CubeCoders / AMP

Issue tracking and documentation for AMP
https://cubecoders.com/AMP
MIT License

AMP cannot use an existing S3 bucket for backups #1015

Open FrozenSoda opened 7 months ago

FrozenSoda commented 7 months ago

Bug Report

System Information

Operating System

Ubuntu Server 22.04.4

AMP Version

2.5 - 20240322.1 (Mainline)

I confirm:

Symptoms

What are you trying to do?

Upload a backup to an S3 bucket that was not created by AMP.

What are you expecting to happen?

That the backup is successfully uploaded, provided that AMP is supplied a key with the proper permissions to that bucket.

What is actually happening?

A notification appears with a progress bar stating "Uploading Backup to S3", then disappears after a few seconds. When looking at the AMP instance log, you can find:

[Core:admin Error]     : [0] (AmazonS3Exception) : not entitled
[Core:admin Error]     : [1] (HttpErrorResponseException) : The remote server returned an error: (403) .

If the S3 key supplied to AMP permits full access to all buckets, including the ability to create new buckets, you instead get the errors:

[Core:admin Error]     : [0] (BucketAlreadyOwnedByYouException) : Your previous request to create the named bucket succeeded and you already own it.
[Core:admin Error]     : [1] (HttpErrorResponseException) : The remote server returned an error: (409) .

As a consequence, you must let AMP create the bucket for you, which requires AMP to use an application key with access to all buckets in your account, which is bad from a security standpoint if the AMP instance were to get compromised.

Reproduction

  1. Create an instance in AMP of any server, for example Minecraft Java Edition.
  2. Create a bucket in your S3 compatible cloud storage along with an application key that gives read- and write-access to that bucket.
  3. Select "Manage" on the AMP instance, go to "Configuration > Cloud Backups" and enable "Use S3 Storage for Backups", and fill in the other fields. Use the bucket and key you just created.
  4. Exit configuration, then go to "Backups" and create a backup.
  5. A backup will be created, and AMP will attempt to upload it to S3, but fails silently.
  6. Return to the AMP main menu, right-click the instance, select "View Logs", "Refresh Listing" in the top-right corner, and double click the latest log.
  7. Observe that the 403 error occurred during the backup.
  8. Repeat steps 3-6 with an application key giving full access to all buckets, and observe the 409 error.

FrozenSoda commented 6 months ago

It seems that this issue only appears when using uppercase letters in the bucket name. AWS does not allow this, but some other S3-compatible providers such as Backblaze B2 do.

Perhaps the AWS SDK does not find the bucket as the name is converted to lowercase when looking for it, after which AMP wrongly tries to create it.

To prevent this issue, maybe AMP should validate the bucket name and ensure it is lowercase only. I don't know if breaking other naming rules causes issues: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html
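
The validation suggested in the comment above, as an added example that is not AMP's code and not part of the original issue: a pre-upload check of the configured bucket name against the AWS general purpose bucket naming rules, raising an error instead of failing silently. The function names and sample bucket names are hypothetical, and the reserved prefix and suffix lists are a subset of those in the linked AWS documentation.

```python
import re

# Allowed characters, and the rule that a name starts and ends with a letter or digit.
_ALLOWED = re.compile(r"^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$")
_IPV4_LIKE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Subset of the reserved prefixes/suffixes in the AWS naming rules (assumption:
# check the linked documentation for the current full list).
_RESERVED_PREFIXES = ("xn--", "sthree-")
_RESERVED_SUFFIXES = ("-s3alias", "--ol-s3")


def bucket_name_problems(name: str) -> list[str]:
    """Return the naming rules that `name` breaks; an empty list means valid."""
    problems = []
    if not 3 <= len(name) <= 63:
        problems.append("length must be 3-63 characters")
    if name != name.lower():
        problems.append("uppercase letters are not allowed")
    # Test the lowercased form so an uppercase name is reported only once.
    if not _ALLOWED.match(name.lower()):
        problems.append("only a-z, 0-9, '.', '-'; must start and end with a letter or digit")
    if ".." in name:
        problems.append("adjacent periods are not allowed")
    if _IPV4_LIKE.match(name):
        problems.append("must not be formatted as an IP address")
    if name.lower().startswith(_RESERVED_PREFIXES):
        problems.append("reserved prefix")
    if name.lower().endswith(_RESERVED_SUFFIXES):
        problems.append("reserved suffix")
    return problems


def require_valid_bucket(name: str) -> str:
    """Fail loudly before any upload or bucket-creation request is attempted."""
    problems = bucket_name_problems(name)
    if problems:
        raise ValueError(f"bucket name {name!r} rejected: " + "; ".join(problems))
    return name


if __name__ == "__main__":
    # Constructed sample names; the second mimics a mixed-case bucket that some
    # S3-compatible providers accept but AWS does not.
    for sample in ("amp-backups-01", "AMP-Backups", "192.168.5.4", "my..bucket"):
        print(sample, "->", bucket_name_problems(sample) or "ok")
```

Running such a check when the Cloud Backups settings are saved would surface the mixed-case name as a configuration error, so a key scoped to a single existing bucket could be used without a fallback to bucket creation.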