[Cyberduck-trac] [Cyberduck] #11549: Amazon S3 regression: cannot list root "/" folder of bucket in v.7.8.1 of CyberDuck. Works in v.7.7.2.
Cyberduck
trac at cyberduck.io
Sun Jan 17 22:52:56 UTC 2021
#11549: Amazon S3 regression: cannot list root "/" folder of bucket in v.7.8.1 of
CyberDuck. Works in v.7.7.2.
-------------------------+---------------------------
Reporter: martin_w | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: core | Version: 7.8.1
Severity: major | Keywords: s3 regression
Architecture: | Platform:
-------------------------+---------------------------
I have configured a variety of AWS IAM S3 credentials that provide
restricted access to particular folders on S3. These credentials and
permissions have worked well in CyberDuck for six months, but in the
latest version of CyberDuck (v.7.8.1), the credentials, whose permissions
are unchanged, no longer work. The credentials continue to work in an
alternative S3 file management tool (S3 Browser). I have rolled back to
v.7.7.2, and the credentials work fine there.

Specifically, the credentials are able to list my buckets
(`"s3:ListAllMyBuckets", "s3:GetBucketLocation"`), but they are unable to
list the "`/`" root folder content in version v.7.8.1. It works perfectly
in v.7.7.2. Oddly, even with v.7.8.1, the credentials are still able to
read contents of subfolders, provided that I provide their path in the
Bookmark configuration.

So, for example, the credentials are configured to allow read-write access
in `/mybucket2/folderA`.

The credentials are able to read the bucket list:
{{{
/mybucket1
/mybucket2
/mybucket3
}}}
But when I try to open `/mybucket2`, I get a "Listing directory mybucket2
failed" error.

However, if I configure the bookmark path to `/mybucket2/folderA`, I am
able to open and see the contents of that folder. If I try to navigate to
the parent folder, I get an error again.

I have toggled the Log Drawer and compared the behavior for v.7.7.2 vs.
v.7.8.1 by going through the same sequence of steps for each. The error in
version 7.8.1 occurs with the following HTTP request below.

v.7.7.2: `GET /?encoding-type=url&max-keys=1000&prefix&delimiter=%2F HTTP/1.1`

v.7.8.1: `GET /?encoding-type=url&max-keys=1000&delimiter=%2F HTTP/1.1`

The v.7.8.1 HTTP request is missing the "'''prefix'''" query string
parameter which, even though it is empty for v.7.7.2, appears to be
necessary for S3 to be happy.
I am attaching the Log Drawer output.

Below is the IAM JSON policy for the account I am testing. (I have changed
the bucket and folder names.) The IAM policy gives read/write access to three
folders at the top level of one specific bucket.
{{{
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUserToSeeBucketListInTheConsole",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Sid": "AllowNavigationToTargetFolder",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my-example-bucket"
      ],
      "Condition": {
        "StringEquals": {
          "s3:delimiter": "/",
          "s3:prefix": [
            "",
            "Folder_A/",
            "Folder_B/",
            "Folder_C/"
          ]
        }
      }
    },
    {
      "Sid": "AllowListingOfTargetFolder",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my-example-bucket"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "Folder_A/*",
            "Folder_B/*",
            "Folder_C/*"
          ]
        }
      }
    },
    {
      "Sid": "AllowAddDeleteListOnlyInFolder",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:PutObjectAcl",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": [
        "arn:aws:s3:::my-example-bucket/Folder_A/*",
        "arn:aws:s3:::my-example-bucket/Folder_B/*",
        "arn:aws:s3:::my-example-bucket/Folder_C/*"
      ]
    }
  ]
}
}}}
--
Ticket URL: <https://trac.cyberduck.io/ticket/11549>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows
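
A minimal model of how the two `s3:ListBucket` statements in the ticket's policy evaluate against the two logged requests, added here as an illustration (it is not Cyberduck or AWS code, and the function names are hypothetical). It assumes, consistent with the reporter's observation, that a query parameter missing from the request leaves the matching condition key absent from the request context; IAM's positive string operators without `IfExists` do not match an absent key.

```python
import fnmatch
from urllib.parse import parse_qs, urlsplit

# Conditions of the two s3:ListBucket statements from the ticket's policy.
LIST_STATEMENTS = [
    {"StringEquals": {"s3:delimiter": ["/"],
                      "s3:prefix": ["", "Folder_A/", "Folder_B/", "Folder_C/"]}},
    {"StringLike": {"s3:prefix": ["Folder_A/*", "Folder_B/*", "Folder_C/*"]}},
]

def request_context(request_target):
    """Build condition keys from the list request's query string.

    Assumption: an absent parameter yields an absent key, while a bare
    `prefix` (no value) yields the empty string.
    """
    query = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    return {"s3:" + name: values[0] for name, values in query.items()
            if name in ("prefix", "delimiter")}

def condition_matches(operator, key, allowed, context):
    if key not in context:
        return False  # StringEquals/StringLike fail when the key is missing
    value = context[key]
    if operator == "StringEquals":
        return value in allowed
    if operator == "StringLike":
        # fnmatch approximates IAM's * and ? wildcards for these patterns
        return any(fnmatch.fnmatchcase(value, pat) for pat in allowed)
    raise ValueError("unsupported operator: " + operator)

def list_allowed(request_target):
    """True if any ListBucket statement's conditions all match the request."""
    ctx = request_context(request_target)
    return any(
        all(condition_matches(op, key, allowed, ctx)
            for op, keys in stmt.items() for key, allowed in keys.items())
        for stmt in LIST_STATEMENTS)

# Request targets from the ticket's log comparison.
V772 = "/?encoding-type=url&max-keys=1000&prefix&delimiter=%2F"
V781 = "/?encoding-type=url&max-keys=1000&delimiter=%2F"
# Constructed sample: listing inside a permitted folder.
SUBFOLDER = "/?encoding-type=url&max-keys=1000&prefix=Folder_A%2F&delimiter=%2F"

if __name__ == "__main__":
    for target in (V772, V781, SUBFOLDER):
        print(list_allowed(target), request_context(target))
```

Under this model the root listing passes only when `prefix` is sent, even empty, which matches the ticket: the bucket root fails in v.7.8.1 while a bookmark pointing directly at a permitted folder still works.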