S3 PutObject works but List/Delete fails

Thread starter: leoOrion (Guest)
I am creating a session token by setting the permissions like this. This is done in Kotlin.

Code:
    val stsClient = applicationContext.getBean("awsSecurityTokenClient", awsClient.getBasicCredentials()) as AWSSecurityTokenService
    val folderName = "<folder>"
    val keyRights = Statement(Statement.Effect.Allow)
    // S3Actions.ListObjects serialises to "s3:ListBucket" in the Java SDK policy builder
    keyRights.actions.addAll(listOf(S3Actions.PutObject, S3Actions.DeleteObject, S3Actions.ListObjects, S3Actions.GetObject))
    // single object-key ARN for every action in the statement
    keyRights.setResources(arrayListOf(Resource("arn:aws:s3:::$bucket/${folderName}/*")))
    val statementList = listOf(keyRights)
    val federationToken = stsClient.getFederationToken(getFederationTokenRequest(bucket, statementList))
    val sessionToken = SessionToken(federationToken)

Code:
private fun getFederationTokenRequest(userId: Any, accessStatements: List<Statement>): GetFederationTokenRequest {
    val tokenRequest = GetFederationTokenRequest()
    val policy = Policy()

    policy.statements = accessStatements
    tokenRequest.policy = policy.toJson()      // session policy sent as a JSON string
    tokenRequest.name = "$userId"
    tokenRequest.durationSeconds = expireAt * 3600   // expireAt (hours) is defined outside this snippet
    return tokenRequest
}

The policy JSON from debugging is as follows:

Code:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket_name>/<path>/"
      ]
    }
  ]
}

The session token is then used to upload files to the allowed path. This works, as I can see the upload succeed and the files appear in S3. This is in Python.

But the same token, if I try to do a list or delete, fails.

Code:
    import boto3

    # s3_meta holds the credentials returned by GetFederationToken
    session = boto3.Session(aws_access_key_id=s3_meta['accessToken'],
                            aws_secret_access_key=s3_meta['secureToken'],
                            aws_session_token=s3_meta['sessionToken'])
    s3 = session.resource('s3')

This fails:

Code:
      bucket = s3.Bucket(bucket_name)
      # lists the prefix first, then issues a batch delete for the keys found
      bucket.objects.filter(Prefix=path_in_bucket).delete()
# Failure: ClientError: An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied

This works:

Code:
s3.meta.client.upload_file(file, bucket_name, bucket_upload_path)

I have clearly set list and delete in the allowed actions. How is Put working while the other two fail? What am I missing here?
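The following is an added example, not code from the original post, using constructed bucket and prefix names (`example-bucket`, `uploads/user-42`). It puts the session policy shape from the post beside a corrected one: the object actions stay on the key ARN, while `s3:ListBucket` moves to the bucket ARN (`arn:aws:s3:::<bucket>`) with an `s3:prefix` condition, because ListBucket is a bucket-level action and never matches an object-key ARN. That is also why the `.filter(...).delete()` call fails: it must list the prefix before it can send the batch delete, so the request is denied at ListObjects before any DeleteObject permission is consulted. `is_allowed` is a deliberately small model of IAM evaluation (Allow statements, `*` wildcards, one `StringLike` condition), not the real engine, and `federation_token_request` only assembles the keyword arguments for boto3's `sts.get_federation_token()` so the block runs offline.

```python
"""Added example (not from the original post): scope a GetFederationToken
session policy to one prefix and check offline why ListBucket is denied."""
import fnmatch
import json
from typing import Optional

# Constructed sample values; the post redacts its real bucket and prefix.
BUCKET = "example-bucket"
PREFIX = "uploads/user-42"


def original_policy(bucket: str, prefix: str) -> dict:
    """Shape of the policy in the post: every action, including the
    bucket-level s3:ListBucket, is granted only on the object-key ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "1",
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:DeleteObject", "s3:ListBucket", "s3:GetObject"],
            "Resource": [f"arn:aws:s3:::{bucket}/{prefix}/*"],
        }],
    }


def scoped_policy(bucket: str, prefix: str) -> dict:
    """Corrected policy: object actions on the key ARN, ListBucket on the
    bucket ARN and limited to the prefix through the s3:prefix condition."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ObjectAccess",
                "Effect": "Allow",
                "Action": ["s3:PutObject", "s3:DeleteObject", "s3:GetObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/{prefix}/*"],
            },
            {
                "Sid": "ListOnlyThisPrefix",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*"]}},
            },
        ],
    }


def is_allowed(policy: dict, action: str, resource: str, prefix: Optional[str] = None) -> bool:
    """Teaching model of IAM evaluation, not the real engine: Allow statements
    only, '*' wildcards in Action/Resource, and a StringLike s3:prefix condition.
    `prefix` is the Prefix= the caller sends with ListObjects (None if omitted)."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in st["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in st["Resource"]):
            continue
        allowed_prefixes = st.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if allowed_prefixes is not None:
            # A listing with no Prefix= asks for the whole bucket: the condition fails.
            if prefix is None or not any(fnmatch.fnmatchcase(prefix, p) for p in allowed_prefixes):
                continue
        return True
    return False


def explain(bucket: str, prefix: str) -> dict:
    """Evaluate the three requests the post makes against both policies."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    key_arn = f"arn:aws:s3:::{bucket}/{prefix}/report.csv"   # constructed key
    requests = {
        "PutObject": ("s3:PutObject", key_arn, None),
        "ListBucket": ("s3:ListBucket", bucket_arn, f"{prefix}/"),
        "DeleteObject": ("s3:DeleteObject", key_arn, None),
    }
    return {
        name: {
            "original": is_allowed(original_policy(bucket, prefix), *req),
            "scoped": is_allowed(scoped_policy(bucket, prefix), *req),
        }
        for name, req in requests.items()
    }


def federation_token_request(name: str, bucket: str, prefix: str, duration_seconds: int = 3600) -> dict:
    """Keyword arguments for boto3 sts.get_federation_token(); returned, not sent.
    Bounds follow the STS API: Name 2..32 chars, DurationSeconds 900..129600."""
    if not 2 <= len(name) <= 32:
        raise ValueError("Name must be 2 to 32 characters")
    if not 900 <= duration_seconds <= 129600:
        raise ValueError("DurationSeconds must be between 900 and 129600")
    return {
        "Name": name,
        "Policy": json.dumps(scoped_policy(bucket, prefix)),
        "DurationSeconds": duration_seconds,
    }


if __name__ == "__main__":
    print(json.dumps(explain(BUCKET, PREFIX), indent=2))
    print(json.dumps(scoped_policy(BUCKET, PREFIX), indent=2))
```

Running the block prints the evaluation table (ListBucket denied under the original policy, allowed under the scoped one, Put and Delete allowed under both) followed by the corrected policy JSON. Two caveats apply in practice: GetFederationToken grants the intersection of this session policy and the calling IAM user's own permissions, so the user that calls STS must itself hold `s3:ListBucket` on the bucket; and the `s3:prefix` condition only constrains listings that actually send a `Prefix=`, which is why the model denies a listing with no prefix at all.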