Odd privilege requirements for AWS
Both of the following methods fail (403 result from server):
string url = await storage.GetPresignedUrlAsync("mycontainer/someid", null, 86000, Amazon.S3.HttpVerb.GET);
string content = await storage.ReadTextAsync("mycontainer/someid");
when using the following user policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "s3:ListBucket" ],
      "Resource": [ "arn:aws:s3:::test" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ],
      "Resource": [ "arn:aws:s3:::test/*" ]
    }
  ]
}
If the bucket policy is changed from "s3:ListBucket" to "s3:*", the program works.
Why are additional bucket permissions needed for these requests, and precisely what additional bucket permissions are required?
I'm having a similar problem. Using the S3 SDK, a query like this:
var o = await GetClient().ListObjectsV2Async(new ListObjectsV2Request
{
    BucketName = bucketName,
    Prefix = "nf/"
});
works.
But, with the same config, if I send storage.ListAsync(...
I'm getting an access denied error.
Any clue?