Error during anon ReadACL
Existing Issues
- [x] I've searched the current issues
Command
no command - library usage
Observed behavior (what happened?)
I've come across an error while using your software. It took me quite some time to find out what's happening but I think that I've figured it out maybe.
I'm scanning using this software as a go library and without using credentials:
```go
awsProvider, err := provider.NewProvider("aws")
// more code...
scanErr := awsProvider.Scan(&b, false)
// error here...sometimes
```
I'm scanning multiple buckets and the error only appeared on some of them.
Here's the error message I got:
```
error occurred while checking for anon ReadACL: operation error S3: GetBucketAcl, get identity: get credentials: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, access disabled to EC2 IMDS via client option, or "AWS_EC2_METADATA_DISABLED" environment variable
```
The solution seems to be to just set the required env vars:
```
AWS_ACCESS_KEY_ID=anonymous
AWS_SECRET_ACCESS_KEY=anonymous
AWS_SESSION_TOKEN=
```
This is supposedly what is going on:
LLM says:
The problem was in how the AWS SDK credential provider chain works. The AWS SDK for Go follows a specific order when trying to get credentials:
- Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
- Shared credentials file (~/.aws/credentials)
- EC2 Instance Metadata Service (IMDS) - for EC2 instances
- ECS credentials - for ECS tasks
- Other sources
What Was Happening Before
When you only had AWS_EC2_METADATA_DISABLED=true, the AWS SDK would:
- ✅ Skip IMDS (because it was disabled)
- ❌ Still try to get credentials from other sources in the chain
- ❌ When it couldn't find valid credentials anywhere, it would still attempt to make authenticated requests
- ❌ This caused the error you saw: "failed to refresh cached credentials, no EC2 IMDS role found"
That would make sense, seeing that some kind of credential cache couldn't be updated (since there were no credentials). Now why would it do that? Clearly anon requests shouldn't try to get credentials, right?
LLM says:
- The s3scanner was trying to check if anonymous users can read the bucket's ACL
- It called GetBucketAcl on the AWS S3 API
- Some buckets have ACLs that require authentication to read, even for unauthenticated requests
- When the AWS SDK tried to make this authenticated request, it failed because it couldn't get credentials
I've double-checked and tracked down the function that threw the error. I believe it is CheckPermReadACL, and that function does check whether the API returns a 403 and handles it gracefully. Perhaps the error response is something other than 403 and that's why the error happens? I'm not too sure, sadly. I couldn't track the bug down further, but perhaps you know more about what's going on.
Expected behaviour
No error should be produced, since anon requests should never try to get credentials.
Debug output
Not using as CLI.
Error message mentioned above:
```
error occurred while checking for anon ReadACL: operation error S3: GetBucketAcl, get identity: get credentials: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, access disabled to EC2 IMDS via client option, or "AWS_EC2_METADATA_DISABLED" environment variable
```
OS Info
No response
Config file
No response
Additional info
No response
Are you using a tagged version of the library and if so, which?
Hey! Sorry for the late reply.
go.mod states v0.0.0-20250301184506-b6c26d67bc2a, so that's the version from the commit b6c26d6.