S3 on node-red-node-aws will not upload if account cannot access root directory of bucket #294

joshuacurtiss opened this issue Mar 4, 2022 · 2 comments

joshuacurtiss commented Mar 4, 2022

Which node are you reporting an issue on?

node-red-node-aws

What are the steps to reproduce?

Configure AWS connection to a bucket where credentials do not have list/read/write access to the root directory of the bucket.

my-bucket - Credentials cannot list/read/write
my-bucket/accounts/my-account/ - Have list/read/write access

What happens?

Upon deploying changes, debugger receives error "AWS S3 error: AccessDenied: Access Denied", and then any messages passed to the node will not write objects to any path in the bucket.

What do you expect to happen?

Expected that the node will still attempt to write objects to a path in the bucket and only return "Access Denied" error if indeed the credentials don't have access to the specific path. Currently, however, the node will not function at all if the root path is inaccessible.

Please tell us about your environment:

  • Node-RED version: 2.2.2
  • node.js version: 14.18.2
  • npm version: 6.14.15
  • Platform/OS: Docker container nodered/node-red
  • Browser: Chrome

@HenryckeBSchenberk

Any news? I have the same problem but can't figure out how to configure the permissions without "fullAccessS3" so that upload works.

@jeanmichel-nwsb
Contributor

You should be able to give ListBucket permission limited to the root folder as well as to the folders you want to provide access to.
Assuming bucket my-bucket with 2 "folder-key" prefixes, private/ and shared/,
you can have a policy statement such as:

        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "",
                        "shared/*"
                    ]
                }
            }
        }

While you can argue that it shouldn't be necessary to provide the ListBucket permission, and you are right, users can perfectly well PutObject and GetObject without it, it is not uncommon that software requires the above.
One of the reasons is that without the ListBucket permission, AWS will always return a 403 Forbidden if you try to access a non-existing key instead of a 404 Not Found.
This is for security reasons: if you can't list the bucket content, you shouldn't be allowed to "probe" for file existence.
With ListBucket permission you will clearly be returned a 404 for a non-existing key and a 403 for permission errors.
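To see how the ListBucket statement above interacts with the object-level permissions the node also needs, here is a small added example (not code from node-red-node-aws or from the comment author) that evaluates sample S3 requests against that statement plus an assumed second statement granting GetObject/PutObject under shared/. It is a deliberately simplified evaluator (Allow statements and StringLike conditions only); the root listing the node performs at deploy time is modelled as a request with an empty s3:prefix, which is why the "" entry in the condition matters.

```python
import re
from typing import Dict

# Constructed policy: the ListBucket statement from the comment above, plus an
# assumed object-level statement scoped to the shared/ prefix (not from the page).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::my-bucket"],
            "Condition": {"StringLike": {"s3:prefix": ["", "shared/*"]}},
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": ["arn:aws:s3:::my-bucket/shared/*"],
        },
    ],
}


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def is_allowed(action: str, resource: str, context: Dict[str, str]) -> bool:
    """Return True if some Allow statement matches action, resource and every
    StringLike condition key (a missing context key never matches, as in IAM)."""
    for statement in POLICY["Statement"]:
        if statement["Effect"] != "Allow":
            continue
        if not any(string_like(a, action) for a in statement["Action"]):
            continue
        if not any(string_like(r, resource) for r in statement["Resource"]):
            continue
        conditions = statement.get("Condition", {}).get("StringLike", {})
        if all(
            key in context and any(string_like(p, context[key]) for p in patterns)
            for key, patterns in conditions.items()
        ):
            return True
    return False
```

Running the evaluator shows that the deploy-time root listing (prefix "") and listings under shared/ succeed, listing private/ is denied, and object reads and writes are allowed only for keys under shared/.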
