MikaAK / s3-plugin-webpack

Uploads files to s3 after complete
MIT License

ERROR in S3Plugin: AccessDenied: Access Denied #28

Closed joshunger closed 8 years ago

joshunger commented 8 years ago

I'm getting an access denied but my command line tools work executing a similar command of aws s3 sync. What is the best way to debug at this point? Thanks.

MikaAK commented 8 years ago

I'm not too sure. Could be a problem with your region or more. This isn't really a bug and I cannot really help debug this. Closing. If you think this is a bug, please provide more info and reopen. Thanks, Mika

joshunger commented 8 years ago

I see the problem. You're setting ACL public-read but my permissions on my upload account only allow PutObject but not PutObjectACL. That seems like a security concern?

MikaAK commented 8 years ago

It's not really a security concern because primarily you use the things on s3 for display and need public-read. You have a unique use case that I have never come across. The config allows you to set custom s3Options so you can set

{
  s3Options: {ACL: ''}
}
paolavness commented 7 years ago

It would be helpful if this was mentioned somewhere in the documentation. We've spent quite a bit of time debugging this - turns out, for our specific use case where IAM users are set up with restricted access, the plugin fails to upload with 'access denied'. Setting ACL: '' resolved this - would have been helpful to know this sooner.

MikaAK commented 7 years ago

https://github.com/MikaAK/s3-plugin-webpack/commit/e901ce79cef16ad28b33e2258d6e629af4a050cd

@paolavness

hsanjuan commented 7 years ago

> It's not really a security concern because primarily you use the things on s3 for display and need public-read.

It IS a security concern. Cloudfront supports WAF. WAF allows you to whitelist only specific traffic. Bucket policies support allowing access only from Cloudfront, which is the recommended way to do permissions for buckets when using Cloudfront.

Instead of letting the user configure the bucket policies to their needs and using default ACLs (non public), you are overriding them with non-default values, on a per-object basis, in a non-obvious way which silently bypasses any security policies set for the bucket.

jnoss commented 6 years ago

I tested and it looks like ACL is actually a parameter on s3UploadOptions not s3Options - so to override the default ACL it's necessary to set:

s3UploadOptions: {
  Bucket: 'MyBucket',
  ACL: 'private'
},

(or other ACL as desired).
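An added example (not the plugin's own code) for the point @hsanjuan and @jnoss make above: build the plugin options with an explicit, non-public object ACL, and check a config against the S3 actions the upload principal is actually granted so the AccessDenied from this thread is caught before a deploy. The helper names are mine; the `s3UploadOptions`/`ACL` keys and the public-read default are taken from this thread, and the IAM action names are the real `s3:PutObject` and `s3:PutObjectAcl`.

```javascript
// Hypothetical helpers (added example, not part of s3-plugin-webpack).
const DEFAULT_PLUGIN_ACL = 'public-read'; // what the plugin sends when ACL is omitted (per this thread)
const PUBLIC_ACLS = new Set(['public-read', 'public-read-write', 'authenticated-read']);

// Build the plugin config with an explicit ACL instead of relying on the default.
function buildS3PluginOptions(bucket, acl = 'private') {
  return {
    s3Options: { region: 'us-east-1' },            // credentials come from the environment/instance role
    s3UploadOptions: { Bucket: bucket, ACL: acl }, // ACL lives here, not in s3Options (see @jnoss)
  };
}

// The ACL the plugin will put on every uploaded object.
function effectiveAcl(options) {
  const upload = options.s3UploadOptions || {};
  return upload.ACL === undefined ? DEFAULT_PLUGIN_ACL : upload.ACL;
}

// allowedActions: s3:* actions granted to the upload principal, e.g. ['s3:PutObject'].
// blockPublicAcls: whether S3 Block Public Access (BlockPublicAcls) is on for the bucket.
// Returns { acl, ok, reasons } so a build script can fail fast with a readable message.
function checkUploadAcl(options, allowedActions, blockPublicAcls) {
  const acl = effectiveAcl(options);
  const reasons = [];
  // Sending an ACL with PutObject requires s3:PutObjectAcl on top of s3:PutObject;
  // an empty ACL sends no ACL header, so the bucket's defaults apply.
  if (acl !== '' && !allowedActions.includes('s3:PutObjectAcl')) {
    reasons.push(`ACL "${acl}" needs s3:PutObjectAcl, which the principal lacks`);
  }
  if (PUBLIC_ACLS.has(acl) && blockPublicAcls) {
    reasons.push(`ACL "${acl}" is public and the bucket blocks public ACLs`);
  }
  if (PUBLIC_ACLS.has(acl)) {
    reasons.push(`ACL "${acl}" overrides the bucket policy per object`);
  }
  return { acl, ok: reasons.length === 0, reasons };
}

// Constructed sample: a least-privilege upload user with only s3:PutObject.
const uploadUserActions = ['s3:PutObject'];
console.log(checkUploadAcl({ s3UploadOptions: { Bucket: 'my-bucket' } }, uploadUserActions, true));
console.log(checkUploadAcl(buildS3PluginOptions('my-bucket', ''), uploadUserActions, true));
```

The first call reproduces the failure in this thread (implicit public-read, no PutObjectAcl); the second passes because ACL: '' leaves the bucket's own policy in charge.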

MikaAK commented 6 years ago

> Instead of letting the user configure the bucket policies to their needs and using default ACLs (non public), you are overriding them with non-default values, on a per-object basis, in a non-obvious way which silently bypasses any security policies set for the bucket.

As @jnoss pointed out you can override the ACL. For a vast majority of cases ACL: public-read is probably fine, if not change it 😃

tobinbc commented 5 years ago

Just to further this - the default option for S3 is to forcibly deny attempts to make objects public. So without setting ACL:'' uploads will be denied by default. Either do as here, or explicitly enable allowing a public ACL.

MikaAK commented 5 years ago

@tobinbc I've never had that be the default; did this change recently?! I've used this on countless buckets without explicitly enabling public ACL

tobinbc commented 5 years ago

In theory, yes. https://aws.amazon.com/about-aws/whats-new/2018/11/introducing-amazon-s3-block-public-access/

MikaAK commented 5 years ago

You must specifically enable that though so if you're doing that you should already be aware of its impact!!