aws / amazon-ssm-agent

An agent to enable remote management of your EC2 instances, on-premises servers, or virtual machines (VMs).
https://aws.amazon.com/systems-manager/
Apache License 2.0

aws:downloadContent ListS3Directory should not be fatal for a fixed URL #287

Closed mdaniel closed 4 years ago

mdaniel commented 4 years ago

I am trying out amazon-ssm-agent (2.3.1319.0) and am experiencing unexpected behavior

What happened

When using AWS-ApplyAnsiblePlaybooks with a SourceType of S3 and a fixed, publicly accessible path in the SourceInfo, it dies with 403 due to an attempt to ListS3Directory on a bucket that we have configured to not have List*

{
  "SourceType": [
    "S3"
  ],
  "SourceInfo": [
    "{\"path\": \"https://openraven-deploy.s3.us-west-2.amazonaws.com/stack.yaml\"}"
  ],

2020-06-12 21:26:41 ERROR [ssm-document-worker] [f6bd825d-5ba0-40b2-8e37-01ce83bb2094] [DataBackend] [pluginName=aws:downloadContent] ListS3Directory error AccessDenied: Access Denied
    status code: 403, request id: AT5RDYAH3H8J0Z2M, host id: 97NWvtvrDFwbMT+Emo3P4QzU/Nsb9Wro51LRXVJEupBDKkn6g4xR2dDIYXTRvI/Gn9DYpDAdJWY=
2020-06-12 21:26:47 INFO [ssm-document-worker] [f6bd825d-5ba0-40b2-8e37-01ce83bb2094] [DataBackend] Sending plugin downloadContent completion message

but that specified path is accessible without any S3 operations

$ curl -I https://openraven-deploy.s3.us-west-2.amazonaws.com/stack.yaml
HTTP/1.1 200 OK

What was expected

Fetch the given path as directed

I can appreciate the amazon-ssm-agent might not know ahead of time if a given path is a file or "directory," and so it attempting to call ListS3Directory is a reasonable action, but if that ListS3Directory fails, but then there is a 200-OK response for the specified path, that 200 should supersede any auto-discovery logic and the aws:downloadContent should fetch the content as directed
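
The fallback requested above, sketched as an added Go example; it is not part of the original thread, not the agent's code, and not the fix that later shipped. `objectStore`, `resolveKeys`, `noListBucket`, `ErrAccessDenied` and `example-bucket` are hypothetical names, and the fake store is constructed to mimic a bucket that allows object reads but denies listing.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrAccessDenied stands in for S3's 403 AccessDenied response (assumption).
var ErrAccessDenied = errors.New("AccessDenied")
// objectStore is a hypothetical minimal view of the two S3 calls involved.
type objectStore interface {
	List(bucket, prefix string) ([]string, error) // requires s3:ListBucket
	Head(bucket, key string) error                // requires only s3:GetObject
}

// resolveKeys: a denied listing is not fatal when path names one readable object.
func resolveKeys(s objectStore, bucket, path string) ([]string, error) {
	keys, listErr := s.List(bucket, path)
	if listErr == nil && len(keys) > 0 {
		return keys, nil
	}
	if listErr != nil && !errors.Is(listErr, ErrAccessDenied) {
		return nil, fmt.Errorf("list %s/%s: %w", bucket, path, listErr)
	}
	if path == "" || strings.HasSuffix(path, "/") { // a prefix needs a listing
		return nil, fmt.Errorf("prefix %q not resolvable, list error: %v", path, listErr)
	}
	if err := s.Head(bucket, path); err != nil {
		return nil, fmt.Errorf("head %s/%s: %w", bucket, path, err)
	}
	return []string{path}, nil
}

// noListBucket is a constructed fake: objects readable, listing denied.
type noListBucket struct{ objects map[string]bool }
func (b noListBucket) List(_, _ string) ([]string, error) { return nil, ErrAccessDenied }
// Without s3:ListBucket, S3 answers 403 (not 404) for a key that does not exist.
func (b noListBucket) Head(_, key string) error {
	if !b.objects[key] {
		return ErrAccessDenied
	}
	return nil
}

func main() {
	s := noListBucket{objects: map[string]bool{"stack.yaml": true}}
	fmt.Println(resolveKeys(s, "example-bucket", "stack.yaml"))
}
```

Because a bucket without list permission reports a missing key as 403 rather than 404, the fallback cannot distinguish "absent" from "forbidden" and surfaces the access error in both cases.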

Thor-Bjorgvinsson commented 4 years ago

Hi mdaniel, sorry for the late response and thank you for reporting this issue. We are looking at options to address this issue. I'll update this issue ticket when a decision has been made

jacklin213 commented 4 years ago

Does commit: https://github.com/aws/amazon-ssm-agent/commit/60301534e44711a80dfe577a0fc35fd0195f71d2 resolve this issue? https://github.com/aws/amazon-ssm-agent/releases/tag/2.3.1550.0

Thor-Bjorgvinsson commented 4 years ago

Correct, this issue was addressed in release 2.3.1550. Thanks for linking the commit!