38D47
Date: Sun, 07 Oct 2018 19:17:09 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3

GET / HTTP/1.1
Date: Sun, 07 Oct 2018 19:17:08 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: s3.amazonaws.com
x-amz-date: 20181007T191708Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: VC8tDFXQmPoePQ8mqJGd8HEg8IYT81qEJ/Wbi8yZRfM/r3yAJN1j1XKUe4wXKniFJ53YBjYX8JE=
x-amz-request-id: EFC47358A535E5C9
Date: Sun, 07 Oct 2018 19:17:09 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3

GET /?location HTTP/1.1
Date: Sun, 07 Oct 2018 19:17:09 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: MY_BUCKET_NAME.s3.amazonaws.com
x-amz-date: 20181007T191709Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
HTTP/1.1 400 Bad Request
x-amz-request-id: 52BB6CC9CE3AC892
x-amz-id-2: vYqxkFHosnfruN2rgqueimgCRGJa6kbqWujJms4SAWPlKGVLx3zSORRnU/3njjU9xOkmyjD6Wzk=
Content-Type: application/xml
Transfer-Encoding: chunked
Date: Sun, 07 Oct 2018 19:17:08 GMT
Connection: close
Server: AmazonS3

GET /?location HTTP/1.1
Date: Sun, 07 Oct 2018 19:17:09 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: MY_BUCKET_NAME.s3.amazonaws.com
x-amz-date: 20181007T191709Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: cpVbjy2IVm0bBBpE6f0kBdSd5rZICREAINp4q1h6Xe0KYpRrirdiyuJanbhwCBnebAUDBdwU5ck=
x-amz-request-id: 0D441CA5B15F5A06
Date: Sun, 07 Oct 2018 19:17:10 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3

GET /?versioning HTTP/1.1
Date: Sun, 07 Oct 2018 19:17:39 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: MY_BUCKET_NAME.s3.amazonaws.com
x-amz-date: 20181007T191739Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: NgI8pq3aIfcB8E9J/uYQB7b7s/ShEpN5vCtxqNRVxxknCtY5J/DhlgxYCiHrmLwWhXSy70TOhQ0=
x-amz-request-id: 3E745C0AA14E068C
Date: Sun, 07 Oct 2018 19:17:40 GMT
Transfer-Encoding: chunked
Server: AmazonS3

GET /?max-keys=1000&versions&prefix&delimiter=%2F HTTP/1.1
Date: Sun, 07 Oct 2018 19:17:39 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: MY_BUCKET_NAME.s3.amazonaws.com
x-amz-date: 20181007T191739Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: LDOQYBUQ6Sf0upXWEw50XjGajrxBp9P8WhnK06A3rwjYpxQjoonA9/8zBbh1wc2ARpzmJ6nAbB0=
x-amz-request-id: 1013309AC1494B4A
Date: Sun, 07 Oct 2018 19:17:40 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3

GET /?uploads HTTP/1.1
Date: Sun, 07 Oct 2018 19:17:39 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: MY_BUCKET_NAME.s3.amazonaws.com
x-amz-date: 20181007T191739Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: 25hm9HLudZxuLsQa7TYRQvudTQ7jfBpyJhdozM7elEa7Z5DSrB2A1nvGTH1DuJgc+7mV0xR3MAg=
x-amz-request-id: 8FE7B857AF907F57
Date: Sun, 07 Oct 2018 19:17:40 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3

GET /?max-keys=1000&versions&prefix=MY_BUCKET_PREFIX%2F&delimiter=%2F HTTP/1.1
Date: Sun, 07 Oct 2018 19:17:42 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: MY_BUCKET_NAME.s3.amazonaws.com
x-amz-date: 20181007T191742Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: EqKTKvsUoGrGyMblZblrP+J1e4Hwyb4D+2ranblNBXpXXGTUTQNMvJMCKe00/P9q2Umiu6ZB3Mk=
x-amz-request-id: DE75085D8F1512AC
Date: Sun, 07 Oct 2018 19:17:43 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3

GET /?prefix=MY_BUCKET_PREFIX%2F&uploads HTTP/1.1
Date: Sun, 07 Oct 2018 19:17:42 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: MY_BUCKET_NAME.s3.amazonaws.com
x-amz-date: 20181007T191742Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: Ukr6HK9nJb0XB0Axc/q0FwqvXipt1RA7d7HvR9vneairun8UTBoZI1UiUp2VFL9hDYGCIlA9meA=
x-amz-request-id: 7DED0B45902B7187
Date: Sun, 07 Oct 2018 19:17:43 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3
```
And here's me trying to create a `test-folder`. This action succeeds.
```
PUT /MY_BUCKET_PREFIX/test-folder/ HTTP/1.1
Date: Sun, 07 Oct 2018 19:18:54 GMT
Expect: 100-continue
Content-Type: application/x-directory
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-server-side-encryption: AES256
Host: MY_BUCKET_NAME.s3.amazonaws.com
x-amz-date: 20181007T191854Z
Authorization: ********
Content-Length: 0
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: r61qLybeBa7YE1IVtwaTTha5af6zK2NVhQXF/pB1fTJ47VALfz5SK5LTEID8qm7lh9Pom3usfVI=
x-amz-request-id: B95A0EB56F13EE9C
Date: Sun, 07 Oct 2018 19:18:55 GMT
x-amz-server-side-encryption: AES256
ETag: "d41d8cd98f00b204e9800998ecf8427e"
Content-Length: 0
Server: AmazonS3

GET /?max-keys=1000&versions&prefix=MY_BUCKET_PREFIX%2F&delimiter=%2F HTTP/1.1
Date: Sun, 07 Oct 2018 19:18:55 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: MY_BUCKET_NAME.s3.amazonaws.com
x-amz-date: 20181007T191855Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: TzzkuOrStHg1L7L/GA7z6ASRbcGTyuDnlgYm4Xn31tQIBZweIGlPNyZDnS1RfC5PZ9e6Zrzy6E4=
x-amz-request-id: 8671AE55F534C81C
Date: Sun, 07 Oct 2018 19:18:56 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3

GET /?prefix=MY_BUCKET_PREFIX%2F&uploads HTTP/1.1
Date: Sun, 07 Oct 2018 19:18:55 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: MY_BUCKET_NAME.s3.amazonaws.com
x-amz-date: 20181007T191855Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: cQM2bEUrwyxpDe4/F0Br5I9iCoHVaiKt9uwTIvB6VPioIQO2O58ZRBPuhIDaDq/ScoJNkWtPn/0=
x-amz-request-id: B9B127003293E008
Date: Sun, 07 Oct 2018 19:18:56 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3
```
And here's the log from trying to create a `test-vault`. I get this error
in Cyberduck:
```
Upload test-vault failed.
Access Denied. Please contact your web hosting service provider for assistance.
```
And here's the connection log. I clicked `try again` once before clicking
cancel:
```
PUT /MY_BUCKET_PREFIX/test-vault/ HTTP/1.1
Date: Sun, 07 Oct 2018 19:19:38 GMT
Expect: 100-continue
Content-Type: application/x-directory
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: MY_BUCKET_NAME.s3.amazonaws.com
x-amz-date: 20181007T191938Z
Authorization: ********
Content-Length: 0
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)

PUT /MY_BUCKET_PREFIX/test-vault/ HTTP/1.1
Date: Sun, 07 Oct 2018 19:20:18 GMT
Expect: 100-continue
Content-Type: application/x-directory
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: MY_BUCKET_NAME.s3.amazonaws.com
x-amz-date: 20181007T192018Z
Authorization: ********
Content-Length: 0
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)

GET /?max-keys=1000&versions&prefix=MY_BUCKET_PREFIX%2F&delimiter=%2F HTTP/1.1
Date: Sun, 07 Oct 2018 19:20:20 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: MY_BUCKET_NAME.s3.amazonaws.com
x-amz-date: 20181007T192020Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: MkFr74BriPUXzjLVe9jwyyAJ+02odaOLCiUbCGPIYrjiU89rZCZBAwJB157vp462bUVWQo4/l+M=
x-amz-request-id: 9A3EBDB60F0255CB
Date: Sun, 07 Oct 2018 19:20:21 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3

GET /?prefix=MY_BUCKET_PREFIX%2F&uploads HTTP/1.1
Date: Sun, 07 Oct 2018 19:20:20 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: MY_BUCKET_NAME.s3.amazonaws.com
x-amz-date: 20181007T192020Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.14) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: IsBWnSdi/uuzk/UNzZWM0iGLOWOv1OPSho2l9fRLb8NOzPuToba253FgK9CibO/ST0Hp3f6MFT4=
x-amz-request-id: 76375E460D298CED
Date: Sun, 07 Oct 2018 19:20:21 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3
```
There is nothing particularly useful in `console.app` even after turning
Cyberduck debugging mode on:
```
default 12:19:28.792415 -0700 Cyberduck 27366555: RECEIVED OUT-OF-SEQUENCE NOTIFICATION: 307 vs 532, 512, <private>
default 12:20:09.333915 -0700 Cyberduck 27366555: RECEIVED OUT-OF-SEQUENCE NOTIFICATION: 309 vs 536, 512, <private>
default 12:20:15.921380 -0700 Cyberduck 27366555: RECEIVED OUT-OF-SEQUENCE NOTIFICATION: 311 vs 540, 512, <private>
default 12:20:22.104317 -0700 Cyberduck Requesting sharingServicesForItems:<private> mask:6
default 12:20:22.104550 -0700 Cyberduck filteredItemsFromItems:<private> [2057]--> <private>
default 12:20:22.105861 -0700 Cyberduck Discover <private>
default 12:20:22.123759 -0700 Cyberduck discovery complete: 3 plugins
default 12:20:22.124437 -0700 Cyberduck Discover done
default 12:20:22.124644 -0700 Cyberduck Discover <private>
default 12:20:22.144425 -0700 Cyberduck discovery complete: 4 plugins
default 12:20:22.144500 -0700 Cyberduck Discover done
default 12:20:22.144642 -0700 Cyberduck services: <private>
default 12:20:22.145180 -0700 Cyberduck Requesting sharingServicesForItems:<private> mask:6
default 12:20:22.145425 -0700 Cyberduck filteredItemsFromItems:<private> [2057]--> <private>
default 12:20:22.145947 -0700 Cyberduck Discover <private>
default 12:20:22.153916 -0700 Cyberduck discovery complete: 3 plugins
default 12:20:22.154574 -0700 Cyberduck Discover done
default 12:20:22.154618 -0700 Cyberduck Discover <private>
default 12:20:22.164258 -0700 Cyberduck discovery complete: 4 plugins
default 12:20:22.164372 -0700 Cyberduck Discover done
default 12:20:22.164552 -0700 Cyberduck services: <private>
default 12:20:22.164968 -0700 Cyberduck Requesting sharingServicesForItems:<private> mask:6
default 12:20:22.165115 -0700 Cyberduck filteredItemsFromItems:<private> [2057]--> <private>
default 12:20:22.165515 -0700 Cyberduck Discover <private>
default 12:20:22.173573 -0700 Cyberduck discovery complete: 3 plugins
default 12:20:22.174238 -0700 Cyberduck Discover done
default 12:20:22.174298 -0700 Cyberduck Discover <private>
default 12:20:22.184411 -0700 Cyberduck discovery complete: 4 plugins
default 12:20:22.184491 -0700 Cyberduck Discover done
default 12:20:22.184633 -0700 Cyberduck services: <private>
default 12:20:22.185144 -0700 Cyberduck Requesting sharingServicesForItems:<private> mask:6
default 12:20:22.185333 -0700 Cyberduck filteredItemsFromItems:<private> [2057]--> <private>
default 12:20:22.185877 -0700 Cyberduck Discover <private>
default 12:20:22.193870 -0700 Cyberduck discovery complete: 3 plugins
default 12:20:22.194551 -0700 Cyberduck Discover done
default 12:20:22.194606 -0700 Cyberduck Discover <private>
default 12:20:22.205383 -0700 Cyberduck discovery complete: 4 plugins
default 12:20:22.205486 -0700 Cyberduck Discover done
default 12:20:22.205676 -0700 Cyberduck services: <private>
```
As soon as I remove the bucket policy, I have no issues creating the
vault.
It appears that Cyberduck is ignoring my settings for S3 uploads, under
the `Encryption` heading.
Please let me know what else you need from me in order to reproduce & fix.
Thank you
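The two PUT logs above differ in exactly one request header: the folder PUT carries `x-amz-server-side-encryption: AES256`, the vault PUT does not, and the bucket policy's `Null` statement denies the latter. The following added example (my own code, not Cyberduck's) parses a request log in the format Cyberduck prints and evaluates each PUT against the ticket's two Deny statements, so a log review shows which statement blocks the upload; the log excerpt inside it is constructed from the ticket's requests, and `MY_BUCKET_NAME` / `MY_BUCKET_PREFIX` are the ticket's placeholders.

```python
"""Audit a Cyberduck S3 request log against the ticket's bucket policy (added
example, not Cyberduck code): a PUT without the SSE header is reported as
denied by the policy's Null statement, a PUT carrying AES256 as allowed."""
import fnmatch
import json
import re

# The bucket policy as posted in the ticket; MY_BUCKET_NAME is its placeholder.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::MY_BUCKET_NAME/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::MY_BUCKET_NAME/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}
  ]
}
""")

# Constructed excerpt in Cyberduck's log format: the successful folder PUT,
# then the vault PUT that the ticket's log shows without an SSE header.
SAMPLE_LOG = """\
PUT /MY_BUCKET_PREFIX/test-folder/ HTTP/1.1
Content-Type: application/x-directory
x-amz-server-side-encryption: AES256
Host: MY_BUCKET_NAME.s3.amazonaws.com
HTTP/1.1 200 OK
x-amz-server-side-encryption: AES256
Server: AmazonS3
PUT /MY_BUCKET_PREFIX/test-vault/ HTTP/1.1
Content-Type: application/x-directory
Host: MY_BUCKET_NAME.s3.amazonaws.com
"""

REQUEST_LINE = re.compile(r"^(GET|PUT|POST|DELETE|HEAD) (\S+) HTTP/1\.[01]$")


def parse_requests(log):
    """Return one {"method", "path", "headers"} dict per request in the log.
    Lines after a status line belong to the response and are skipped, so S3's
    echoed x-amz-server-side-encryption is never taken for a request header."""
    requests, current = [], None
    for line in log.splitlines():
        match = REQUEST_LINE.match(line)
        if match:
            current = {"method": match.group(1), "path": match.group(2), "headers": {}}
            requests.append(current)
        elif line.startswith("HTTP/1."):
            current = None
        elif current is not None and ": " in line:
            name, value = line.split(": ", 1)
            current["headers"][name.lower()] = value.strip()
    return requests


def request_context(req):
    """Build the request-context keys the policy conditions on."""
    bucket = req["headers"].get("host", "").split(".s3.", 1)[0]
    context = {"resource": "arn:aws:s3:::%s%s" % (bucket, req["path"])}
    sse = req["headers"].get("x-amz-server-side-encryption")
    if sse is not None:
        context["s3:x-amz-server-side-encryption"] = sse
    return context


def condition_matches(condition, context):
    """Evaluate the two operators the policy uses. Null/"true" matches when the
    key is absent; StringNotEquals treats an absent key as no match here, which
    is exactly the gap the policy's separate Null statement closes."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Null":
                if (actual is None) != (expected == "true"):
                    return False
            elif operator == "StringNotEquals":
                if actual is None or actual == expected:
                    return False
            else:
                raise ValueError("unsupported operator: " + operator)
    return True


def evaluate_put(req, policy=BUCKET_POLICY):
    """Return ("denied", sid) for the first matching Deny, else ("allowed", None)."""
    context = request_context(req)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        if not fnmatch.fnmatchcase(context["resource"], stmt["Resource"]):
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return "denied", stmt["Sid"]
    return "allowed", None


def audit_log(log, policy=BUCKET_POLICY):
    """Map each PUT path in the log to its (decision, sid) under the policy."""
    return {r["path"]: evaluate_put(r, policy)
            for r in parse_requests(log) if r["method"] == "PUT"}
```

Running `audit_log` over a full Cyberduck transcript flags every object upload the bucket policy would reject before the upload is retried, which is quicker than reading the raw headers by eye.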
--
Ticket URL: <https://trac.cyberduck.io/ticket/10488#comment:1>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows