aristidb / aws

Amazon Web Services for Haskell
BSD 3-Clause "New" or "Revised" License

support unauthenticated S3 requests #279

Closed joeyh closed 1 year ago

joeyh commented 2 years ago

Public S3 buckets can support operations like GetObject and GetBucket without any authentication headers being provided. This library does not support generating such requests.

As a proof of concept I hacked up s3SignQuery to omit those headers, and used dummy AWS credentials. That worked. It does not seem possible to do that without modifying aws. I have users for whom this would be a useful thing to support.

joeyh commented 2 years ago

Note that it's possible for an S3 bucket to even allow anonymous writes! Probably not a good idea, but AWS documentation does show how to do it.
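
Added example, not part of the comment above and not code from the aws library: a small Python audit that lists which actions a bucket policy grants to anonymous callers, separating read actions from anything that could be a write. The sample policy, bucket name, account ID and function names are constructed for illustration.

```python
import json

# Constructed sample policy (not from the issue): anonymous read, anonymous
# write, and one statement limited to a named principal.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "PublicWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "Internal", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})


def _as_list(value):
    # Policy fields may hold a single value or a list of values.
    return value if isinstance(value, list) else [value]


def is_anonymous(principal):
    # "*" and {"AWS": "*"} both match unauthenticated callers.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def anonymous_grants(policy_json):
    """Return (sid, action, kind, conditional) for each anonymous Allow."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not is_anonymous(stmt.get("Principal")):
            continue
        for action in _as_list(stmt.get("Action", [])):
            # Conservative: anything that is not Get*/List* counts as a write.
            read_only = action.lower().startswith(("s3:get", "s3:list"))
            findings.append((stmt.get("Sid", ""), action,
                             "read" if read_only else "write-or-other",
                             "Condition" in stmt))
    return findings


if __name__ == "__main__":
    for finding in anonymous_grants(SAMPLE_POLICY):
        print(finding)
```

Statements carrying a `Condition` are reported with the last field set to `True`, since the condition may narrow who can actually use the grant; `NotPrincipal` and `NotAction` statements are not evaluated here.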

joeyh commented 2 years ago

Here is an implementation, still needs a little work. https://github.com/joeyh/aws/commit/c99b298f40683e6a9ec6fdcc4896407d8073416e

joeyh commented 2 years ago

That patch definitely needs to support S3 v4 before it can be merged.

The handling of NoCredentials by signature is the other possibly concerning thing about it, since other modules use signature and would silently generate badly signed requests for NoCredentials as the patch stands. The affected modules are Iam, Ses, SimpleDb, and Sqs. Probably most of these do not support any kind of unauthenticated access. I don't see any good way to make those signal that they've been provided with SignatureData that they cannot support.

joeyh commented 1 year ago

I've updated my patch, and consider it mergeable now. Will send a pull request.

I changed my approach because NoCredentials broke too many other modules (more than I listed in my comment above). The new approach avoids breakage entirely. When a module does not support anonymous access, it will behave the same as if the user had specified an empty AWS access key and secret key.